[rabbitmq-discuss] SSL upgrade error cacrtfile
Narayan
bvnr.mail at gmail.com
Wed Jun 4 08:51:07 BST 2014
I'm trying to get SSL working on my Rabbit server, following the
instructions at https://www.rabbitmq.com/ssl.html , but am getting this
error when making connections:
*started SSL Listener on [::]:5671*
*error on AMQP connection <0.678.0>:
{ssl_upgrade_error,{options,{cacertfile,[47,11... *
in the broker log file.
I'm following the SSL troubleshooting
guide http://www.rabbitmq.com/troubleshooting-ssl.html
** Check SSL support in Erlang ----- SUCCESS*
ssl:versions().
SSL version: [{ssl_app,"5.3"},
{supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
RabbitMQ 3.3.0, Erlang R16B01
** Check keys and certificates with OpenSSL ------ SUCCESS*
openssl client output is listed below
*openssl s_client -connect localhost:8443 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem*
*CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = primedev, O = server
verify return:1
---
Certificate chain
0 s:/CN=primedev/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=primedev/O=server
issuer=/CN=MyTestCA
---
No client certificate CA names sent
---
SSL handshake has read 2176 bytes and written 247 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
81472A55C8EC471863BFC884C40322AC1A5C5FA00C8D845E71A98E122D60185E
Session-ID-ctx:
Master-Key:
BB3BBA13077D4152455620760258906F1CF576966656D4417C3F80B1F7C1B357DCEBA4434363
879177A7AF55332FBC7A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
Compression: 1 (zlib compression)
Start Time: 1401261748
Timeout : 300 (sec)
Verify return code: 0 (ok)
---*
** Check broker is listening ------ SUCCESS*
*started SSL Listener on [::]:5671*
** Attempt SSL connection to broker ------ FAILED*
*=INFO REPORT==== ===
accepting AMQP connection <0.223.0> (.... -> 127.0.0.1:5671)*
After this I got the same error:
*error on AMQP connection <0.678.0>: {ssl_upgrade_error,{options,{cacertfile,[47,11... *
Here is what openssl s_client shows when trying to connect to the rmq SSL port:
*openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---*
Please help me establish an SSL RabbitMQ connection. Thanks in advance.
--
Thanks & Regards
Narayan
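
An added example, not part of the original post: Erlang prints strings as lists of character codes, so the list after `cacertfile` in the broker log line is a file path (47 is `/`). The code below decodes such a term and checks the file it names; the sample log line and its path are constructed, because the list on this page is truncated.

```python
import os
import re

# Constructed log line: the page's own list is cut off after "[47,11",
# so this complete term (it spells /tmp/ca.pem) is made up for the example.
SAMPLE = ("error on AMQP connection <0.678.0>: {ssl_upgrade_error,"
          "{options,{cacertfile,[47,116,109,112,47,99,97,46,112,101,109]}}}")

# TLS file options whose value the broker logs as a list of character codes.
OPTION_RE = re.compile(r"\{(cacertfile|certfile|keyfile),\[([\d,\s]+)\]")


def decode_option(log_line):
    """Return (option, path) found in a broker log line, or None."""
    m = OPTION_RE.search(log_line)
    if m is None:
        return None
    codes = [int(c) for c in m.group(2).split(",") if c.strip()]
    return m.group(1), "".join(chr(c) for c in codes)


def check_pem(path):
    """Classify the file: missing, unreadable, not-pem or ok."""
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "-----BEGIN " not in text or "-----END " not in text:
        return "not-pem"
    return "ok"


if __name__ == "__main__":
    option, path = decode_option(SAMPLE)
    print(option, path, check_pem(path))
```

The readability check reflects the account that runs the script, so run it as the OS user the broker runs under.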