我生成了一个 letsencrypt 证书,并尝试使用我的 rabbitmq 服务器配置该证书。我启用了 rabbitmq_management 和 rabbitmq_mqtt 插件,并使用相同的 ssl 证书配置。我的配置如下所示。我设法使用 https 从浏览器访问 rabbitmq 管理控制台。但是,每当我尝试使用 mqtt 客户端连接 rabbitmq 时,它都不会成功。我注意到如下所示的错误日志。我还尝试连接到端口 5671,如 “rabbitmq 的 tls/ssl 故障排除”。连接也抛出了异常。有人能告诉我可能出了什么问题吗?
配置 :
[
{rabbit,
[
{ssl_listeners, [5671]},
{tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
{ssl_options, [{cacertfile,"/ssl/s2.domain.co/chain.pem"},
{certfile,"/ssl/s2.domain.co/cert.pem"},
{keyfile,"/ssl/s2.domain.co/privkey.pem"},
{verify,verify_none},
{fail_if_no_peer_cert,false}]},
]
},
{kernel, []},
{rabbitmq_management,
[
{listener, [
{port, 15672},
{ip, "0.0.0.0"},
{ssl, true},
{ssl_opts, [{cacertfile, "/ssl/s2.domain.co/chain.pem"},
{certfile, "/ssl/s2.domain.co/cert.pem"},
{keyfile, "/ssl/s2.domain.co/privkey.pem"}]}
]
}
]
}
{rabbitmq_stomp, []},
{rabbitmq_mqtt, [{ssl_listeners,[8883]},{tcp_listeners,[1883]}]},
{rabbitmq_amqp1_0, []},
{rabbitmq_auth_backend_ldap, []}
].
mqtt连接错误日志:
=ERROR REPORT==== 12-Apr-2016::03:39:17 ===
SSL: certify: ssl_alert.erl:92:Fatal error: certificate unknown
运行连接端口 5671 的命令:
openssl s_client -connect localhost:5671
连接端口 5671 的异常:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=s2.domain.co
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgISAypMQeOTn5dLIvtJer33fdsZMA0GCSqGSIb3DQEBCwUA
...
UiCsw7U66T3TDVjQrduiZueUKtr//BYO0rWGpLdUBFjjGHK/
-----END CERTIFICATE-----
subject=/CN=s2.domain.co
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3871 bytes and written 477 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxx
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1460433641
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---