user2467944

TLS server: In state connection received CLIENT ALERT: Fatal - Unknown CA

I did enable TLS on my local machine; below are the settings in the rabbitMQ.config file.

log.console = true
log.console.level = debug
log.file.level = debug

listeners.tcp = none
listeners.ssl.default = 5671

ssl_options.cacertfile = C:/Users/UserId/AppData/Roaming/RabbitMQ/result-new/ca_certificate.pem
ssl_options.certfile   = C:/Users/UserId/AppData/Roaming/RabbitMQ/result-new/server_PNQ1-LP98R10J3_certificate.pem
ssl_options.keyfile    = C:/Users/UserId/AppData/Roaming/RabbitMQ/result-new/server_PNQ1-LP98R10J3_key.pem
ssl_options.verify     = verify_none
ssl_options.fail_if_no_peer_cert = false

The RabbitMQ service starts, but when I try to connect to RabbitMQ from code it throws this error:

RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable
 ---> System.AggregateException: One or more errors occurred. (The remote certificate is invalid according to the validation procedure.)
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__64_2(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at RabbitMQ.Client.Impl.SslHelper.<>c__DisplayClass2_0.<TcpUpgrade>b__0(SslOption opts)
   at RabbitMQ.Client.Impl.SslHelper.TcpUpgrade(Stream tcpStream, SslOption options)
   at RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
   at RabbitMQ.Client.Framing.Impl.IProtocolExtensions.CreateFrameHandler(IProtocol protocol, AmqpTcpEndpoint endpoint, ArrayPool`1 pool, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
   at RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint)
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   at RabbitMQ.Client.Framing.Impl.AutorecoveringConnection.Init(IEndpointResolver endpoints)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection()
   at RabbitMQ.Explore.Program.RabbitMQWithSSLEnable() in C:\Users\E5695455\Desktop\RabbitMQ-RnD\RabbitMQ.Explore-master\RabbitMQ.Explore-master\RabbitMQ.Explore\Program.cs:line 167

And on the RabbitMQ log side, below is the error:

2023-09-13 17:29:45.329000+05:30 [notice] <0.3749.0> TLS server: In state connection received CLIENT ALERT: Fatal - Unknown CA
2023-09-13 17:29:45.329000+05:30 [notice] <0.3749.0> 
2023-09-13 17:29:45.329000+05:30 [info] <0.3752.0> accepting AMQP connection <0.3752.0> ([::1]:61235 -> [::1]:5671)
2023-09-13 17:29:45.330000+05:30 [error] <0.3752.0> closing AMQP connection <0.3752.0> ([::1]:61235 -> [::1]:5671):
2023-09-13 17:29:45.330000+05:30 [error] <0.3752.0> {inet_error,{tls_alert,{unknown_ca,"TLS server: In state connection received CLIENT ALERT: Fatal - Unknown CA\n"}}}
2023-09-13 17:29:45.330000+05:30 [debug] <0.3755.0> Closing all channels from connection '[::1]:61235 -> [::1]:5671' because it has been closed

I did check against https://www.rabbitmq.com/troubleshooting-ssl.html, and everything looks fine. I created the certificates using tls-gen (https://github.com/rabbitmq/tls-gen).

Using the code below for the RabbitMQ connection:

using System;
using System.Security.Authentication;
using RabbitMQ.Client;

// Logger is the author's own helper class (not shown in the question).
try
{
    string rabbitmqHostName = "PNQ1-LP98R10J3";
    string rabbitmqServerName = "PNQ1-LP98R10J3";
    string certificateFilePath = "C:\\Users\\UserId\\AppData\\Roaming\\RabbitMQ\\fromclient\\client_vwmazadsolapac4_certificate.pem";
    string certificatePassphrase = "";
    string rabbitmqUsername = "test";
    string rabbitmqPassword = "test";
    var mTLSEnabled = false;
    var factory = new ConnectionFactory();

    factory.Uri = new Uri($"amqps://{rabbitmqUsername}:{rabbitmqPassword}@{rabbitmqHostName}:5671");

    // Note: This should NEVER be "localhost"
    factory.Ssl.ServerName = rabbitmqServerName;

    if (mTLSEnabled)
    {
        // Path to my .p12 file.
        // (The .NET client loads CertPath as a PKCS#12 bundle, so a .pem path here
        // would not load; this branch is not exercised while mTLSEnabled is false.)
        factory.Ssl.CertPath = certificateFilePath;
        // Passphrase for the certificate file - set through OpenSSL
        factory.Ssl.CertPassphrase = certificatePassphrase;
    }

    factory.Ssl.Enabled = true;

    // Make sure TLS 1.2 is supported & enabled by your operating system
    factory.Ssl.Version = SslProtocols.Tls12;

    // This is the default RabbitMQ secure port (5671 when Ssl.Enabled is true)
    factory.Port = AmqpTcpEndpoint.UseDefaultPort;
    factory.VirtualHost = "/";

    using (var connection = factory.CreateConnection())
    {
        using (var channel = connection.CreateModel())
        {
            Logger.LogWriter($"{System.Reflection.MethodBase.GetCurrentMethod().Name} - Successfully connected and opened a channel");
            Console.WriteLine("Successfully connected and opened a channel");
            channel.QueueDeclare("rabbitmq-dotnet-test", false, false, false, null);
            Logger.LogWriter($"{System.Reflection.MethodBase.GetCurrentMethod().Name} - Successfully declared a queue");
            Console.WriteLine("Successfully declared a queue");
            channel.QueueDelete("rabbitmq-dotnet-test");
            Console.WriteLine("Successfully deleted the queue");
            Logger.LogWriter($"{System.Reflection.MethodBase.GetCurrentMethod().Name} - Successfully deleted a queue");
        }
    }
}
catch (System.Exception ex)
{
    var error = ex.ToString();
    Logger.LogWriter($"{System.Reflection.MethodBase.GetCurrentMethod().Name} - {error}");
    System.Console.WriteLine(error);
}

I am not able to find the reason it is throwing this error. I tried the things given in https://www.rabbitmq.com/troubleshooting-ssl.html and those seem to be working fine.

rabbitmq-diagnostics.bat --silent tls_versions (output shown as a screenshot in the original, not reproduced here)

rabbitmq-diagnostics.bat cipher_suites --format openssl --silent (output shown as a screenshot in the original, not reproduced here)

Use OpenSSL Tools to Test TLS Connections (output shown as a screenshot in the original, not reproduced here)

Upvotes: 1

Views: 1571

Answers (0)
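The alert in the broker log is a CLIENT alert: "Unknown CA" is what the .NET client (SslStream) sends after it rejects the broker's certificate chain, which is also what the stack trace says ("The remote certificate is invalid according to the validation procedure"). By default the .NET client validates the chain against the Windows trusted root store, and a CA generated by tls-gen is self-created and not in that store. The broker-side `ssl_options.verify = verify_none` governs only client certificates and has no effect on this check. The example below is added here and is not the asker's code or the RabbitMQ project's; it connects with a validation callback that trusts exactly the tls-gen CA file, instead of silencing the check with `AcceptablePolicyErrors = RemoteCertificateChainErrors` (which would accept any certificate). The CA path, host name and credentials are assumptions taken from the question; it targets .NET 5+ and the RabbitMQ .NET client 6.x.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

// Added example (not from the question): pin the tls-gen CA on the client side.
static class RabbitMqPinnedCa
{
    // Assumption: the same CA file the broker's ssl_options.cacertfile points at.
    const string CaCertPath = @"C:\Users\UserId\AppData\Roaming\RabbitMQ\result-new\ca_certificate.pem";
    // Assumption: host name tls-gen put into the server certificate's CN/SAN.
    const string BrokerHost = "PNQ1-LP98R10J3";

    // Returns a validator that accepts the broker certificate only if it chains
    // to trustedCa. Kept separate from Connect() so it can be tested without a broker.
    public static RemoteCertificateValidationCallback MakeValidator(X509Certificate2 trustedCa)
    {
        return (sender, certificate, chain, errors) =>
        {
            // A missing certificate or a host-name mismatch is never acceptable,
            // regardless of which CA signed it.
            if (certificate == null) return false;
            if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
            if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

            // Rebuild the chain against a custom root set containing only our CA,
            // so the Windows machine store is not consulted at all.
            using var custom = new X509Chain();
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.Add(trustedCa);
            // tls-gen's CA publishes no CRL/OCSP, so revocation checking would always fail.
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Reuse any intermediates the server presented during the handshake.
            if (chain != null)
            {
                foreach (var element in chain.ChainElements)
                    custom.ChainPolicy.ExtraStore.Add(element.Certificate);
            }
            return custom.Build(new X509Certificate2(certificate));
        };
    }

    public static void Connect()
    {
        // PEM -> X509Certificate2 (available on .NET 5 and later).
        var trustedCa = X509Certificate2.CreateFromPem(File.ReadAllText(CaCertPath));

        var factory = new ConnectionFactory
        {
            HostName = BrokerHost,
            Port = 5671,           // AMQPS port from listeners.ssl.default in the question
            UserName = "test",     // assumption, as in the question
            Password = "test",
            VirtualHost = "/",
        };
        factory.Ssl.Enabled = true;
        factory.Ssl.ServerName = BrokerHost;  // must match the certificate, never "localhost"
        factory.Ssl.Version = SslProtocols.Tls12;
        factory.Ssl.CertificateValidationCallback = MakeValidator(trustedCa);
        // Deliberately not set: factory.Ssl.AcceptablePolicyErrors. Setting it to
        // RemoteCertificateChainErrors would make the client accept any certificate,
        // including one presented by a machine-in-the-middle.

        using var connection = factory.CreateConnection();
        using var channel = connection.CreateModel();
        Console.WriteLine($"Connected over TLS to {BrokerHost} with a pinned CA");
    }
}
```

The callback re-validates the chain with `CustomRootTrust`, so the tls-gen CA does not have to be imported into the Windows store; if you would rather keep the default validator, the equivalent fix is to import `ca_certificate.pem` into the machine's Trusted Root Certification Authorities store (for example `certutil -addstore Root ca_certificate.pem` from an elevated prompt), after which the unmodified code from the question connects. Either way the name check still has to pass, so `Ssl.ServerName` must equal the CN/SAN tls-gen wrote into the server certificate.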
