OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

OpenCTI is failing to connect to Amazon MQ/RabbitMQ cluster #1239

Closed ghost closed 3 years ago

ghost commented 3 years ago

Description

When trying to set up a RabbitMQ cluster using Amazon MQ, OpenCTI is failing to connect. The host system that is running Docker can access the cluster via curl/telnet. The only difference I can see between a stand-alone RabbitMQ cluster and Amazon MQ is that AWS uses SSL for RabbitMQ connections.

Environment

  1. AWS Linux 2 AMI
  2. OpenCTI 4.3.5
  3. OpenCTI client: NA
  4. Other environment details:

Amazon MQ
  - Broker engine: RabbitMQ
  - Deployment mode: Single-instance broker
  - Broker instance type: mq.m5.xlarge
  - Broker engine version: 3.8.6

Listening ports

| Protocol   | Bound to | Port  |
|------------|----------|-------|
| amqp/ssl   | ::       | 5671  |
| clustering | ::       | 25672 |
| https      | ::       | 15671 |

Web Contexts

| Context             | Bound to | Port  | SSL | Path |
|---------------------|----------|-------|-----|------|
| RabbitMQ Management | 0.0.0.0  | 15671 | *   | /    |

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create Amazon MQ cluster in AWS
  2. From a fresh install of OpenCTI, configure the RabbitMQ env vars to point to Amazon MQ
  3. Start opencti and watch logs

Expected Output

Connect and use Amazon MQ

Actual Output

{"error":{"name":"DatabaseError","_error":{},"_showLocations":false,"_showPath":false,"time_thrown":"2021-04-08T15:05:22.890Z","data":{"reason":"RabbitMQ seems down","category":"technical"},"internalData":{}},"version":"4.3.5","level":"error","message":"[OPENCTI] Platform initialization fail","timestamp":"2021-04-08T15:05:22.890Z"}

Additional information

ghost commented 3 years ago

OCTI Env Variables:

  opencti:
    image: opencti/platform:4.3.5
    environment:

ghost commented 3 years ago

[Screenshots attached: Screen Shot 2021-04-08, 11:03:33 AM to 11:05:02 AM]
ghost commented 3 years ago

[Screenshot attached: Screen Shot 2021-04-08 at 11:52:25 AM]
ghost commented 3 years ago

We have troubleshot the issue to be related to there being no option to support amqps:// in rabbitmq.js, lines 15-18.

hortonew commented 3 years ago

I've created a configuration that will enable testing on the amqps version. This lets RabbitMQ listen for amqp/ssl on port 5671.

Create self-signed certs, following instructions from https://www.rabbitmq.com/ssl.html#automated-certificate-generation.

git clone https://github.com/michaelklishin/tls-gen tls-gen
cd tls-gen/basic/
make PASSWORD=apassword
make verify
make info

If your server's private key was created with a passphrase (see PASSWORD=apassword above), you'll want to strip that.

cd results
openssl rsa -in server_key.pem -out server_key.pem
# then enter the passphrase apassword

Back in the root of your project, create a directory to map into the rabbitmq container.

cd ../../
mkdir certs
cp tls-gen/basic/results/ca_certificate.pem certs/
cp tls-gen/basic/results/server_certificate.pem certs/
cp tls-gen/basic/results/server_key.pem certs/

Update docker-compose.yml

  rabbitmq:
    image: rabbitmq:3.8-management
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_PORT_MANAGEMENT=15671
      - RABBITMQ_MANAGEMENT_SSL_CACERTFILE=/var/lib/rabbitmq_certs/ca_certificate.pem
      - RABBITMQ_MANAGEMENT_SSL_CERTFILE=/var/lib/rabbitmq_certs/server_certificate.pem
      - RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT=false
      - RABBITMQ_MANAGEMENT_SSL_KEYFILE=/var/lib/rabbitmq_certs/server_key.pem
      - RABBITMQ_SSL_CACERTFILE=/var/lib/rabbitmq_certs/ca_certificate.pem
      - RABBITMQ_SSL_CERTFILE=/var/lib/rabbitmq_certs/server_certificate.pem
      - RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT=false
      - RABBITMQ_SSL_KEYFILE=/var/lib/rabbitmq_certs/server_key.pem
    volumes:
      - amqpdata:/var/lib/rabbitmq
      - ${PWD}/certs:/var/lib/rabbitmq_certs
    ports:
      - "15671:15671"
      - "15672:15672"
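The diagnosis above (no way to produce an amqps:// URL in rabbitmq.js) and the TLS test setup both come down to one thing: the connection string and socket options must follow a TLS flag. The following is an added example, not OpenCTI's rabbitmq.js; the settings keys (hostname, port, use_ssl, ca, reject_unauthorized, vhost) and the broker hostname are assumed, and the result is shaped for amqplib's connect(url, socketOptions).

```javascript
// Added example (not OpenCTI code): derive the AMQP URL and TLS socket options
// from a settings object. Key names are assumptions, not OpenCTI's config keys.
const DEFAULT_PORTS = { amqp: 5672, amqps: 5671 };

function buildRabbitConnection(settings) {
  // Env-sourced settings usually arrive as strings, so accept 'true' as well as true.
  const useTls = settings.use_ssl === true || settings.use_ssl === 'true';
  const protocol = useTls ? 'amqps' : 'amqp';
  const port = Number(settings.port) || DEFAULT_PORTS[protocol];
  const url = new URL(`${protocol}://${settings.hostname}:${port}`);
  // The URL setters percent-encode reserved characters (e.g. '@' or '/' in a
  // password) that plain string concatenation would turn into a parse error.
  url.username = settings.username || '';
  url.password = settings.password || '';
  // amqplib takes the vhost from the path; the default vhost '/' is sent as %2F.
  url.pathname = '/' + encodeURIComponent(settings.vhost || '/');

  const warnings = [];
  const socketOptions = {};
  if (useTls) {
    // Verify the broker certificate unless the operator explicitly opts out.
    socketOptions.rejectUnauthorized = settings.reject_unauthorized !== false;
    if (settings.ca) socketOptions.ca = [settings.ca]; // PEM text of the CA certificate
    if (!socketOptions.rejectUnauthorized) {
      warnings.push('broker certificate verification is disabled');
    }
  } else if (port === DEFAULT_PORTS.amqps) {
    // The situation in this issue: plain AMQP aimed at the amqp/ssl listener.
    warnings.push('port 5671 is the amqp/ssl port but use_ssl is off; expect "RabbitMQ seems down"');
  }
  return { url: url.toString(), socketOptions, warnings };
}

// Constructed sample mirroring the Amazon MQ listener from the report (TLS on 5671).
const sample = buildRabbitConnection({
  hostname: 'broker.example.com', // placeholder, not a real broker
  use_ssl: 'true',
  username: 'opencti',
  password: 'p@ss/word',
  ca: '-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----',
});
console.log(sample.url, sample.socketOptions, sample.warnings);
```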