SSL upgrade error cacrtfile

SSL upgrade error cacrtfile

Narayan
I'm trying to get SSL working on my Rabbit server, following the instructions at https://www.rabbitmq.com/ssl.html, but am getting this error when making connections:
started SSL Listener on [::]:5671
error on AMQP connection <0.678.0>: {ssl_upgrade_error,{options,{cacertfile,[47,11... 
in the broker log file.

I'm following the SSL troubleshooting guide http://www.rabbitmq.com/troubleshooting-ssl.html

* Check SSL support in Erlang               ----- SUCCESS
ssl:versions().
SSL version: [{ssl_app,"5.3"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
RabbitMQ 3.3.0, Erlang R16B01

* Check keys and certificates with OpenSSL       ------ SUCCESS
    openssl client output is listed below 
    openssl s_client -connect localhost:8443 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = primedev, O = server
verify return:1
---
Certificate chain
 0 s:/CN=primedev/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
subject=/CN=primedev/O=server
issuer=/CN=MyTestCA
---
No client certificate CA names sent
---
SSL handshake has read 2176 bytes and written 247 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1401261748
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

* Check broker is listening            ------ SUCCESS
started SSL Listener on [::]:5671

* Attempt SSL connection to broker          ------ FAILED

=INFO REPORT==== ===
accepting AMQP connection <0.223.0> (.... -> 127.0.0.1:5671)

After this I got the same error:
error on AMQP connection <0.678.0>: {ssl_upgrade_error,{options,{cacertfile,[47,11... 

Here is what openssl s_client shows when trying to connect to the RMQ SSL port:

openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Please help me to establish an SSL RabbitMQ connection. Thanks in advance.

--
Thanks & Regards
Narayan

_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Re: SSL upgrade error cacrtfile

Michael Klishin-2
 On 4 June 2014 at 12:00:48, Narayan ([hidden email]) wrote:
> > * Check SSL support in Erlang ----- SUCCESS
> ssl:versions().
> SSL version: [{ssl_app,"5.3"},
> {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
> RabbitMQ 3.3.0, Erlang R16B01

What client do you use? Do you configure SSL to any specific version?
What OS do your client and RabbitMQ run on?
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: SSL upgrade error cacrtfile

Michael Klishin-2
Narayan,

please keep rabbitmq-discuss in CC. 

On 4 June 2014 at 16:08:14, Narayan Reddy ([hidden email]) wrote:
> > What client do you use?
> I need to use the cpp client,

Which one? Can you link to it?

> but the ssl connection is not happening  
> even with openssl util (in s_client mode)



> Openssl client output:
>  
> $ openssl s_client -connect localhost:5671 -cert client/cert.pem  
> -key client/key.pem -CAfile testca/cacert.pem
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 113 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT su

This suggests the client and the server cannot agree on a shared cipher suite
to use.

What do

 * openssl version
 * openssl ciphers -v

output for you?
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: SSL upgrade error cacrtfile

Narayan
Hi Michael,
Thanks for the reply. Ignore the duplicate mail, sorry for that.
First I want to check with the openssl util; if it works fine then I can go to the cpp client.

> This suggests the client and the server cannot agree on a shared cipher suite
> to use.
>
> What do
>
>  * openssl version
>  * openssl ciphers -v
>
> output for you?


# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010


# openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
KRB5-DES-CBC-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=SHA1
KRB5-DES-CBC-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-KRB5-RC2-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=SHA1 export
EXP-KRB5-RC2-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=RC2(40)   Mac=MD5  export
EXP-KRB5-DES-CBC-MD5    SSLv3 Kx=KRB5     Au=KRB5 Enc=DES(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-KRB5-RC4-SHA        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=SHA1 export
EXP-KRB5-RC4-MD5        SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(40)   Mac=MD5  export




Re: SSL upgrade error cacrtfile

Michael Klishin-2
On 4 June 2014 at 16:56:11, Narayan Reddy ([hidden email]) wrote:
> > # openssl ciphers -v

OK, great. What about

io:format("~p~n", [ssl:cipher_suites()]).

from the Erlang shell? (`erl`)
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: SSL upgrade error cacrtfile

Narayan
# erl
Erlang R16B (erts-5.10.1) [source] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V5.10.1  (abort with ^G)
1> io:format("~p~n", [ssl:cipher_suites()]).
[{dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_cbc,sha256},
 {dhe_rsa,aes_128_cbc,sha256},
 {dhe_dss,aes_128_cbc,sha256},
 {rsa,aes_128_cbc,sha256},
 {dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {dhe_rsa,'3des_ede_cbc',sha},
 {dhe_dss,'3des_ede_cbc',sha},
 {rsa,'3des_ede_cbc',sha},
 {dhe_rsa,aes_128_cbc,sha},
 {dhe_dss,aes_128_cbc,sha},
 {rsa,aes_128_cbc,sha},
 {rsa,rc4_128,sha},
 {rsa,rc4_128,md5},
 {dhe_rsa,des_cbc,sha},
 {rsa,des_cbc,sha}]
ok
2>





Re: SSL upgrade error cacrtfile

Narayan
Hi Michael,
Is any other information needed? Is there anything I should change and check? Please help me to resolve this issue.

--
Thanks & Regards
Narayan



Re: SSL upgrade error cacrtfile

Michael Klishin-2
On 5 June 2014 at 12:03:16, Narayan Reddy ([hidden email]) wrote:
> > Any other information needed ? Any thing should i change and  
> check ? Please help me to resolve this issue .

I suspected that client and server may not have a shared cipher suite to use
but then it would be clear from the error message.

I now suspect that the client you use simply does not support SSL or do
it correctly. Please contact the author (and specify what client that is here).

You can also try with {fail_if_no_peer_cert,false},
or even no peer verification (if that's acceptable in your environment).

Because Erlang's SSL support does not use OpenSSL, it may be worth trying using
a more recent OTP release (R16B03 or R17). 
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: SSL upgrade error cacrtfile

Matthias Radestock-3
In reply to this post by Narayan
On 05/06/14 09:02, Narayan Reddy wrote:
>              Any other information needed ? Any thing should i change
> and check ? Please help me to resolve this issue .

Try the latest 3.3.2 release, which improves SSL error reporting at the
server end.

Matthias.

Re: SSL upgrade error cacrtfile

Narayan
Thanks Matthias, will check with RMQ 3.3.2 and get back to you.

@Michael: checked with the Erlang R17 version and with no peer verification; in both cases it showed the previous error itself (ssl_upgrade_error, cacertfile....)



Re: SSL upgrade error cacrtfile

Narayan
I checked with RMQ 3.3.2. This is the error displayed in the broker.log file.


=INFO REPORT==== 10-Jun-2014::14:02:14 ===
accepting AMQP connection <0.323.0> (127.0.0.1:38626 -> 127.0.0.1:5671)

=ERROR REPORT==== 10-Jun-2014::14:02:19 ===
error on AMQP connection <0.323.0>:
{ssl_upgrade_error,
    {options,{cacertfile,"/home/prime/SSL/testca/cacert.pem",{error,eacces}}}}

In which cases can it throw the error eaccess? Please help me to resolve this issue.

Thanks







Re: SSL upgrade error cacrtfile

Michael Klishin-2
 On 10 June 2014 at 12:42:15, Narayan Reddy ([hidden email]) wrote:
> > {ssl_upgrade_error,
> {options,{cacertfile,"/home/prime/SSL/testca/cacert.pem",{error,eacces}}}}  
>  
>  
> In which cases it can throw the error eaccess ?, Please help me  
> to resolve this issue.

File permission error of a kind. Make sure the file can be read by
the active RabbitMQ process user.
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: SSL upgrade error cacrtfile

Narayan
Checked the permissions for the files: all permissions are set to 777 for the SSL files, and I changed the owner of the files to the active RMQ process user. Still facing the same error:
{options,{cacertfile,"/home/prime/SSL/testca/cacert.pem",{error,eacces}}}}
-rwxrwxrwx 1 rabbitmq rabbitmq 1751 May 26 18:19 ca.key
drwxrwxrwx 2 rabbitmq rabbitmq 4096 May 28 12:31 client
drwxrwxrwx 2 rabbitmq rabbitmq 4096 May 28 12:27 server
drwxrwxrwx 4 rabbitmq rabbitmq 4096 May 28 12:30 testca
[root@primedev SSL]# cd server/
[root@primedev server]# ll
total 16
-rwxrwxrwx 1 rabbitmq rabbitmq 1058 May 28 12:26 cert.pem
-rwxrwxrwx 1 rabbitmq rabbitmq 2341 May 28 12:27 keycert.p12
-rwxrwxrwx 1 rabbitmq rabbitmq 1675 May 28 12:24 key.pem
-rwxrwxrwx 1 rabbitmq rabbitmq  911 May 28 12:25 req.pem


--
Thanks



Re: SSL upgrade error cacrtfile

Simon MacMullen-2
On 11/06/14 08:15, Narayan Reddy wrote:
> Checked the permissions for the files, all permissions set to 777 for
> ssl files. and change the owner of the files to active RMQ process user.
> still facing the same error >
> {options,{cacertfile,"/home/prime/SSL/testca/cacert.pem",{error,eacces}}}}

That "eaccess" really is telling you that the file cannot be read. Just
because the permissions on the files are open doesn't mean the file can
be read; intermediate directories must be readable too.

I strongly recommend you become the rabbitmq user (with e.g. "sudo -s -u
rabbitmq") and try to read the files. This should let you diagnose any
problems.

Cheers, Simon

--
Simon MacMullen
RabbitMQ, Pivotal
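
Added example, not part of the thread or of RabbitMQ: a check for the situation Simon describes, where the file is mode 777 but a directory above it cannot be searched by the broker's user, so the open fails with eacces. The function names, the `check.sh` file name and the 700 mode on `prime` are assumptions, and it relies on `stat -c` as found on Linux.

```shell
#!/bin/sh
# Classic POSIX mode bits only; ACLs, SELinux and mount options are ignored.

# allows MODE OWNER_UID OWNER_GID UID "GIDS" NEED   (NEED: 4=read, 1=search)
# Exactly one class is consulted: owner if the uid matches, else group if
# any gid matches, else other.
allows() {
    [ "$4" -eq 0 ] && return 0            # root bypasses these checks
    mode=$(printf '%04d' "$1")            # "755" -> "0755"
    mode=${mode#?}                        # drop the setuid/setgid/sticky digit
    if [ "$4" -eq "$2" ]; then
        digit=${mode%??}                  # owner class
    else
        digit=${mode#??}                  # other class, unless a gid matches
        for g in $5; do
            if [ "$g" -eq "$3" ]; then mid=${mode#?}; digit=${mid%?}; fi
        done
    fi
    [ $(( digit & $6 )) -ne 0 ]
}

# first_blocked PATH UID "GIDS": print the first component of PATH that UID
# cannot search (directories) or read (last component), or "ok".
# Run it as a user that can stat every component, e.g. root.
first_blocked() {
    path=$1; uid=$2; gids=$3
    old_ifs=$IFS; IFS=/; set -f
    set -- $path                          # split PATH on "/"
    set +f; IFS=$old_ifs
    cur=; n=$#
    for comp in "$@"; do
        n=$((n - 1))
        if [ -z "$comp" ]; then
            [ -z "$cur" ] || continue     # empty field from "//"
            cur=/                         # leading "/" of an absolute path
        else
            case $cur in ''|/) cur=$cur$comp ;; *) cur=$cur/$comp ;; esac
        fi
        if [ "$n" -eq 0 ]; then need=4; else need=1; fi
        m=$(stat -L -c %a "$cur" 2>/dev/null) || { echo "$cur (cannot stat)"; return 0; }
        allows "$m" "$(stat -L -c %u "$cur")" "$(stat -L -c %g "$cur")" \
            "$uid" "$gids" "$need" || { echo "$cur"; return 0; }
    done
    echo ok
}

# Constructed sample tree: SSL files are all 777 as in the thread; the 700
# mode on "prime" is an assumption, the thread does not show it.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/prime/SSL/testca"
    : > "$root/home/prime/SSL/testca/cacert.pem"
    chmod -R 777 "$root/home/prime/SSL"
    chmod 755 "$root" "$root/home"
    chmod 700 "$root/home/prime"
    echo "$root"
}

# Demo identity: neither owner nor group member (owner's uid and gid plus 1).
demo() {
    root=$(make_demo_tree) || return 1
    u=$(( $(stat -c %u "$root") + 1 )); g2=$(( $(stat -c %g "$root") + 1 ))
    (cd "$root" && first_blocked home/prime/SSL/testca/cacert.pem "$u" "$g2")
    rm -rf "$root"
}

# Real use (hypothetical file name): sh check.sh /path/to/cacert.pem rabbitmq
if [ "$#" -eq 2 ]; then first_blocked "$1" "$(id -u "$2")" "$(id -G "$2")"; else demo; fi
```

On the constructed tree the result is `home/prime`: the first directory the other user cannot search, even though everything below it is 777.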

Re: SSL upgrade error cacrtfile

Narayan
Thanks Simon, Michael, Matthias & RMQ team.

sudo -s -u rabbitmq
bash-4.1$
bash-4.1$
bash-4.1$ cat /home/prime/SSL/testca/cert.pem
cat: /home/prime/SSL/testca/cert.pem: Permission denied
bash-4.1$

Yes, the error was due to permissions only; will correct it. Tried with a Windows RMQ server and it worked fine. Thanks for the support, RMQ team.


