rabbitmq / tls-gen

Generates self-signed x509/TLS/SSL certificates useful for development

License: Mozilla Public License 2.0

Makefile 7.75% Python 89.25% Shell 3.00%
Topics: ssl, tls

tls-gen's People

Contributors: anderson-fachini, bitdeli-chef, chunyilyu, hjf, joseliber, lukebakken, m9810223, michaelklishin, skylan0916, slmagus, wevsty, zerpet

tls-gen's Issues

Not able to generate the trust chain of certificates with intermediate certificate

Hi,

I have to generate a trust chain of certificates with a root CA, an intermediate CA and leaf certificates.
With the two_shared_intermediates and separate_intermediates code, I am able to generate the root CA and the leaf certificate, but I am not able to find the intermediate certificate to form the trust chain of certificates.
root certificate (ok)
intermediate certificate (not available)
leaf certificate generated by intermediate certificate (ok)

Any help on this is really appreciated.

RSA encryption

Hi, how can I generate the certificate files with RSA encryption?

same issuer/serial as an existing cert

Steps to reproduce:

  1. Use tls-gen to generate a server certificate for server alpha on alpha.
  2. Use tls-gen to generate another server certificate for server beta on beta.
  3. You should now have two servers, alpha and beta, running with self-signed certs.
  4. Using something like FF, connect to your endpoint on alpha. Assuming a self-signed cert, install the CA exception.
  5. Connection to alpha is successful.
  6. Repeat steps 4 and 5. Attempting to connect to beta results in "the same issuer/serial as an existing cert".

Per RFC https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2:
Serial numbers for an issuer must be unique, and they are no more than 20 bytes (octets), thus in a range between one and n^(20*8).

Workaround:
Remove the exception for alpha and reinstall exception for beta.

Error message details:
An error occurred during a connection to beta. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

[root@9dfe45c9f207 result]# openssl x509 -text -noout -in server_alpha_certificate.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$

As we don't yet support multiple client certificate generations fully, I think the best current plan would be to randomize the serial number upon generation. Hopefully we avoid any collisions that way.

SAN support

Hello,
Is there a way to include a SAN IP address in the generated certificates?

Is there a way to generate certificates for multiple subdomains/domains

I am trying to generate a certificate using the make CN=127.0.0.1 command. It works fine with localhost.

However, I also need to have a certificate for my docker-compose network (which has several domains like one.node.com, two.node.com, etc.).

I am trying to make the certificate pairs valid on all of them; however, nothing seems to work for me. E.g. I was trying to do
make CN="one.node.com, two.node.com" and make CN="*.node.com"; however, in all cases it was not possible to use the certificates, as the hostname check failed in all cases :(.

Showing ERR_CERT_INVALID in browser with Angular 7 client connecting to RabbitMQ

Hi,

I generated a CA and used it to produce two certificate/key pairs using tls-gen. Then I tested the generated certificates using the openssl tools given at https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools.

I could see that the s_server and s_client connection is fine: Verify return code: 0 (ok)

I imported these 3 certificates to 'Personal' and 'Trusted Root Certification Authorities' sections.

Then I tried connecting to my TLS-enabled RabbitMQ server from an Angular client. I used https://github.com/stomp-js/ng2-stompjs-angular7 with wss://127.0.0.1:15673/ws.

ng serve --ssl true --ssl-cert D:\sprint43\tls-gen-master\result\client_certificate.pem --ssl-key D:\sprint43\tls-gen-master\result\client_key.pem

I am getting a certificate invalid error. When I open and check the certificate I can see "This certificate is ok".

In firefox I am getting a different error.

An error occurred during a connection to localhost:4200. Certificate type not approved for application. Error code: SEC_ERROR_INADEQUATE_CERT_TYPE

Environment:

  • Windows 10 Machine
  • RabbitMQ: 3.7.14
  • Erlang: 21.3
  • Angular 7

Regards
Basanth

Rename default branch to main?

We have done this (switch to a more modern and hopefully non-offensive branch name) in almost all smaller RabbitMQ-related projects. Should we branch main off of master, make it the default branch and continue there? I doubt anyone checks out master specifically but we can delay its removal by a few months (at the risk of some confusion).

This can be done after all PRs under active development are merged.

@lukebakken

Overriding CN not working

Describe the bug

While running the command below, I got the error below.

Context

make CN=rabbitmq-broker
make alias-leaf-artifacts

Error

Write out database with 1 new entries
Database updated
=> ['openssl', 'pkcs12', '-export', '-out', '/tmp/tls-gen/basic/client_rabbitmq-broker/keycert.p12', '-in', '/tmp/tls-gen/basic/client_rabbitmq-broker/cert.pem', '-inkey', '/tmp/tls-gen/basic/client_rabbitmq-broker/key.pem', '-certfile', '/tmp/tls-gen/basic/testca/cacert.pem', '-passout', 'pass:'] {}
Done! Find generated certificates and private keys under ./result!
python3 profile.py verify --common-name 'rabbitmq-broker'
Will verify generated certificates against the CA...
Will verify client_rabbitmq-broker certificate against root CA
/tmp/tls-gen/basic/result/client_rabbitmq-broker_certificate.pem: OK
Will verify server_rabbitmq-broker certificate against root CA
/tmp/tls-gen/basic/result/server_rabbitmq-broker_certificate.pem: OK
python3 profile.py alias-leaf-artifacts --common-name 'rabbitmq'
Will copy certificate and key for client_rabbitmq to /tmp/tls-gen/basic/result/client_*.pem
Will copy certificate and key for server_rabbitmq to /tmp/tls-gen/basic/result/server_*.pem
Traceback (most recent call last):
  File "/tmp/tls-gen/basic/profile.py", line 133, in <module>
    cli.run(commands)
  File "/tmp/tls-gen/tls_gen/cli.py", line 76, in run
    dispatch_command(commands, parser, args, options)
  File "/tmp/tls-gen/tls_gen/cli.py", line 46, in dispatch_command
    fn(options)
  File "/tmp/tls-gen/basic/profile.py", line 108, in alias_leaf_artifacts
    g.alias_file("client", client_name)
  File "/tmp/tls-gen/tls_gen/gen.py", line 71, in alias_file
    p.copy_tuple_path((p.result_dir_name, "{}_certificate.pem".format(peer)),
  File "/tmp/tls-gen/tls_gen/paths.py", line 27, in copy_tuple_path
    shutil.copy(relative_path(*from_tuple), relative_path(*to_tuple))
  File "/usr/local/lib/python3.11/shutil.py", line 419, in copy
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/local/lib/python3.11/shutil.py", line 256, in copyfile
    with open(src, 'rb') as fsrc:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tls-gen/basic/result/client_rabbitmq_certificate.pem'
make: *** [../common.mk:96: alias-leaf-artifacts] Error 1

Reproduction steps

  1. docker run -it python:3.11.5-alpine ash

  2. Execute this script or copy-paste each step :)

    #!/usr/bin/env sh
    
    apk upgrade && apk add \
        git \
        make \
        openssl
    
    git clone https://github.com/rabbitmq/tls-gen.git /tmp/tls-gen
    cd /tmp/tls-gen/basic
    
    make CN=rabbitmq-broker
    make alias-leaf-artifacts

Expected behavior

The certificate should be generated with the CN specified in the make command.

Additional context

No response

Generating Expired Certificates fails

Steps to reproduce:

  1. Clone the repository
  2. cd tls-gen/basic
  3. Run the command from the README: make PASSWORD=bunnies DAYS_OF_VALIDITY=-7

Result:

$ make PASSWORD=bunnies DAYS_OF_VALIDITY=-7
python3 profile.py regenerate --password "bunnies" \
--common-name laptop \
--client-alt-name laptop \
--server-alt-name laptop \
--days-of-validity -7 \
--key-bits 2048 
Removing /home/joseliber/tls-gen/basic/testca
Removing /home/joseliber/tls-gen/basic/result
Removing /home/joseliber/tls-gen/basic/server
Removing /home/joseliber/tls-gen/basic/client
Will generate a root CA and two certificate/key pairs (server and client)
=>	[openssl_req]
req: Non-positive number "-7" for -days
req: Use -help for summary.
=>	[openssl_x509]
Can't open /home/joseliber/tls-gen/basic/testca/cacert.pem for reading, No such file or directory
...snip...

Followed by a bunch of related errors.

Makefile:1: *** missing separator with MSYS2

Hi,

I am trying to generate certificates on Windows 10 using MSYS2.
I am getting this error:

ic002275@md1uu1ec MSYS /d/tls-gen-master/basic
#make PASSWORD=bunnies

Makefile:1: *** missing separator.  Stop.

How to solve this missing separator in Windows 10?

Regards
Basanth

Password option not working?

Hi @michaelklishin, I've found your application via the RabbitMQ TLS docs.

I'm using the basic profile to generate server/client certs with passwords. While testing the RMQ configuration, I purposefully left the key password option commented so I could find out the behavior/error messages from RMQ server when a user forgets to set that option correctly.
To my surprise, the server worked correctly and clients could connect via TLS without issues or error messages.

I searched the web for instructions on how to check passwords on openssl certificate keys, and found link1, link2.

I've tried the openssl tests and the certificate key was always displayed in stdout, even when supplying a wrong password.

Could you please provide some clarifications on whether I'm doing this wrong or maybe tls-gen is missing something to set passwords on the basic profile?

Regards,
José.

wrong certificates

Hello.
I'm using vagrant for my local development, where I use rabbitmq, and for that I try to create certificates using your product.
When I used ubuntu 16.04 as my vagrant box everything worked well: I could create certificates and they worked well (OpenSSL 1.0.2g 1 Mar 2016). After I moved my vagrant to ubuntu 18.04 (OpenSSL 1.1.0g 2 Nov 2017) I could create certificates in the same way, but they didn't work.
I tried using certificates created on my ubuntu 16.04 system with OpenSSL 1.0.2g 1 Mar 2016 on my ubuntu 18.04 and everything works well, but certificates created in the same way with OpenSSL 1.1.0g 2 Nov 2017 break it.
Why can that be?

Provide a profile that uses ECC

There aren't too many examples of how to do that on the Web at the moment, could be a good way to address a real pain point.

Error generating basic cert after recent CRL change/PR

With the latest changes in master there is now an issue creating openssl certs because of changes in the openssl.cnf file.

running: cd basic && make

errors:
Error Loading extension section client_extensions
...
Error Loading extension section server_extensions

I believe it is the two lines containing crlDistributionPoints = URI:CRL under the server_extensions and client_extensions sections.

This seems to have been introduced in #19

Generating certs with ECC doesn't work

Steps to reproduce:

cd basic
make USE_ECC=true

# in terminal 1
openssl s_server -cert ./server/cert.pem -key ./server/key.pem -CAfile ./testca/cacert.pem

# in terminal 2
openssl s_client -cert ./client/cert.pem -key ./client/key.pem -CAfile ./testca/cacert.pem

Error output:

# terminal 1 (s_server)
ACCEPT
ERROR
139822582923200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
shutting down SSL
CONNECTION CLOSED

# terminal 2 (s_client)
    Start Time: 1508449149
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

If you generate "regular" certs with make the above s_server and s_client commands work fine. I'll continue investigating.

$ openssl version
OpenSSL 1.1.0f  25 May 2017

Makefile missing separators

Hello, I am trying to use your product to generate the files referred to in the RabbitMQ TLS documentation. I cloned the repository and am now trying to run "make PASSWORD=bunnies"; however, I get the error "missing separator. Stop". It's a common error that gets thrown when using spaces instead of tabs, however I can't figure out why I get this error on your product, since I changed nothing in the Makefile. I even removed and re-cloned the repository, but I'm still getting the same error.

SEC_ERROR_REUSED_ISSUER_AND_SERIAL in Firefox with server certificate created using tls-gen

Hi,

I wanted to connect to RabbitMQ server from an Angular application running in my iPad.

I changed the RabbitMQ broker URL to wss://:15673/ws so that we are not referring to loop back ip.

But with this I am not able to connect to the RabbitMQ server. I am connecting from the same machine.

How can I connect to the RabbitMQ server by providing the server IP address/hostname?

I am getting an error in the client, SEC_ERROR_REUSED_ISSUER_AND_SERIAL, with Firefox (as attached).
When I checked the server certificate that I created using tls-gen I could see the serial number as '01'; it looks like it conflicts with some other certificate with the same serial number.
How can I generate a certificate with a unique serial number using tls-gen?

Thanks
Basanth
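Both SEC_ERROR_REUSED_ISSUER_AND_SERIAL reports on this page (the alpha/beta one above and this one) come down to the same thing: two certificates issued under the same issuer name, both with serial number 1, which RFC 5280 section 4.1.2.2 forbids and Firefox rejects. The following is an added example, not code from tls-gen: standard-library Python that scans a set of PEM certificates for duplicate (issuer, serial) pairs, checks a serial against the RFC's constraints (positive, at most 20 octets), and draws a random serial the way the maintainer's comment above proposes. The issuer name TLSGenSelfSignedtRootCA is taken from the openssl output posted above; the toy_cert builder, the function names and the certificate structures it produces are constructed for this example (truncated after the issuer field, with a dummy signature), so the file runs offline. The parser walks the Certificate -> tbsCertificate layout that real DER certificates share, so real PEM files from tls-gen's result/ directory can be passed to find_collisions unchanged.

```python
"""Check certificates for duplicate (issuer, serial) pairs and draw
RFC 5280-conformant serial numbers.
Added example, not part of tls-gen. Standard library only: a tiny DER
encoder builds constructed, truncated certificates so this runs offline.
"""
import base64
import secrets
from typing import Dict, List, Tuple

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: positive INTEGER, at most 20 octets

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload

def _int_payload(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def der_int(n: int) -> bytes:
    return der(0x02, _int_payload(n))

def serial_is_conformant(serial: int) -> bool:
    """RFC 5280: serialNumber is positive and encodes in at most 20 octets."""
    return serial > 0 and len(_int_payload(serial)) <= MAX_SERIAL_OCTETS

def new_serial() -> int:
    """Random 159-bit serial: positive and never more than 20 DER octets."""
    serial = 0
    while serial == 0:
        serial = secrets.randbits(8 * MAX_SERIAL_OCTETS - 1)
    return serial

def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, offset just past this element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def issuer_and_serial(cert_der: bytes) -> Tuple[bytes, int]:
    """Walk Certificate -> tbsCertificate and return (issuer Name DER, serial)."""
    _, cert_body, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    tag, value, off = read_tlv(tbs, 0)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        tag, value, off = read_tlv(tbs, off)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    _, _, off = read_tlv(tbs, off)              # signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, off)           # issuer Name: raw DER is the key
    return issuer, serial

def from_pem(pem: str) -> bytes:
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def find_collisions(pems: List[str]) -> Dict[Tuple[bytes, int], List[int]]:
    """Map each (issuer, serial) pair shared by several certs to their indices."""
    seen: Dict[Tuple[bytes, int], List[int]] = {}
    for i, pem in enumerate(pems):
        seen.setdefault(issuer_and_serial(from_pem(pem)), []).append(i)
    return {key: idx for key, idx in seen.items() if len(idx) > 1}

def toy_cert(issuer_cn: str, serial: int) -> bytes:
    """Constructed test input: real Certificate/tbsCertificate layout up to the
    issuer field, then truncated, with a dummy signature. Not a valid cert."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    cn_attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, issuer_cn.encode()))  # 2.5.4.3 CN
    issuer = der(0x30, der(0x31, cn_attr))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + issuer)
    return der(0x30, tbs + sig_alg + der(0x03, bytes(9)))

if __name__ == "__main__":
    ca = "TLSGenSelfSignedtRootCA"  # issuer CN seen in the openssl output above
    certs = [to_pem(toy_cert(ca, 1)), to_pem(toy_cert(ca, 1)), to_pem(toy_cert(ca, new_serial()))]
    for (issuer, serial), idx in find_collisions(certs).items():
        print(f"serial {serial} reused under the same issuer by certs {idx}")
```

The collision key is the raw DER of the issuer Name rather than a printable string, so two issuers that differ only in encoding are kept apart exactly as a browser's certificate store keeps them apart; the same serial under a different issuer is not a collision. new_serial draws 159 random bits, which is the largest size that is guaranteed to stay within the 20-octet limit while remaining positive.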

Gen additional Client Certs

I didn't see in the documentation how to generate another client cert after the CA and server cert were already created. Is this possible?

make clean CN=<common_name> ignores the specification of the common name in the command line

Describe the bug

Just a minor issue, however: When certificates are created with the CN=<common_name> variable to override the default common name, then

make clean CN=<common_name>

assumes the default common name instead of <common_name>. As a consequence, the directories client_<common_name> and server_<common_name> are not deleted.

I already figured out myself that the problem is in common.mk lines 56 and 57:

clean:
	$(PYTHON) profile.py clean

The clean target is missing the --common-name '$(CN)' option which is present in other targets. After I added the option like

clean:
	$(PYTHON) profile.py clean --common-name '$(CN)'

everything worked fine.

Reproduction steps

  1. git clone https://github.com/rabbitmq/tls-gen tls-gen
  2. cd tls-gen/basic
  3. make CN="foobar"
  4. make clean CN="foobar"

Expected behavior

The following directories are deleted:

client_foobar
server_foobar

Additional context

No response

make PASSWORD=bunnies error

Hi,

I've installed Python 3.6, latest Make and have openssl installed. I have navigated to the /basics/ folder and ran "make PASSWORD=bunnies" and it responds with:

"python3 profile.py regenerate --password bunnies --common-name DESKTOP-M5MGB2F -V 3650
process_begin: CreateProcess(NULL, python3 profile.py regenerate --password bunnies --common-name DESKTOP-M5MGB2F -V 365
0, ...) failed.
make (e=2): The system cannot find the file specified.
make: *** [regen] Error 2"

What am I doing wrong?

hostname is a prerequisite

The hostname command is also required to be installed. Not every system has this installed by default, i.e. many minimal Linux images do not.
