有一项任务是使用证书授权配置某些 Web 服务的操作。
有:
二郎22.3.3
兔MQ 3.8.3
描述它们的安装是没有意义的。
接下来做了什么:
1. 根据文章 (https://www.rabbitmq.com/ssl.html ),我们执行以下操作:
git clone https://github.com/michaelklishin/tls-gen tls-gen
cd tls-gen / basic
CN = client PASSWORD = 123 make
make verify
make info
mv testca/ /etc/rabbitmq/
mv server/ /etc/rabbitmq/
mv client/ /etc/rabbitmq/
chown -R rabbitmq: /etc/rabbitmq/testca
chown -R rabbitmq: /etc/rabbitmq/server
chown -R rabbitmq: /etc/rabbitmq/client
[
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
{rabbit, [
{ssl_listeners, [5671]},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
{ssl_cert_login_from, 'client'},
{ssl_options, [{cacertfile, "/ etc / rabbitmq / testca / cacert.pem"},
{certfile, "/ etc / rabbitmq / server / cert.pem"},
{keyfile, "/ etc / rabbitmq / server / key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true}]}]}}
].
2020-05-18 17: 21: 57.166 +03: 00 [ERR] 无法连接到代理 10.10.11.16,端口 5671,vhost dmz
RabbitMQ.Client.Exceptions.BrokerUnreachableException:指定的端点均不可访问
---> RabbitMQ.Client.Exceptions.PossibleAuthenticationFailureException: 可能是认证失败引起的
---> RabbitMQ.Client.Exceptions.OperationInterruptedException:AMQP 操作被中断:AMQP 关闭原因,由 Library 发起,code = 0,text = 'End of stream',classId = 0,methodId = 0,cause = System .IO.EndOfStreamException:到达流的末尾。可能的身份验证失败。
在 RabbitMQ.Client.Impl.InboundFrame.ReadFrom (流阅读器)
在 RabbitMQ.Client.Impl.SocketFrameHandler.ReadFrame()
在 RabbitMQ.Client.Framing.Impl.Connection.MainLoopIteration()
在 RabbitMQ.Client.Framing.Impl.Connection.MainLoop ()
在 RabbitMQ.Client.Impl.SimpleBlockingRpcContinuation.GetReply(TimeSpan 超时)
在 RabbitMQ.Client.Impl.ModelBase.ConnectionStartOk (IDictionary`2 clientProperties, String 机制, Byte [] response, String locale)
在 RabbitMQ.Client.Framing.Impl.Connection.StartAndTune ()
--- 内部异常堆栈跟踪结束 ---
在 RabbitMQ.Client.Framing.Impl.Connection.StartAndTune ()
在 RabbitMQ.Client.Framing.Impl.Connection.Open ( bool 坚持)
在 RabbitMQ.Client.Framing.Impl.Connection..ctor (IConnectionFactory 工厂, bool 坚持,IFrameHandler frameHandler,字符串 clientProvidedName)
在 RabbitMQ.Client.Framing.Impl.ProtocolBase.CreateConnection(IConnectionFactory 工厂, bool 坚持,IFrameHandler frameHandler,字符串 clientProvidedName)
在 RabbitMQ.Client.ConnectionFactory.CreateConnection (IEndpointResolver endpointResolver, String clientProvidedName)
--- 内部异常堆栈跟踪结束 ---
在 RabbitMQ.Client.ConnectionFactory.CreateConnection (IEndpointResolver endpointResolver, String clientProvidedName)
在 RabbitMQ.Client.ConnectionFactory.CreateConnection(字符串 clientProvidedName)
在 EasyNetQ.ConnectionFactoryWrapper.CreateConnection()
在 EasyNetQ.PersistentConnection.TryToConnect ()
在 rabbitmq 日志中:
2020-05-18 17: 24: 59.880 [info] <0.3442.0> accepting AMQP connection <0.3442.0> (10/10/15/14/1561 -> 10/10/11/166767)
2020-05-18 17: 25: 02.887 [error] <0.3442.0> closing AMQP connection <0.3442.0> (10/10/15/14/1561 -> 10/10/11/1667671):
{handshake_error, starting, 0, {error, function_clause, 'connection.start_ok', [{rabbit_ssl, peer_cert_auth_name, [client, << 48,130,3,42,48,130,2,18,160,3,2,1,2,2 , 1,2,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,48,4,49,49,32,48,30,6,3,85,4,3 12,23,84,76,83,71,101,110,83,101,108,102,83,105,103,110,101,100,116,82,111,111,116,67,65,49,13,48,11,6,3,85,4,7,12,4,36,36,36 , 36.48,30,23,13,50,48,48,53,49,56,49,52,48,49,53,53,90,23,13,51,48,48,53,49 , 54,49,52,48,49,53,53,90,48,34,49,15,48,13,6,3,85,4,3,12,6,99,108,105,101,110,116,49,15,48 , 13,6,3,85,4,10,12,6,99,108,105,101,110,116,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,3,130 1,15,0,48,130,1,10,2,130,1,1,0,183,198,116,156,3,177,131,5,148,11,154,34,99,210,88,115,60,228,180,245,80,212,113,57,181,249,20,5,164,49,72,95,153,116,103,49 , 58,119,15,48,147,107,112,243,105,122,189,44,0,193,114,138,169,250,165,97,188,158,188,95,163,37,30,75,143,21,103,11,131,223,124,96,244,111,210,30,8,175,72,206,162,14,86,63,146,215,179,226,239,48,76,122,150,200,183,82,114,1 73,116,32,224,202,196,129,131,96,34,237,34,144,177,92,200,105,212,0,133,141,118,146,229,140,246,229,137,0,9,27,180,163,233,134,0,187,110,9,126,92,172,105,96,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,1,118,11,11,118,11,118,11,118,11,118,11,118,11,118,11,118,11,118,11,118,11,118,11,118,1,118,11,11,118,11,11,11,11,1,1,1,1,1,1,1,1,1,1,1,1,1,111,1'''1,11,11,1'''1,1''''N''O'', '' 92,181,68,172,135,15,90,152,209,242,31,138,135,34,95,29,162,226,175,253,176,14
更新
新的rabbitmq.config:
[
{rabbit,[
{auth_backends, [rabbit_auth_backend_internal]},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
{ssl_listeners,[5671]},
{ssl_options,[
{versions,['tlsv1.2', 'tlsv1.1']},
{cacertfile, "/etc/rabbitmq/testca/cacert.pem"},
{certfile, "/etc/rabbitmq/server/cert.pem"},
{keyfile, "/etc/rabbitmq/server/key.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,true}]}
]}
].
新错误:
2020-05-18 18:48:56.681 [info] <0.1410.0> Connection <0.1410.0> (10.10.15.14:52744 -> 10.10.11.16:5671) has a client-provided name: Viber.CallbackService.dll
2020-05-18 18:48:56.682 [error] <0.1410.0> Error on AMQP connection <0.1410.0> (10.10.15.14:52744 -> 10.10.11.16:5671, state: starting):
EXTERNAL login refused: user 'O=client,CN=client' - invalid credentials
最佳答案
您是否启用了 ssl 插件并重新启动了代理?
sudo rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
sudo systemctl restart rabbitmq-server
您也可以尝试在 rabbitmq.conf 中设置以下内容:ssl_cert_login_from = common_name
ssl_options.password = 123
并创建一个名为 client
的用户在代理中匹配您证书中的 CN 名称。
关于ssl - RabbitMQ TLS 身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61884733/