windows - RabbitMq and 'Fatal error: handshake failure - handshake_decode_error'

Posted by Hanne Mølgaard Plasc

Problem



I'm working with Windows Server 2012, Erlang 19.2 and RabbitMq 3.6.6. I'm having trouble configuring the connection between endpoints using TLS. I've tried every answer on SO, as well as all the RabbitMq docs here and here. Not sure what we're doing wrong. [9] [10]


In the troubleshooting link, all the tests work except the 'Attempt SSL connection to broker' piece. That's where the problem lies, and I'm not sure why. [11]


When I go through the troubleshooting documentation to see whether you can get a peer connection over SSL on port 8443, it works fine. Then trying to connect to the broker on port 5671 fails and says bad handshake.


Switching the RabbitMq config file to 8443 does nothing but make the peer-to-peer test work on 5671 and fail on 8443.


My config file:


[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"C:\rabbitcerts\testca\cacert.pem"},
                    {certfile,"C:\rabbitcerts\server\cert.pem"},
                    {keyfile,"C:\rabbitcerts\server\key.pem"},
                    {depth, 2},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].


Running this command:



  c:\rabbitcerts> openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem



Produces this error:


Loading 'screen' into random state - done
CONNECTED(000001BC)
write:errno=10054


And in the log file:


=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Memory limit set to 716MB of 1791MB total.

=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Disk free limit set to 50MB

=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Limiting to approx 8092 file handles (7280 sockets)

=INFO REPORT==== 19-Jan-2017::16:42:50 ===
FHC read buffering:  OFF
FHC write buffering: ON

=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Priority queues enabled, real BQ is rabbit_variable_queue

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Starting rabbit_node_monitor

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin: using rates mode 'basic'

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on 0.0.0.0:5672

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on 0.0.0.0:5671

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin started. Port: 15672

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics event collector started.

...

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics database started.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_deliver_get with interval 5000.

...

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_exchange_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_deliver_get with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_rates with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_counts with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_coarse_conn_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_deliver_get with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_queue_msg_counts with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_deliver_get with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_queue_msg_counts with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_process_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_deliver_get with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_exchange_stats_fine_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_node_stats_coarse_node_stats with interval 5000.

...

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table connection_stats with interval 5000.

=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Server startup complete; 6 plugins started.
 * rabbitmq_management
 * rabbitmq_web_dispatch
 * webmachine
 * mochiweb
 * rabbitmq_management_agent
 * amqp_client

=ERROR REPORT==== 19-Jan-2017::16:54:39 ===
SSL: hello: tls_handshake.erl:202:Fatal error: handshake failure - handshake_decode_error


What on earth am I missing?


I've reached out to my network administrator to see whether there is a configuration on the server that we might be missing, per an answer on SO, but I'd like to hear from others, as I'm sure I can't be the only one running into problems...


UPDATE


It looks like I'm getting closer using the new command from @jww.



  openssl s_client -connect mymachine:5671 -tls1 -servername mymachine



Output:


Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 /CN=MyTestCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=$(hostname)/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
(server certificate PEM omitted)
subject=/CN=$(hostname)/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1659 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0E00F18E516DBD5C7EE7F7FE070BDC09FBE3B731FA8D1DF2ECD75E455BB8A6EF
    Session-ID-ctx:
    Master-Key: 61F018A5B629EE6015F88B076AEA8765E153A8CCB2241766DFD0BCC369DC703C9BF42249E47C93EEA318899615732390
    Key-Arg   : None
    Start Time: 1484872012
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

Best answer


In this particular case, everything was configured correctly. However, it appears that when you create a peer connection in the RabbitMq Console for troubleshooting, it connects over a different protocol than when you try to connect to the broker.


So, where this didn't work:



  openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem



I added -tls1 to the arguments, per @jww's second recommendation, and that was all I needed to establish the secure connection.



  openssl s_client -connect localhost:5671 -tls1 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem



The result is Verify return code: 0 (ok).


Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 /CN=MyTestCA
verify return:1
depth=0 /CN=$(hostname)/O=server
verify return:1
---
Certificate chain
 0 s:/CN=$(hostname)/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
(server certificate PEM omitted)
subject=/CN=$(hostname)/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1659 bytes and written 2163 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 56CC3AB350BF91DB4CD2A89F62FD60322E553628C381E11B179BD9C8D22184BF
    Session-ID-ctx:
    Master-Key: 6FB8A241FD0A5C3ECCBE88DE4C36C412CBE5E8D58DAAB209D24438F72CCA7F9332511A277EBC0919775490057F46CCC7
    Key-Arg   : None
    Start Time: 1484921846
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
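The answer's fix was to pin the client to one protocol version with -tls1. As an added example (not from the question or answer), the script below does the same check programmatically: it attempts a verified handshake once per TLS version and then reports whether the broker only speaks a legacy protocol, which is exactly the condition in which a modern client's default handshake fails while a pinned one succeeds. Host, port and CA file are placeholders you supply.

```python
"""Probe which TLS versions a broker port accepts, one pinned version per
handshake (the programmatic form of adding -tls1/-tls1_2 to s_client).
Added example, not the page's own code; host/port/cafile are placeholders."""
import socket
import ssl

VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_versions(host, port, cafile, timeout=5.0):
    """Return {version_name: None} for versions that complete a verified
    handshake against `cafile`, or {version_name: error_text} otherwise."""
    results = {}
    for ver in VERSIONS:
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            # Pin a single version so each attempt mirrors one -tls1* flag.
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            if ver < ssl.TLSVersion.TLSv1_2:
                # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout) as sock:
                # wrap_socket performs the handshake; reaching the body means success.
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[ver.name] = None
        except (ssl.SSLError, OSError) as exc:
            results[ver.name] = str(exc)
    return results


def assess(results):
    """Summarise a probe: which versions work, and whether the broker is
    stuck on a legacy protocol (the situation on this page: only TLSv1 ok)."""
    ok = sorted(ssl.TLSVersion[name] for name, err in results.items() if err is None)
    if not ok:
        return "no version completed a handshake; check the listener and certificate paths"
    names = ", ".join(v.name for v in ok)
    if ok[-1] < ssl.TLSVersion.TLSv1_2:
        return ("only %s works: clients with a default (newer) handshake will fail, "
                "and the broker relies on a deprecated protocol" % names)
    return "ok: " + names


if __name__ == "__main__":
    # Placeholder target; replace with the broker host, 5671 and your CA file.
    print(assess(probe_versions("localhost", 5671, "testca/cacert.pem")))
```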

Other answers 1


I had 'Connection reset by peer' errors recently when setting up a dev rabbit.
Things to try:



  1. Install Erlang 18.2 instead of 19.2. I had no luck at all with the 19.X versions when setting up TLS. I got strange errors and nothing was logged by RabbitMQ.

  2. When you try Erlang 18.2, look at your_instance-sasl.log; TLS problems were logged there for me with enough detail that I could resolve them.



I installed the RabbitMQ server on Centos7 and the client on Windows myself. For the dev environment I used tls-gen to generate certificates. It was very easy. [13]