我正在使用Windows Server 2012,Erlang 19.2和RabbitMq 3.6.6。 我在使用TLSconfiguration端点之间的连接时遇到问题。 我已经尝试了所有的答案,以及这里和这里的所有RabbitMq文档。 不知道我们做错了什么。
在此处的故障排除链接中, 除 “尝试与代理的SSL连接”部分外 ,所有testing都通过。 这是问题所在,我不知道为什么。
当我通过故障排除文档查看是否可以在端口8443上通过SSL获得对等连接时,它可以正常工作。 然后试图连接到5671端口的代理失败,说不好握手。
将RabbitMqconfiguration文件切换到8443不做任何事情,除了使对等设备工作在5671上而在8443上失败。
我的configuration文件:
[ {rabbit, [ {ssl_listeners, [5671]}, {ssl_options, [{cacertfile,"C:\\rabbitcerts\\testca\\cacert.pem"}, {certfile,"C:\\rabbitcerts\\server\\cert.pem"}, {keyfile,"C:\\rabbitcerts\\server\\key.pem"}, {depth, 2}, {verify,verify_peer}, {fail_if_no_peer_cert,false}]} ]} ].
运行这个命令:
c:\ rabbitcerts> openssl s_client -connect localhost:5671 -cert client / cert.pem -key client / key.pem -CAfile testca / cacert.pem
产生这个错误:
Loading 'screen' into random state - done CONNECTED(000001BC) write:errno=10054
并在日志文件中:
=INFO REPORT==== 19-Jan-2017::16:42:50 === Memory limit set to 716MB of 1791MB total. =INFO REPORT==== 19-Jan-2017::16:42:50 === Disk free limit set to 50MB =INFO REPORT==== 19-Jan-2017::16:42:50 === Limiting to approx 8092 file handles (7280 sockets) =INFO REPORT==== 19-Jan-2017::16:42:50 === FHC read buffering: OFF FHC write buffering: ON =INFO REPORT==== 19-Jan-2017::16:42:50 === Priority queues enabled, real BQ is rabbit_variable_queue =INFO REPORT==== 19-Jan-2017::16:42:51 === Starting rabbit_node_monitor =INFO REPORT==== 19-Jan-2017::16:42:51 === Management plugin: using rates mode 'basic' =INFO REPORT==== 19-Jan-2017::16:42:51 === msg_store_transient: using rabbit_msg_store_ets_index to provide index =INFO REPORT==== 19-Jan-2017::16:42:51 === msg_store_persistent: using rabbit_msg_store_ets_index to provide index =INFO REPORT==== 19-Jan-2017::16:42:51 === started TCP Listener on [::]:5672 =INFO REPORT==== 19-Jan-2017::16:42:51 === started TCP Listener on 0.0.0.0:5672 =INFO REPORT==== 19-Jan-2017::16:42:51 === started SSL Listener on [::]:5671 =INFO REPORT==== 19-Jan-2017::16:42:51 === started SSL Listener on 0.0.0.0:5671 =INFO REPORT==== 19-Jan-2017::16:42:51 === Management plugin started. Port: 15672 =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics event collector started. ... =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics database started. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_queue_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_queue_stats_deliver_get with interval 5000. ... =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_queue_exchange_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_vhost_stats_deliver_get with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_vhost_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_vhost_stats_queue_msg_rates with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_vhost_stats_queue_msg_counts with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_vhost_stats_coarse_conn_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_queue_stats_deliver_get with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_queue_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_queue_stats_queue_msg_counts with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_stats_deliver_get with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_stats_queue_msg_counts with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_stats_process_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_exchange_stats_deliver_get with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_channel_exchange_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_exchange_stats_fine_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table aggr_node_stats_coarse_node_stats with interval 5000. ... =INFO REPORT==== 19-Jan-2017::16:42:51 === Statistics garbage collector started for table connection_stats with interval 5000. =INFO REPORT==== 19-Jan-2017::16:42:51 === Server startup complete; 6 plugins started. * rabbitmq_management * rabbitmq_web_dispatch * webmachine * mochiweb * rabbitmq_management_agent * amqp_client =ERROR REPORT==== 19-Jan-2017::16:54:39 === SSL: hello: tls_handshake.erl:202:Fatal error: handshake failure - handshake_decode_error
我错过了什么?
