AIX client - SSL_CTX_use_PrivateKey: key values mismatch (OpenSSL::SSL::SSLError)

Hi,
When starting the sensu-client on an AIX 7.1 server, the RabbitMQ connection fails with the following error:

/opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `initialize': SSL_CTX_use_PrivateKey: key values mismatch (OpenSSL::SSL::SSLError)
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `new'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `start_tls'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:459:in `start_tls'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:1180:in `upgrade_to_tls_if_necessary'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:583:in `post_init'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:58:in `block in new'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:49:in `instance_eval'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:49:in `new'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/eventmachine.rb:683:in `bind_connect'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/eventmachine.rb:653:in `connect'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:457:in `connect'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp.rb:242:in `connect'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:214:in `setup_connection'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:254:in `block in connect_with_eligible_options'
    from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:197:in `block in next_connection_options'

I know that the server itself is fine, as I have other clients (RHEL7) that are communicating, using exactly the same configuration.

I have RabbitMQ set to not verify certificates, and not error if no client certificate is supplied. I am simply providing the Sensu client with the certificate chain, as follows:

{
  "rabbitmq": {
    "host": "sensu.test",
    "port": 5671,
    "user": "sensu",
    "password": "MYPASSWORD",
    "vhost": "/sensu",
    "ssl": {
      "cert_chain_file": "/etc/sensu/ssl/cert.pem"
    }
  }
}

My RabbitMQ config is as follows:

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/ca_cert.pem"},
                   {certfile,"/etc/rabbitmq/ssl/cert.pem"},
                   {keyfile,"/etc/rabbitmq/ssl/key.pem"}]}
  ]}
]

If I try using the embedded openssl (or even the default one in AIX), it all seems to connect just fine:

    pwd
    /opt/sensu/embedded/bin
    ./openssl s_client -connect sensu.test:5671 -CAfile /etc/sensu/ssl/cert.pem

    CONNECTED(00000003)
    depth=2 CN = SERVERCN
    verify return:1
    depth=1 DC = uk, DC = co, CN = SERVERCN
    verify return:1
    depth=0 C = GB, O = Z, OU = MYCOMPANY, CN = sensu.test
    verify return:1
    ...
    Certificate chain
     0 s:/C=GB/ST=X/L=Y/O=Z/OU=W/CN=sensu.test
       i:/DC=uk/DC=co/DC=W/DC=ad/CN=SERVERCN
     1 s:/DC=uk/DC=co/DC=W/DC=ad/CN=SERVERCN
       i:/CN=SERVERCN
     2 s:/CN=SERVERCN
       i:/CN=SERVERCN
    ---
    Server certificate
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 5474 bytes and written 488 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: 465A9504AADB060E2B7A313E3B82ED1CF7CC259D34F830450D81A2392B6AFAF1
        Session-ID-ctx:
        Master-Key: 41472708C009556CD81DE4437F6A8E4C3A620823DD4017A2A6659DC28BE318CB1DDC57D6DD90E5D292C1F47D10F10764
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1522149512
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

(I’ve changed some of the output to anonymise it)

Short of switching off TLS for RabbitMQ, is there anything else I can try out to see what’s going wrong here? It must be an AIX specific thing, because the other servers have no issue communicating (they’re built exactly the same using Ansible).

Thanks

Adam
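The "key values mismatch" error in the trace above, as an added example that is not part of the original post and not Sensu's or EventMachine's own code: it reproduces OpenSSL's certificate/private-key consistency check through Ruby's OpenSSL bindings with a throwaway self-signed pair generated at run time (the names are constructed), and adds a small triage helper that classifies the material a client is about to present. Anything beyond the stock OpenSSL::SSL and OpenSSL::X509 API is my own naming.

```ruby
require "openssl"
# Constructed, throwaway self-signed certificate and key pair, generated at
# run time; stands in for the files under /etc/sensu/ssl in the post.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# The check OpenSSL runs when a private key is loaded into a context that
# already holds a certificate; failing it is what "key values mismatch" means.
def key_matches_cert?(cert, key)
  cert.check_private_key(key)
end

# Reproduce the failure from the post with a certificate and a key taken from
# two different pairs. SSLContext#setup builds the context the same way
# SSLSocket#initialize does, which is why the trace ends there.
# Returns the error message, or nil when the pair is accepted.
def tls_context_error(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.setup
  nil
rescue OpenSSL::SSL::SSLError => e
  e.message
end

# Triage helper (my own, not Sensu's): a certificate whose private key the
# client does not hold (for example a CA chain) cannot be presented as a
# client identity; it belongs in the trust store used to verify the server.
def classify_client_material(cert, key)
  return :no_key if key.nil?
  key_matches_cert?(cert, key) ? :usable_client_identity : :key_mismatch
end

if __FILE__ == $0
  cert, key = make_self_signed("sensu-client.example")
  _other, other_key = make_self_signed("unrelated.example")
  puts classify_client_material(cert, other_key), tls_context_error(cert, other_key)
end
```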