I am using Windows Server 2012, Erlang 19.2 and RabbitMQ 3.6.6. I am having trouble configuring the connection between endpoints with TLS. I have tried every answer on SO as well as all of the RabbitMQ documentation here and here. Not sure what we are doing wrong.
In the troubleshooting link here, all of the tests pass except the "Attempt SSL connection to broker" piece. That is where the problem is, and I am not sure why.
When I go through the troubleshooting documentation and check whether you can get a peer connection over SSL on port 8443, it works fine. Then trying to connect to the broker on port 5671 fails with a bad handshake.
Switching the RabbitMQ config file to 8443 does nothing except make the peer connection work on 5671 and fail on 8443.
My config file:
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"C:\\rabbitcerts\\testca\\cacert.pem"},
{certfile,"C:\\rabbitcerts\\server\\cert.pem"},
{keyfile,"C:\\rabbitcerts\\server\\key.pem"},
{depth, 2},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].
Running this command:
c:\rabbitcerts> openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
produces this error:
Loading 'screen' into random state - done
CONNECTED(000001BC)
write:errno=10054
In the log file:
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Memory limit set to 716MB of 1791MB total.
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Disk free limit set to 50MB
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Limiting to approx 8092 file handles (7280 sockets)
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
FHC read buffering: OFF
FHC write buffering: ON
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Priority queues enabled, real BQ is rabbit_variable_queue
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Starting rabbit_node_monitor
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin: using rates mode 'basic'
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on 0.0.0.0:5672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on [::]:5671
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on 0.0.0.0:5671
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin started. Port: 15672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics event collector started.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics database started.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_deliver_get with interval 5000.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_rates with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_coarse_conn_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_process_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_node_stats_coarse_node_stats with interval 5000.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table connection_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Server startup complete; 6 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* webmachine
* mochiweb
* rabbitmq_management_agent
* amqp_client
=ERROR REPORT==== 19-Jan-2017::16:54:39 ===
SSL: hello: tls_handshake.erl:202:Fatal error: handshake failure - handshake_decode_error
What am I missing?
I have contacted my network administrator to see whether there is some configuration on the server that we might be missing (answer on SO), but I wanted to hear other opinions, since I am sure I should not be running into any problems...
Update
It seems I am getting closer using the new command from @jww.
openssl s_client -connect mymachine:5671 -tls1 -servername mymachine
Output:
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 /CN=MyTestCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=$(hostname)/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
subject=/CN=$(hostname)/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1659 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 0E00F18E516DBD5C7EE7F7FE070BDC09FBE3B731FA8D1DF2ECD75E455BB8A6EF
Session-ID-ctx:
Master-Key: 61F018A5B629EE6015F88B076AEA8765E153A8CCB2241766DFD0BCC369DC703C9BF42249E47C93EEA318899615732390
Key-Arg : None
Start Time: 1484872012
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
Answer 0 (score: 2)
In this particular case everything was set up correctly. However, when creating the peer connection in the RabbitMQ console for troubleshooting, it appears to create the connection over a different protocol than the one used when trying to connect to the broker.
So, this does not work:
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
Following @jww's other suggestion, I added -tls1 to the arguments, and that was all I needed to create a secure connection.
openssl s_client -connect localhost:5671 -tls1 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
resulting in Verify code: (ok).
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 /CN=MyTestCA
verify return:1
depth=0 /CN=$(hostname)/O=server
verify return:1
---
Certificate chain
0 s:/CN=$(hostname)/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
subject=/CN=$(hostname)/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1659 bytes and written 2163 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 56CC3AB350BF91DB4CD2A89F62FD60322E553628C381E11B179BD9C8D22184BF
Session-ID-ctx:
Master-Key: 6FB8A241FD0A5C3ECCBE88DE4C36C412CBE5E8D58DAAB209D24438F72CCA7F9332511A277EBC0919775490057F46CCC7
Key-Arg : None
Start Time: 1484921846
Timeout : 7200 (sec)
Verify return code: 0 (ok)
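As an added example, not part of the question or either answer: a small POSIX shell helper that classifies an openssl s_client result into the three outcomes seen on this page (connection reset before the handshake finished, handshake completed but chain not trusted, and ok), plus a probe that repeats the pinned-version check across TLS versions so you can see which ones the listener actually accepts instead of relying on whichever version happened to work. The host, port and CA path handed to probe_versions are placeholders, and the sample outputs are constructed.

```shell
# Added example (not from the original question or answers). The sample
# outputs are constructed to mirror the three results shown on this page;
# host, port and CA path passed to probe_versions are placeholders.

# classify_s_client OUTPUT
# Prints: no-handshake  TCP reset before TLS finished (e.g. write:errno=10054)
#         untrusted     handshake done, chain not verified (verify code != 0)
#         ok            handshake done, chain verified
classify_s_client() {
  if printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  elif printf '%s\n' "$1" | grep -q 'Verify return code:'; then
    echo untrusted
  else
    echo no-handshake
  fi
}

# negotiated_protocol OUTPUT -> the "Protocol :" value, or "none".
# Worth recording per probe: a listener that only negotiates TLSv1 is a
# weak posture, since TLS 1.0 is deprecated.
negotiated_protocol() {
  p=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  if [ -n "$p" ]; then echo "$p"; else echo none; fi
}

# probe_versions HOST PORT CAFILE -> one pinned s_client run per TLS version,
# with SNI and the trust anchor so the chain can actually be verified.
# Needs network access to the broker, so it is not invoked below.
probe_versions() {
  for flag in -tls1 -tls1_1 -tls1_2; do
    out=$(openssl s_client -connect "$1:$2" "$flag" -servername "$1" \
            -CAfile "$3" </dev/null 2>&1)
    echo "$flag $(negotiated_protocol "$out") $(classify_s_client "$out")"
  done
}

# Constructed samples, abridged from the question's three s_client runs.
RESET_OUT='CONNECTED(000001BC)
write:errno=10054'
UNTRUSTED_OUT='Protocol  : TLSv1
Verify return code: 19 (self signed certificate in certificate chain)'
OK_OUT='Protocol  : TLSv1
Verify return code: 0 (ok)'

for o in "$RESET_OUT" "$UNTRUSTED_OUT" "$OK_OUT"; do
  echo "$(negotiated_protocol "$o") $(classify_s_client "$o")"
done
```

Run probe_versions against the broker (for example `probe_versions localhost 5671 testca/cacert.pem`) to see one line per TLS version; a version that reports no-handshake is simply not offered by the listener.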
Answer 1 (score: 0)
I recently ran into a "connection reset by peer" error while setting up a development rabbit. Things to try:
I installed the RabbitMQ server myself on CentOS 7 and the client on Windows. For the development environment I used tls-gen to generate the certificates. Very easy.