我已经联系到我的networkingpipe理员,看看服务器上是否有configuration,我们可能会失踪,根据这个答案 ,但我想听取其他人,因为我相信我不能是唯一遇到任何问题的人
UPDATE
看来我正在越来越接近使用来自@jww的新命令。
openssl s_client -connect mymachine:5671 -tls1 -servername mymachine
输出:
Loading 'screen' into random state - done CONNECTED(000001BC) depth=1 /CN=MyTestCA verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/CN=$(hostname)/O=server i:/CN=MyTestCA 1 s:/CN=MyTestCA i:/CN=MyTestCA --- Server certificate -----BEGIN CERTIFICATE----- MIIC5DCCAcygAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl c3RDQTAeFw0xNzAxMTkxNjA1NDhaFw0xODAxMTkxNjA1NDhaMCcxFDASBgNVBAMU CyQoaG9zdG5hbWUpMQ8wDQYDVQQKEwZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC1WnL4V7VWwi9EytZT1UTR3ixQcXwCSWDe3aS8yk1KFadL 1ZPBgj3ZYDs/NwDX/KJ/d31yCgpwl/ZS6lWjn2Ect7BfHwKHd98L5SVl9Na2TPUP 73kLdITDYvJbACoQu+JT60CNPBXsTPww2L2OpFYUhDSXGwV721Y5rcaU9a2VPzjp N0puT8qdxMmOz7Zp2WAjmkmSRpbOz2Z3/BbVI9zPMYLenmOeoLDOpM2vGqeLRSy1 ruBd7Rw3gFKvYN/flXZyfZkqrY5FOju6okp6n9KvnibnmgATS1OuSmADFS78x0Zz XM7Cep23b4Ix+ckB4PzpAwRKsiWv534veN1lK42hAgMBAAGjLzAtMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEB CwUAA4IBAQBolBD+sy7H1SdtgGsS45eYp1zSEPlOEZLZhmCsN4zN4rG0Qo6SGEvd cODk3hIWfglgb50oouGGebE84ReTSLQvFp9eGoIokB8azy2l25weZPvyPjjkdBiF /XI3Wn/oJaRX9t2nnMZjQE14W22KqwGewMh0PywdLcjV6llqmFzZAQv6GTIvyOZw QqCZjanYXGtyi3QSK6D1MxBaDW7hg4/WaUkNEhKVEQ6Vm3EvnvGVD6XZVP7RM7Iy oN7wXuGlasoBx7Zs5sJh1/uNYyN2QHYKu8z5tLgXACzA9phNLeOGaimxIZIUAjnJ IY08bwLeo/hbDKNA3hvyQlgSpy7t2U4o -----END CERTIFICATE----- subject=/CN=$(hostname)/O=server issuer=/CN=MyTestCA --- Acceptable client certificate CA names /CN=MyTestCA --- SSL handshake has read 1659 bytes and written 453 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 0E00F18E516DBD5C7EE7F7FE070BDC09FBE3B731FA8D1DF2ECD75E455BB8A6EF Session-ID-ctx: Master-Key: 61F018A5B629EE6015F88B076AEA8765E153A8CCB2241766DFD0BCC369DC703C9BF42249E47C93EEA318899615732390 Key-Arg : None Start Time: 1484872012 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- closed
在这个特殊的情况下,一切正常。 但是,在RabbitMq控制台中创建对等连接进行故障诊断时,似乎在尝试连接到代理时通过不同的协议创建连接。
所以,这不起作用:
openssl s_client -connect localhost:5671 -cert client / cert.pem -key client / key.pem -CAfile testca / cacert.pem
我在参数中添加了-tls1 ,per @ jww的其他建议,这就是我创建安全连接所需要的。
openssl s_client -connect localhost:5671 -tls1 -cert client / cert.pem -key client / key.pem -CAfile testca / cacert.pem
产生一个Verify code: (ok) 。
Loading 'screen' into random state - done CONNECTED(000001BC) depth=1 /CN=MyTestCA verify return:1 depth=0 /CN=$(hostname)/O=server verify return:1 --- Certificate chain 0 s:/CN=$(hostname)/O=server i:/CN=MyTestCA 1 s:/CN=MyTestCA i:/CN=MyTestCA --- server certificate -----BEGIN CERTIFICATE----- MIIC5DCCAcygAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl c3RDQTAeFw0xNzAxMTkxNjA1NDhaFw0xODAxMTkxNjA1NDhaMCcxFDASBgNVBAMU CyQoaG9zdG5hbWUpMQ8wDQYDVQQKEwZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC1WnL4V7VWwi9EytZT1UTR3ixQcXwCSWDe3aS8yk1KFadL 1ZPBgj3ZYDs/NwDX/KJ/d31yCgpwl/ZS6lWjn2Ect7BfHwKHd98L5SVl9Na2TPUP 73kLdITDYvJbACoQu+JT60CNPBXsTPww2L2OpFYUhDSXGwV721Y5rcaU9a2VPzjp N0puT8qdxMmOz7Zp2WAjmkmSRpbOz2Z3/BbVI9zPMYLenmOeoLDOpM2vGqeLRSy1 ruBd7Rw3gFKvYN/flXZyfZkqrY5FOju6okp6n9KvnibnmgATS1OuSmADFS78x0Zz XM7Cep23b4Ix+ckB4PzpAwRKsiWv534veN1lK42hAgMBAAGjLzAtMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEB CwUAA4IBAQBolBD+sy7H1SdtgGsS45eYp1zSEPlOEZLZhmCsN4zN4rG0Qo6SGEvd cODk3hIWfglgb50oouGGebE84ReTSLQvFp9eGoIokB8azy2l25weZPvyPjjkdBiF /XI3Wn/oJaRX9t2nnMZjQE14W22KqwGewMh0PywdLcjV6llqmFzZAQv6GTIvyOZw QqCZjanYXGtyi3QSK6D1MxBaDW7hg4/WaUkNEhKVEQ6Vm3EvnvGVD6XZVP7RM7Iy oN7wXuGlasoBx7Zs5sJh1/uNYyN2QHYKu8z5tLgXACzA9phNLeOGaimxIZIUAjnJ IY08bwLeo/hbDKNA3hvyQlgSpy7t2U4o -----END CERTIFICATE----- subject=/CN=$(hostname)/O=server issuer=/CN=MyTestCA --- Acceptable client certificate CA names /CN=MyTestCA --- SSL handshake has read 1659 bytes and written 2163 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 56CC3AB350BF91DB4CD2A89F62FD60322E553628C381E11B179BD9C8D22184BF Session-ID-ctx: Master-Key: 6FB8A241FD0A5C3ECCBE88DE4C36C412CBE5E8D58DAAB209D24438F72CCA7F9332511A277EBC0919775490057F46CCC7 Key-Arg : None Start Time: 1484921846 Timeout : 7200 (sec) Verify return code: 0 (ok)
最近设置开发兔子的时候有“连接重置”的错误。 事情要尝试:
我自己在Centos7上安装了RabbitMQ服务器,在Windows上安装了客户端。 对于开发环境,我使用tls-gen来生成证书。 很容易。