Cannot authenticate with x509 without username and password

[Aleksandar1932]

Describe the bug

I've successfully configured RabbitMQ with for TLS following the official docs.

My config looks like:

listeners.ssl.default = 5671

log.file.formatter = json
log.console.formatter = json

ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_cert_login_from = common_name

mqtt.ssl_cert_login = true
mqtt.listeners.ssl.default = 8883
mqtt.allow_anonymous = true

auth_mechanisms.1 = EXTERNAL

When I want to authenticate with an MQTT client it's not possible without specifying a valid username and password. As per https://www.rabbitmq.com/mqtt.html it is stated Clients must not supply username and password.

Is this behaviour expected?

Reproduction steps

1. Try to login with client cert and ca
2. bad username and password

Expected behavior

login without username/password, just with x509 certificate

Additional context

No response

[michaelklishin]

When x.509 certificates are used, the username is extracted from one of the certificate fields and the password field is ignored.

The MQTT guide likely means that those credentials will not be used as if it were the standard authN mechanism.

[michaelklishin]

What you claim to be doing is perfectly possible and hasn't changed in years.

Perhaps you haven't restarted all nodes after updating rabbitmq.conf. Or your certificates do not have the appropriate x.509 extensions. See what tls-gen generates, for example, we have been using it across all of our test suites for over a decade.

See How to Inspect and Verify Effective Configuration of a Running Node and Troubleshooting TLS.

We cannot suggest much more with the amount of information provided. At the very least, please provide the effective configuration and logs. We do not guess in this community.

[michaelklishin]

Also, I'm pretty sure combining mqtt.allow_anonymous = true and x.509-certificate based authentication will not work.

mqtt.allow_anonymous instructs the plugin to use its default credentials. Avoid anonymous "authentication" in MQTT at all costs either way.

[michaelklishin]

Oh, and the most obvious thing to verify is what your client certificate's Subject Alternative Name and the CN values are, and that there there is a user with that username in RabbitMQ's internal database, since that's the authN backend (not to be confused with mechanisms) used by your node (according to the provided configuration file).

[lukebakken]

@Aleksandar1932 You're in luck, I have a complete example here:

https://github.com/lukebakken/mqtt-client-cert-example

See the README and setup.sh files for how to configure everything correctly. Let me know if you have questions.

[rukechen]

I got one familiar case. I just used RabbitMQ and didn't enable mqtt plugin.
The following is my configuration.
`management.listener.port = 15672
management.listener.ssl = true
auth_backends.1 = cache

auth_cache.cached_backend = http
auth_cache.cache_ttl = 3600000

auth_http.http_method = get
auth_http.user_path = http://localhost:3001/auth/user
auth_http.vhost_path = http://localhost:3001/auth/vhost
auth_http.resource_path = http://localhost:3001/auth/resource
auth_http.topic_path = http://localhost:3001/auth/topic
auth_backends.2 = internal
auth_mechanisms.1 = EXTERNAL
auth_mechanisms.2 = PLAIN
auth_mechanisms.3 = AMQPLAIN
ssl_cert_login_from = common_name
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

management.listener.ssl_opts.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
management.listener.ssl_opts.certfile = /etc/rabbitmq/ssl/server_certificate.pem
management.listener.ssl_opts.keyfile = /etc/rabbitmq/ssl/server_key.pem
management.listener.ssl_opts.verify = verify_peer
`
According to this page, https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools
I think I should see

but actually I only get this

Does RabbitMQ without mqtt plugin support x509 authentication? or is there detail standard operation process ?

Thanks

[rukechen]

Hi @michaelklishin ,
Do you mean rabbitmqctl add_user CN=myclient with password or call curl -vvv --cert /certs/client/cert.pem --key /certs/client/key.pem --cacert "/certs/ca/cacert.pem" 'https://[email protected]:15672/api/overview' with password?

I try call curl -vvv --cert /certs/client/cert.pem --key /certs/client/key.pem --cacert "/certs/ca/cacert.pem" 'https://[email protected]:15672/api/overview' with password and still get {"error":"not_authorized","reason":"Login failed"}.

[michaelklishin]

I was referring to client connections. You are trying to use x.509 authentication with the HTTP API.

It does not support this option. Protocol plugins do, as described in the rabbitmq_auth_mechanism_ssl backend.

HTTP API clients must use either a username/password pair or JWT tokens.

[rukechen]

Got it.
I will try to use client connection, not HTTP API.
Thanks

[rukechen]

I just port 5671 to send message, but still get authentication failed.
I try to use CN=myclient only or CN=myclient:random_pwd，the result is as following.

[michaelklishin]

According to the debug log, rabbit_auth_backend_amqp:user_login_authentication/2 is an undefined function (the error says "undef").

The function clearly does exist, so perhaps the plugin is not enabled.

This must be the first time in a decade when I see someone try to combine rabbit_auth_mechanism_ssl and rabbit_auth_backend_amqp. The latter is significantly less popular than the three other common authN/authZ options.