rabbitmq / tls-gen
Generates self-signed x509/TLS/SSL certificates useful for development
License: Mozilla Public License 2.0
Hi,
I wanted to connect to RabbitMQ server from an Angular application running in my iPad.
I changed the RabbitMQ broker URL to wss://:15673/ws so that we are not referring to loop back ip.
But with this I am not able to connect to RabbitMQ server. I am connecting from the same machine.
How can I connect to the RabbitMQ server by providing the server IP address/hostname?
I am getting an error in the client, SEC_ERROR_REUSED_ISSUER_AND_SERIAL, with Firefox (as attached).
When I checked the server certificate that I created using tls-gen I could see the serial number as '01'; it looks like it conflicts with some other certificate with the same serial number.
How can I generate a certificate with a unique serial number using tls-gen?
Thanks
Basanth
See pika/pika#1035 (comment) and this gist.
There aren't too many examples of how to do that on the Web at the moment; it could be a good way to address a real pain point.
Steps to reproduce:
cd basic
make USE_ECC=true
# in terminal 1
openssl s_server -cert ./server/cert.pem -key ./server/key.pem -CAfile ./testca/cacert.pem
# in terminal 2
openssl s_client -cert ./client/cert.pem -key ./client/key.pem -CAfile ./testca/cacert.pem
Error output (terminal 1, s_server):
ACCEPT
ERROR
139822582923200:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
shutting down SSL
CONNECTION CLOSED
Output (terminal 2, s_client):
Start Time: 1508449149
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
If you generate "regular" certs with make, the above s_server and s_client commands work fine. I'll continue investigating.
$ openssl version
OpenSSL 1.1.0f 25 May 2017
Hi,
I've installed Python 3.6, latest Make and have openssl installed. I have navigated to the /basics/ folder and ran "make PASSWORD=bunnies" and it responds with:
"python3 profile.py regenerate --password bunnies --common-name DESKTOP-M5MGB2F -V 3650
process_begin: CreateProcess(NULL, python3 profile.py regenerate --password bunnies --common-name DESKTOP-M5MGB2F -V 365
0, ...) failed.
make (e=2): The system cannot find the file specified.
make: *** [regen] Error 2"
What am I doing wrong?
I didn't see in the documentation how to generate another client cert after the CA and server cert were already created. Is this possible?
Hi,
I am getting this error when running on Windows: Makefile:1: *** missing separator. Stop.
Hi, how can I generate the certificate files with RSA encryption?
Hello,
Is there a way to include a SAN IP address in the generated certificates?
While running the command below I got the error below!
make CN=rabbitmq-broker
make alias-leaf-artifacts
Write out database with 1 new entries
Database updated
=> ['openssl', 'pkcs12', '-export', '-out', '/tmp/tls-gen/basic/client_rabbitmq-broker/keycert.p12', '-in', '/tmp/tls-gen/basic/client_rabbitmq-broker/cert.pem', '-inkey', '/tmp/tls-gen/basic/client_rabbitmq-broker/key.pem', '-certfile', '/tmp/tls-gen/basic/testca/cacert.pem', '-passout', 'pass:'] {}
Done! Find generated certificates and private keys under ./result!
python3 profile.py verify --common-name 'rabbitmq-broker'
Will verify generated certificates against the CA...
Will verify client_rabbitmq-broker certificate against root CA
/tmp/tls-gen/basic/result/client_rabbitmq-broker_certificate.pem: OK
Will verify server_rabbitmq-broker certificate against root CA
/tmp/tls-gen/basic/result/server_rabbitmq-broker_certificate.pem: OK
python3 profile.py alias-leaf-artifacts --common-name 'rabbitmq'
Will copy certificate and key for client_rabbitmq to /tmp/tls-gen/basic/result/client_*.pem
Will copy certificate and key for server_rabbitmq to /tmp/tls-gen/basic/result/server_*.pem
Traceback (most recent call last):
File "/tmp/tls-gen/basic/profile.py", line 133, in <module>
cli.run(commands)
File "/tmp/tls-gen/tls_gen/cli.py", line 76, in run
dispatch_command(commands, parser, args, options)
File "/tmp/tls-gen/tls_gen/cli.py", line 46, in dispatch_command
fn(options)
File "/tmp/tls-gen/basic/profile.py", line 108, in alias_leaf_artifacts
g.alias_file("client", client_name)
File "/tmp/tls-gen/tls_gen/gen.py", line 71, in alias_file
p.copy_tuple_path((p.result_dir_name, "{}_certificate.pem".format(peer)),
File "/tmp/tls-gen/tls_gen/paths.py", line 27, in copy_tuple_path
shutil.copy(relative_path(*from_tuple), relative_path(*to_tuple))
File "/usr/local/lib/python3.11/shutil.py", line 419, in copy
copyfile(src, dst, follow_symlinks=follow_symlinks)
File "/usr/local/lib/python3.11/shutil.py", line 256, in copyfile
with open(src, 'rb') as fsrc:
^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tls-gen/basic/result/client_rabbitmq_certificate.pem'
make: *** [../common.mk:96: alias-leaf-artifacts] Error 1
docker run -it python:3.11.5-alpine ash
Execute this script or copy-paste each step :)
#!/usr/bin/env sh
apk upgrade && apk add \
git \
make \
openssl
git clone https://github.com/rabbitmq/tls-gen.git /tmp/tls-gen
cd /tmp/tls-gen/basic
make CN=rabbitmq-broker
make alias-leaf-artifacts
Certificate should be generated with CN name specified in make command.
https://www.openssl.org/docs/manmaster/man1/openssl-crl.html
It might be nice to document or automate the creation of a CRL for testing that functionality.
Steps to reproduce:
cd tls-gen/basic
make PASSWORD=bunnies DAYS_OF_VALIDITY=-7
Result:
$ make PASSWORD=bunnies DAYS_OF_VALIDITY=-7
python3 profile.py regenerate --password "bunnies" \
--common-name laptop \
--client-alt-name laptop \
--server-alt-name laptop \
--days-of-validity -7 \
--key-bits 2048
Removing /home/joseliber/tls-gen/basic/testca
Removing /home/joseliber/tls-gen/basic/result
Removing /home/joseliber/tls-gen/basic/server
Removing /home/joseliber/tls-gen/basic/client
Will generate a root CA and two certificate/key pairs (server and client)
=> [openssl_req]
req: Non-positive number "-7" for -days
req: Use -help for summary.
=> [openssl_x509]
Can't open /home/joseliber/tls-gen/basic/testca/cacert.pem for reading, No such file or directory
...snip...
Followed by a bunch of related errors.
Steps to reproduce:
Per RFC https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2
Serial numbers under an issuer must be unique, and are no more than 20 bytes (octets), thus in the range between one and n^(20*8).
Workaround:
Remove the exception for alpha and reinstall exception for beta.
Error message details:
An error occurred during a connection to beta. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
[root@9dfe45c9f207 result]# openssl x509 -text -noout -in server_alpha_certificate.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
As we don't yet support multiple client certificate generations fully, I think the best current plan would be to randomize the serial number upon generation. Hopefully we avoid any collisions that way.
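As an added illustration of the serial-number rule discussed above (this is example code written for this page, not part of tls-gen): RFC 5280 requires a serial to be a positive integer, unique per issuer, and at most 20 octets in its DER encoding. Because DER integers are two's-complement, a positive 20-octet serial can carry at most 159 significant bits, which is what the helpers below enforce. The `issuer_serial_key` function and the issuer string in the demo are assumptions made here to show why a fixed serial of 1 under the same issuer produces the Firefox error reported on this page; the `-set_serial` hex form is the one `openssl req` and `openssl x509` accept.

```python
import secrets

# RFC 5280 section 4.1.2.2: a serial number MUST be a positive integer that is
# unique per issuer, and conforming CAs MUST NOT use serials longer than 20
# octets in their DER encoding.
MAX_SERIAL_OCTETS = 20


def der_integer_length(n: int) -> int:
    """Content octets DER needs for the INTEGER n (n > 0).

    DER integers are two's-complement, so a value whose top bit is set gets a
    leading 0x00 pad byte; the +1 accounts for that sign bit.
    """
    if n <= 0:
        raise ValueError("serial numbers must be positive")
    return n.bit_length() // 8 + 1


def is_valid_serial(n: int) -> bool:
    """True if n is positive and fits in 20 DER octets (at most 159 bits)."""
    return n > 0 and der_integer_length(n) <= MAX_SERIAL_OCTETS


def random_serial(octets: int = 16) -> int:
    """Unpredictable serial that DER-encodes in at most `octets` bytes.

    Drawing octets*8 - 1 bits keeps the sign bit clear; 16 octets gives 127
    bits of entropy, well above the 64 bits the CA/Browser Forum requires of
    public CAs.
    """
    if not 1 <= octets <= MAX_SERIAL_OCTETS:
        raise ValueError("octets must be between 1 and 20")
    while True:
        n = secrets.randbits(octets * 8 - 1)
        if n:  # zero is not a positive integer, so draw again
            return n


def serial_to_openssl_arg(n: int) -> str:
    """Render n for `openssl req`/`openssl x509 -set_serial` (0x-prefixed hex)."""
    width = 2 * ((n.bit_length() + 7) // 8)
    return f"0x{n:0{width}x}"


def issuer_serial_key(issuer: str, serial: int) -> tuple:
    """The (issuer, serial) pair a client certificate store uses as a cert's
    identity (assumed helper). Two different certs sharing this pair is what
    triggers Firefox's SEC_ERROR_REUSED_ISSUER_AND_SERIAL."""
    return (issuer, serial)


if __name__ == "__main__":
    # Constructed illustration: two regenerated certs with a fixed serial of 1
    # collapse to one identity, randomized serials do not.
    issuer = "CN = TLSGenSelfSignedtRootCA"  # issuer name as printed on this page
    fixed = {issuer_serial_key(issuer, 1), issuer_serial_key(issuer, 1)}
    randomized = {issuer_serial_key(issuer, random_serial()),
                  issuer_serial_key(issuer, random_serial())}
    print("distinct identities with fixed serial:", len(fixed))        # 1 -> collision
    print("distinct identities with random serial:", len(randomized))  # 2
    print("example -set_serial argument:", serial_to_openssl_arg(random_serial()))
```

A certificate generator only needs `random_serial()` and `serial_to_openssl_arg()`; `is_valid_serial()` is the check to run when auditing an existing CA's output.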
Hi,
I generated a CA and used it to produce two certificate/key pairs using tls-gen. Then I tested the generated certificates using the openssl tools given at https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools.
I could see the s_server and s_client connection is fine. Verify return code: 0 (ok)
I imported these 3 certificates into the 'Personal' and 'Trusted Root Certification Authorities' sections.
Then I tried connecting to my TLS-enabled RabbitMQ server from an Angular client. I used https://github.com/stomp-js/ng2-stompjs-angular7 with wss://127.0.0.1:15673/ws.
ng serve --ssl true --ssl-cert D:\sprint43\tls-gen-master\result\client_certificate.pem --ssl-key D:\sprint43\tls-gen-master\result\client_key.pem
I am getting a certificate invalid error. When I open and check the certificate I can see "This certificate is ok".
In Firefox I am getting a different error.
An error occurred during a connection to localhost:4200. Certificate type not approved for application. Error code: SEC_ERROR_INADEQUATE_CERT_TYPE
Environment:
Regards
Basanth
Hi @michaelklishin, I've found your application via the RabbitMQ TLS docs.
I'm using the basic profile to generate server/client certs with passwords. While testing the RMQ configuration, I purposefully left the key password option commented so I could find out the behavior/error messages from the RMQ server when a user forgets to set that option correctly.
To my surprise, the server worked correctly and clients could connect via TLS without issues or error messages.
I searched the web for instructions on how to check passwords on openssl certificate keys, and found link1, link2.
I've tried the openssl tests and the certificate key was always displayed in stdout, even when supplying a wrong password.
Could you please provide some clarifications on whether I'm doing this wrong or maybe tls-gen is missing something to set passwords on the basic profile?
Regards,
José.
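A check worth having when a key "accepts" any password, added here as an example and not taken from tls-gen: openssl only consults a passphrase when the key file is actually encrypted, so an unencrypted PEM key prints regardless of what `-passin` says. The inspector below classifies a PEM private key as PKCS#8 encrypted (`BEGIN ENCRYPTED PRIVATE KEY`), legacy OpenSSL encrypted (`Proc-Type: 4,ENCRYPTED` plus `DEK-Info` headers), or plaintext, before any password test is run. The three PEM samples are constructed and their bodies are not real keys; the function names are this example's own.

```python
import re

# Labels OpenSSL emits for private keys. Any other label is not a key block.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def inspect_pem_private_key(pem_text: str) -> dict:
    """Report whether a PEM private key is password-protected and in which format.

    Returns {"encrypted": bool, "format": "pkcs8" | "legacy", "cipher": str | None}.
    For PKCS#8 the cipher lives inside the DER (PBES2 parameters), so it is
    reported as None here; for legacy keys it comes from the DEK-Info header.
    """
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label not in PRIVATE_KEY_LABELS:
        raise ValueError(f"not a private key block: {label}")

    if label == "ENCRYPTED PRIVATE KEY":
        return {"encrypted": True, "format": "pkcs8", "cipher": None}

    # Legacy PEM headers ("Key: value") precede the base64 body; base64 never
    # contains ':', so the first line without one ends the header section.
    headers = {}
    for line in body.splitlines():
        if ":" not in line:
            break
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()

    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        return {"encrypted": True, "format": "legacy", "cipher": cipher}

    fmt = "pkcs8" if label == "PRIVATE KEY" else "legacy"
    return {"encrypted": False, "format": fmt, "cipher": None}


def needs_password(pem_text: str) -> bool:
    """True only if a wrong password would actually make `openssl pkey` fail."""
    return inspect_pem_private_key(pem_text)["encrypted"]


# Constructed samples (bodies are placeholder base64, not real key material).
PLAINTEXT_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA
-----END PRIVATE KEY-----
"""
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

c2FtcGxlIGNpcGhlcnRleHQgKGNvbnN0cnVjdGVkKQ==
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in [("plaintext", PLAINTEXT_PKCS8),
                      ("legacy", LEGACY_ENCRYPTED),
                      ("pkcs8", PKCS8_ENCRYPTED)]:
        print(name, inspect_pem_private_key(pem))
```

Once a key is reported as encrypted, `openssl pkey -in key.pem -passin pass:WRONG -noout` exits non-zero on a wrong password; on a plaintext key that same command succeeds silently, which is the behaviour to look for when a broker starts happily without its password setting.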
I would like to know how to generate a certificate that accepts the hostname 127.0.0.1. When connecting through this IP with the basic type certificates I get the error
hostname/ip does not match certificate's altnames 127.0.01
We have done this (switch to a more modern and hopefully non-offensive branch name) in almost all smaller RabbitMQ-related projects. Should we branch main off of master, make it the default branch and continue there? I doubt anyone checks out master specifically but we can delay its removal by a few months (at the risk of some confusion).
This can be done after all PRs under active development are merged.
Hi,
I have to generate a trust chain of certificates with root CA, intermediate CA and leaf certificates.
With the two_shared_intermediates and separate_intermediates code, I am able to generate the root CA and leaf certificate, but I am not able to find the intermediate certificate to form the trust chain.
root certificate (ok)
intermediate certificate (not available)
leaf certificate generated by intermediate certificate (ok)
Any help on this is really appreciated.
Hello, I am trying to use your product to generate the files referred to in the RabbitMQ TLS documentation. I cloned the repository and am now trying to run "make PASSWORD=bunnies", however I get the error "missing separator. Stop". It's a common error that gets thrown when using spaces instead of tabs, however I can't figure out why I get this error on your product, since I changed nothing in the makefile. I even removed and recloned the repository, but I'm still getting the same error.
See #28. We should just use the include directive.
Just a minor issue, however: when certificates are created with the CN=<common_name> variable to override the default common name, then make clean CN=<common_name> assumes the default common name instead of <common_name>. As a consequence, the directories client_<common_name> and server_<common_name> are not deleted.
I already figured out myself that the problem is in common.mk lines 56 and 57:
clean:
	$(PYTHON) profile.py clean
The clean target is missing the --common-name '$(CN)' option which is present in other targets. After I added the option like
clean:
	$(PYTHON) profile.py clean --common-name '$(CN)'
everything worked fine.
git clone https://github.com/rabbitmq/tls-gen tls-gen
cd tls-gen/basic
make CN="foobar"
make clean CN="foobar"
The following directories are deleted:
client_foobar
server_foobar
The hostname command is also required to be installed. Not every system has this installed by default, e.g. many minimal Linux images do not.
With the latest changes in master there is now an issue creating openssl certs because of changes in the openssl.cnf file.
running: cd basic && make
errors:
Error Loading extension section client_extensions
...
Error Loading extension section server_extensions
I believe it is the 2 lines containing @crlDistributionPoints = URI:CRL@ under the server_extensions and client_extensions sections.
This seems to have been introduced in #19.
Discussions like this one make me wonder if, together with PKCS#12 versions of both certificates, we should produce a pre-populated trust store to be quickly hooked into JVM-based tools such as Spring Boot.
Since this requires keytool and a JDK to be available, perhaps this can be done using a separate Make target?
I am trying to generate a certificate using the make CN=127.0.0.1 command. It works fine with localhost.
However, I also need to have a certificate in my docker-compose network (which has several domains like one.node.com, two.node.com, etc).
I am trying to make the certificate pairs valid on all of them, however, nothing seems to work for me. E.g. I was trying to do make CN="one.node.com, two.node.com" and make CN="*.node.com", however in all cases it was not possible to use the certificates, as the hostname check failed in all cases :(.
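The two reports above (the 127.0.0.1 altname mismatch, and the attempts to cover several docker-compose hostnames through CN) both come down to how a TLS client matches the name it connected to against the certificate's Subject Alternative Names. The matcher below is an added example written for this page, not tls-gen's or Node's code; it follows the RFC 6125 rules that browsers and Node's `tls.checkServerIdentity` apply: an IP literal only matches an IP-type SAN (never a DNS entry that merely contains the digits), a DNS name only matches DNS-type SANs, the CN is not consulted at all, a wildcard must be the whole leftmost label and matches exactly one label, and a single SAN string "one.node.com, two.node.com" is one (useless) name rather than two. The SAN lists are constructed; the rule that a wildcard needs at least two labels after it is a policy choice made here. With `openssl req`, such names are expressed as `-addext "subjectAltName=IP:127.0.0.1,DNS:one.node.com,DNS:two.node.com"` (OpenSSL 1.1.1+).

```python
import ipaddress
from typing import Optional


def parse_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    """Return an IPv4/IPv6 address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def matches_dns_san(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name comparison.

    Case-insensitive, trailing dots ignored; '*' is allowed only as the entire
    leftmost label, matches exactly one label, and (policy choice here) must be
    followed by at least two labels so '*.com' never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_matches_cert(host: str, sans: list) -> bool:
    """Decide whether `host` (as typed in the URL) is covered by `sans`.

    `sans` is a list of (kind, value) tuples with kind "DNS" or "IP", i.e. the
    subjectAltName entries of the certificate. CN is deliberately ignored,
    as modern clients do.
    """
    ip = parse_ip(host)
    for kind, value in sans:
        if ip is not None and kind == "IP":
            if parse_ip(value) == ip:      # address equality, so ::1 == 0:0:0:0:0:0:0:1
                return True
        elif ip is None and kind == "DNS":
            if matches_dns_san(value, host):
                return True
    return False


def explain(host: str, sans: list) -> str:
    """One-line diagnostic in the spirit of the 'does not match altnames' error."""
    if host_matches_cert(host, sans):
        return f"{host}: OK"
    listed = ", ".join(f"{k}:{v}" for k, v in sans) or "(none)"
    return f"{host}: hostname/ip does not match certificate's altnames [{listed}]"


if __name__ == "__main__":
    # Constructed SAN lists illustrating the cases from this page.
    laptop_cert = [("DNS", "laptop"), ("IP", "127.0.0.1")]
    digits_as_dns = [("DNS", "127.0.0.1")]            # CN/DNS text, not an IP SAN
    wildcard_cert = [("DNS", "*.node.com")]
    comma_cert = [("DNS", "one.node.com, two.node.com")]  # one bogus name
    two_names = [("DNS", "one.node.com"), ("DNS", "two.node.com")]
    for host, sans in [("127.0.0.1", laptop_cert), ("127.0.0.1", digits_as_dns),
                       ("one.node.com", wildcard_cert), ("a.one.node.com", wildcard_cert),
                       ("one.node.com", comma_cert), ("two.node.com", two_names)]:
        print(explain(host, sans))
```

The practical reading for the reports above: connecting to 127.0.0.1 needs an `IP:127.0.0.1` SAN, and several compose hostnames need either one DNS SAN per name or a `*.node.com` wildcard (which covers `one.node.com` but not `a.one.node.com`).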
Hi,
I am trying to generate certificates in Windows 10 using MSYS2.
I am getting an error:
ic002275@md1uu1ec MSYS /d/tls-gen-master/basic
#make PASSWORD=bunnies
Makefile:1: *** missing separator. Stop.
How to solve this missing separator in Windows 10?
Regards
Basanth
Hello.
I'm using vagrant for my local development, where I use rabbitmq, and for that I try to create certificates using your product.
When I used ubuntu 16.04 as my vagrant box everything worked well: I could create certificates and they worked fine (OpenSSL 1.0.2g 1 Mar 2016). After I moved my vagrant box to ubuntu 18.04 (OpenSSL 1.1.0g 2 Nov 2017) I could create certificates in the same way but they didn't work.
I tried using certificates created in my ubuntu 16.04 system with OpenSSL 1.0.2g 1 Mar 2016 in my ubuntu 18.04 box and everything works well, but certificates created in the same way with OpenSSL 1.1.0g 2 Nov 2017 break it.
Why can that be?