【Posted at】: 2022-01-14 15:50:25
【Problem description】:
I currently have one named "rabbitmq.
I use the nginx certificates generated by certbot (Let's Encrypt) for the RabbitMQ dashboard, and put them into the RabbitMQ configuration:
#listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/certs/fullchain.pem
ssl_options.certfile = /etc/rabbitmq/certs/cert.pem
ssl_options.keyfile = /etc/rabbitmq/certs/privkey.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
After restarting, rabbitmq works, and I can test my connection with openssl from my client machine:
openssl s_client -connect rabbitmq.<server>.com:5671 -cert cert.pem -key privkey.pem -CAfile fullchain.pem -verify 8 -verify_hostname rabbitmq.<server>.com
But openssl reports an error:
00864C1001000000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1588:SSL alert number 48
I tried changing verify_peer to verify_none and the SSL client works:
...
SSL handshake has read 4579 bytes and written 405 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
...
AMQP closed
But I don't like removing the security. And my Python pika client doesn't work either.
My first question is: am I doing this right? Do I need to fetch the server certificates (ca, cert, key), or do I need to generate another certificate for the client?
【Discussion】:
Tags: ssl openssl rabbitmq ssl-certificate lets-encrypt
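The server-side check that the rabbitmq.conf above turns on (verify_peer with fail_if_no_peer_cert) can be reproduced offline. The following is an added example, not code from the question or from RabbitMQ: it runs a TLS handshake between an in-memory server that trusts only the CAs in server_cafile and a client that presents client_cert, which tells you whether the "unknown ca" alert comes from the server rejecting the client certificate. The function and parameter names are assumptions; only Python's standard ssl module is used.

```python
import ssl

def mutual_tls_handshake(server_cert, server_key, server_cafile,
                         client_cert=None, client_key=None, client_cafile=None):
    """Run a TLS handshake entirely in memory; return (ok, error_text).

    The server side mirrors the question's rabbitmq.conf: it requires a client
    certificate (verify_peer + fail_if_no_peer_cert) and trusts only the CAs
    found in server_cafile. Function and parameter names are assumed.
    """
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_cert, server_key)
    srv.load_verify_locations(cafile=server_cafile)
    srv.verify_mode = ssl.CERT_REQUIRED  # reject handshakes without a trusted client cert

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False           # hostname matching is not what is diagnosed here
    cli.verify_mode = ssl.CERT_REQUIRED if client_cafile else ssl.CERT_NONE
    if client_cafile:
        cli.load_verify_locations(cafile=client_cafile)
    if client_cert:                      # omit to see what fail_if_no_peer_cert does
        cli.load_cert_chain(client_cert, client_key)

    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_side=False)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}
    sides = (("client", client, c_out, s_in), ("server", server, s_out, c_in))
    try:
        for _ in range(20):  # bounded: each pass moves one flight in each direction
            for name, obj, out_bio, peer_in in sides:
                if not done[name]:
                    try:
                        obj.do_handshake()
                        done[name] = True
                    except ssl.SSLWantReadError:
                        pass             # waiting for the peer's next flight
                peer_in.write(out_bio.read())
            if all(done.values()):
                return True, ""
    except ssl.SSLError as exc:
        return False, str(exc)           # e.g. CERTIFICATE_VERIFY_FAILED raised on the server side
    return False, "handshake did not complete"

if __name__ == "__main__":
    # Uses the file names from the question's rabbitmq.conf and openssl command.
    print(mutual_tls_handshake("cert.pem", "privkey.pem", "fullchain.pem",
                               "cert.pem", "privkey.pem", "fullchain.pem"))
```

Run it once with the client certificate you intend pika to use and once with no client certificate: the error text in the second result is what the server sends back when fail_if_no_peer_cert is true.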