Error TLS MQTT (Rabbitmq)

[ruem2802]

Hi, i have a issuae, a config rabbitmq with /etc/rabbitmq/rabbit.conf and a add plugin mqtt,
In rabbitmq.conf i config:

default TLS-enabled port for MQTT connections

mqtt.listeners.tcp.1 = 8883
mqtt.listeners.tcp.default = 1883

ssl_options.cacertfile = /etc/rabbitmq/tls-gen/basic/result/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/tls-gen/basic/result/server_certificate>
ssl_options.keyfile = /etc/rabbitmq/tls-gen/basic/result/server_key.pem

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

i want to use tls mqtt in port 8883
But in client i use MQTTBox and MQTTfx, i cant connect to server MQTT (Rabbitmq - port 8883)
Can U help me about that!
In my server i add : ca_certificate.pem, client_certificate.pem and client_key.pem
Thank!

[michaelklishin]

I will convert this issue to a GitHub discussion. Currently GitHub will automatically close and lock the issue even though your question will be transferred and responded to elsewhere. This is to let you know that we do not intend to ignore this but this is how the current GitHub conversion mechanism makes it seem for the users :(

[michaelklishin]

Our team must have a certain amount of information to work with in order to help you.

Getting all the details necessary to reproduce an issue, make a conclusion or even form a hypothesis about what's happening can take a fair amount of time. Our team is multiple orders of magnitude smaller than the RabbitMQ community. Please help others help you by providing a way to reproduce the behavior you're
observing and sharing as much relevant information as possible:

• Server, client library and plugin (if applicable) versions used
• Server logs
• A code example or terminal transcript that can be used to reproduce
• Full exception stack traces (not a single line message)
• rabbitmqctl status (and, if possible, rabbitmqctl environment output)
• Other relevant things about the environment and workload, e.g. OS/systemd logs, a traffic capture, deployment tool logs, etc

Feel free to edit out hostnames and other potentially sensitive information.

When/if we have a complete enough understanding of what's going on, a recommendation will be provided or a new issues with more context will be filed.

[michaelklishin]

Besides inspecting effective configuration,
are you certain you can/want to use these two

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

with your clients? If they don't provide a certificate, they won't be able to connect by definition. This TLS guide section explains what TLS peer verification is and what it means for both servers and clients.

[ruem2802]

With sefl signed certificate i must config: ssl_options.verify = verify_none ssl_options.fail_if_no_peer_cert = false is that true? Vào Th 5, 16 thg 9, 2021 vào lúc 17:26 Michael Klishin < ***@***.***> đã viết:

…

Besides inspecting effective configuration <https://www.rabbitmq.com/configure.html#verify-configuration-effective-configuration> , are you certain you can/want to use these two ssl_options.verify = verify_peerssl_options.fail_if_no_peer_cert = true with your clients? If they don't provide a certificate, they won't be able to connect by definition. This TLS guide section <https://www.rabbitmq.com/ssl.html#peer-verification> explains what TLS peer verification is and what it means for both servers and clients. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#3434 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APUY52Y3X6EW6LGG4TVADA3UCHA4ZANCNFSM5EENMDSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[ruem2802]

i fix my config file and this is my config now:

mqtt.listeners.ssl.default = 8883
mqtt.listeners.tcp.default = 1883

ssl_options.cacertfile = /etc/rabbitmq/testca/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/server/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/server/private_key.pem

ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false

In client i use: MQTTFx , and i add ca_certificate.pem, client_certificate.pem and client_key.pem
But it 's not working

My error:!!!!!

Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_181]
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:108) ~[org.eclipse.paho.client.mqttv3-1.2.0.jar:?]
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:701) ~[org.eclipse.paho.client.mqttv3-1.2.0.jar:?]
... 7 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_181]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_181]
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:108) ~[org.eclipse.paho.client.mqttv3-1.2.0.jar:?]
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:701) ~[org.eclipse.paho.client.mqttv3-1.2.0.jar:?]
... 7 more
2021-09-16 17:50:30,258 INFO --- ScriptsController : Clear console.
2021-09-16 17:50:30,259 ERROR --- BrokerConnectService : MqttException