Hi,
When starting the sensu-client on an AIX 7.1 server, the RabbitMQ connection fails with the following error:
/opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `initialize': SSL_CTX_use_PrivateKey: key values mismatch (OpenSSL::SSL::SSLError)
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `new'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/pure_ruby.rb:330:in `start_tls'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:459:in `start_tls'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:1180:in `upgrade_to_tls_if_necessary'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:583:in `post_init'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:58:in `block in new'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:49:in `instance_eval'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/em/connection.rb:49:in `new'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/eventmachine.rb:683:in `bind_connect'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/eventmachine-1.2.5/lib/eventmachine.rb:653:in `connect'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp/session.rb:457:in `connect'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/amqp-1.6.0/lib/amqp.rb:242:in `connect'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:214:in `setup_connection'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:254:in `block in connect_with_eligible_options'
from /opt/sensu/embedded/lib/ruby/gems/2.4.0/gems/sensu-transport-7.0.2/lib/sensu/transport/rabbitmq.rb:197:in `block in next_connection_options'
…
I know that the server itself is fine, as I have other clients (RHEL7) that are communicating, using exactly the same configuration.
I have RabbitMQ set to not verify certificates, and not error if no client certificate is supplied. I am simply providing the Sensu client with the certificate chain, as follows:
{
  "rabbitmq": {
    "host": "sensu.test",
    "port": 5671,
    "user": "sensu",
    "password": "MYPASSWORD",
    "vhost": "/sensu",
    "ssl": {
      "cert_chain_file": "/etc/sensu/ssl/cert.pem"
    }
  }
}
My RabbitMQ config is as follows:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/ca_cert.pem"},
                   {certfile,"/etc/rabbitmq/ssl/cert.pem"},
                   {keyfile,"/etc/rabbitmq/ssl/key.pem"}]}
  ]}
]
If I try using the embedded openssl (or even the default one in AIX), it all seems to connect just fine:
pwd
/opt/sensu/embedded/bin
./openssl s_client -connect sensu.test:5671 -CAfile /etc/sensu/ssl/cert.pem
CONNECTED(00000003)
depth=2 CN = SERVERCN
verify return:1
depth=1 DC = uk, DC = co, CN = SERVERCN
verify return:1
depth=0 C = GB, O = Z, OU = MYCOMPANY, CN = sensu.test
verify return:1
···
Certificate chain
0 s:/C=GB/ST=X/L=Y/O=Z/OU=W/CN=sensu.test
i:/DC=uk/DC=co/DC=W/DC=ad/CN=SERVERCN
1 s:/DC=uk/DC=co/DC=W/DC=ad/CN=SERVERCN
i:/CN=SERVERCN
2 s:/CN=SERVERCN
i:/CN=SERVERCN
Server certificate
…
…
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 5474 bytes and written 488 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 465A9504AADB060E2B7A313E3B82ED1CF7CC259D34F830450D81A2392B6AFAF1
Session-ID-ctx:
Master-Key: 41472708C009556CD81DE4437F6A8E4C3A620823DD4017A2A6659DC28BE318CB1DDC57D6DD90E5D292C1F47D10F10764
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1522149512
Timeout : 300 (sec)
Verify return code: 0 (ok)
(I’ve changed some of the output to anonymise it)
Short of switching off TLS for RabbitMQ, is there anything else I can try out to see what’s going wrong here? It must be an AIX specific thing, because the other servers have no issue communicating (they’re built exactly the same using Ansible).
Thanks
Adam
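The trace above goes through eventmachine's pure_ruby.rb, EventMachine's pure-Ruby fallback backend, which builds an OpenSSL::SSL::SSLContext in Ruby before the handshake starts; "SSL_CTX_use_PrivateKey: key values mismatch" is the error OpenSSL raises at that point when the certificate and private key handed to a context do not belong to each other. The script below is an added example, not code from the post or from Sensu or EventMachine, that reproduces that check offline so the files a client is given can be tested without touching RabbitMQ. It constructs its own self-signed certificate and key in memory as stand-ins for cert_chain_file and a key file (the file names and CNs here are assumptions); pointed at real PEM strings read from disk it answers the same question the failing start_tls asks.

```ruby
require 'openssl'

# Constructed fixture: a self-signed certificate plus its private key, both as PEM.
# Stand-ins for a cert_chain_file and key file; not the poster's real files.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Split a PEM bundle (the layout of a cert_chain_file) into certificates, leaf first.
def parse_chain(chain_pem)
  chain_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
           .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Cheap offline check: does this private key belong to the leaf certificate?
# This is the same comparison OpenSSL runs inside SSL_CTX_use_PrivateKey.
def key_matches_leaf?(chain_pem, key_pem)
  leaf = parse_chain(chain_pem).first
  raise ArgumentError, 'no certificate found in chain file' if leaf.nil?
  leaf.check_private_key(OpenSSL::PKey.read(key_pem))
end

# Reproduce the failing path from the trace: load cert and key into an
# SSLContext the way a pure-Ruby start_tls does, then force setup so
# SSL_CTX_use_PrivateKey actually runs. Returns true when OpenSSL accepts the
# pair, otherwise the message OpenSSL raises (e.g. "key values mismatch").
def context_accepts?(chain_pem, key_pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = parse_chain(chain_pem).first
  ctx.key = OpenSSL::PKey.read(key_pem)
  ctx.setup
  true
rescue OpenSSL::OpenSSLError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = make_self_signed('sensu.test')
  _, other_key_pem = make_self_signed('other.test')   # a key from a different pair
  puts "chain length:     #{parse_chain(cert_pem).size}"
  puts "matching pair:    #{context_accepts?(cert_pem, key_pem).inspect}"
  puts "mismatched pair:  #{context_accepts?(cert_pem, other_key_pem).inspect}"
end
```

Run against real files with `key_matches_leaf?(File.read(chain_path), File.read(key_path))`: a `false` from the AIX host but `true` from a RHEL host handed "the same" files is the quickest way to tell a file-content difference (wrong leaf first in the bundle, a stale key) from a platform-specific library difference.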