Connection reset by peer (rabbitmq)

[Opperessor]

Python / Pika code

import pika, sys, os,ssl

def main():

    context =ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations("/home/dev/Desktop/files_from_ssh/ca_certificate.pem")

    credentials = pika.PlainCredentials(username='xxx', password='xxxx')
    conn_params = pika.ConnectionParameters(host="***",port=5672,heartbeat=60,ssl_options=pika.SSLOptions(context),
                                            virtual_host="test_environment",credentials=credentials)
    connection = pika.BlockingConnection(conn_params)
    channel = connection.channel()
    channel.queue_declare(queue='ssl_test')

    def callback(ch, method, properties, body):
        print(" [x] Received %r" % body)

    channel.basic_consume(queue='ssl_test', on_message_callback=callback, auto_ack=True)
    print(' [*] Waiting for messages. To exit press CTRL+C')

    channel.start_consuming()


if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print("Interrupted")
        try:
            sys.exit(0)
        except SystemExit:
            pass

on the server side tls is enabled

Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
Interface: [::], port: 15672, protocol: http, purpose: HTTP API

rabbitmq.conf:

listeners.ssl.default               = 5672
ssl_options.cacertfile              = /home/dev/testca/ca_certificate.pem
ssl_options.certfile                = /home/dev/server/server_certificate.pem
ssl_options.keyfile                 = /home/dev/server/private_key.pem
ssl_options.verify                  = verify_peer
ssl_options.fail_if_no_peer_cert    = true
listeners.tcp = none

refered from this site:https://pika.readthedocs.io/en/stable/examples/tls_server_authentication.html unable to connect to the server would someone help me out kinda new to rabbitmq this is the error im getting

ConnectionResetError: [Errno 104] Connection reset by peer

[lukebakken]

@Opperessor it is very strange to configure the default AMQP port 5672 to use TLS. Just FYI.

You have RabbitMQ configured to request a client certificate:

ssl_options.verify = verify_peer

...yet your Python code does not provide one. It looks like I need to update the Pika documentation.

You should use code like this:

import pika
import ssl

context = ssl.create_default_context()
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile="/path/to/ca_certificate.pem")
context.load_cert_chain(
    certfile="/path/to/client_certificate.pem",
    keyfile="/path/to/cclient_key.pem",
)

credentials = pika.PlainCredentials("guest", "guest")

parameters = pika.ConnectionParameters(
    host="localhost",
    port=5672,
    credentials=credentials,
    ssl_options=pika.SSLOptions(context),
)

connection = pika.BlockingConnection(parameters)

Please see this pull request to update the documentation: pika/pika#1412

[lukebakken]

https://groups.google.com/g/rabbitmq-users/c/mr6-zlC9aqQ

[lihuagang03]

@Opperessor we encountered similar issues, the log is An unexpected connection driver error occured (Exception message: Connection reset).

[AMQP Connection *:*] WARN com.rabbitmq.client.impl.ForgivingExceptionHandler - An unexpected connection driver error occured (Exception message: Connection reset)

it similar with this issue rabbitmq/rabbitmq-java-client#620

the root cause is the rabbitmq server requires SSL authorization, but the client config spring.rabbitmq.ssl.enabled=true not in effect.
this config is from config center server, not in properties.yml file.

we use RabbitAutoConfiguration, RabbitProperties.Ssl in spring-boot-autoconfigure-2.7.4.jar, the init critical code is the following:
org.springframework.boot.autoconfigure.amqp.RabbitConnectionFactoryBeanConfigurer#configure

	public void configure(RabbitConnectionFactoryBean factory) {
		// ...
		RabbitProperties.Ssl ssl = this.rabbitProperties.getSsl();
		if (ssl.determineEnabled()) {
			factory.setUseSSL(true);
			map.from(ssl::getAlgorithm).whenNonNull().to(factory::setSslAlgorithm);
			map.from(ssl::getKeyStoreType).to(factory::setKeyStoreType);
			map.from(ssl::getKeyStore).to(factory::setKeyStore);
			map.from(ssl::getKeyStorePassword).to(factory::setKeyStorePassphrase);
			map.from(ssl::getKeyStoreAlgorithm).whenNonNull().to(factory::setKeyStoreAlgorithm);
			map.from(ssl::getTrustStoreType).to(factory::setTrustStoreType);
			map.from(ssl::getTrustStore).to(factory::setTrustStore);
			map.from(ssl::getTrustStorePassword).to(factory::setTrustStorePassphrase);
			map.from(ssl::getTrustStoreAlgorithm).whenNonNull().to(factory::setTrustStoreAlgorithm);
			map.from(ssl::isValidateServerCertificate)
					.to((validate) -> factory.setSkipServerCertificateValidation(!validate));
			map.from(ssl::getVerifyHostname).to(factory::setEnableHostnameVerification);
		}
		// ...
	}

[michaelklishin]

For those landing here from Google: note that server logs would provide fairly relevant messages. So would narrowing the problem down as described in the Troubleshooting TLS guide.

[lihuagang03]

thx, brother!