"true SSLContext not available" / NoSuchAlgorithmException in Logstash 2.3.2

[PhaedrusTheGreek]

When using RabbitMQ input with ssl => true in Logstash 2.3.2 against RabbitMQ 3.6.1 , connection fails with "true SSLContext not available" / Java::JavaSecurity::NoSuchAlgorithmException.

Connecting to RabbitMQ. Settings: {:vhost=>"/", :host=>"max", :port=>5671, :user=>"user", :automatic_recovery=>true, :pass=>"pass", :timeout=>0, :heartbeat=>0, :tls=>"true", :tls_certificate_path=>"", :tls_certificate_password=>""} {:level=>:debug, :file=>"logstash/plugin_mixins/rabbitmq_connection.rb", :line=>"147", :method=>"connect"}
Using TLS/SSL version true
true SSLContext not available {:class=>"Java::JavaSecurity::NoSuchAlgorithmException", :location=>"sun.security.jca.GetInstance.getInstance(sun/security/jca/GetInstance.java:159)", :level=>:warn, :file=>"logstash/inputs/rabbitmq.rb", :line=>"180", :method=>"register"}

Strangely, this doesn't happen in Logstash 2.3.1 even though the plugin version is the same.

├ $ logstash-2.3.2/bin/plugin list --verbose | grep rabbit
logstash-input-rabbitmq (4.0.1)
logstash-output-rabbitmq (3.0.9)

├ $ logstash-2.3.1/bin/plugin list --verbose | grep rabbit
logstash-input-rabbitmq (4.0.1)
logstash-output-rabbitmq (3.0.9)

[PhaedrusTheGreek]

@andrewvc

Steps to test:

# docker pull rabbitmq
# docker run -d --hostname my-rabbit --name some-rabbit -p 15672:15672 -p 5671:5671 -v /opt/etc-rabbitmq:/etc/rabbitmq  rabbitmq:3-management

where /opt/etc-rabbitmq contains: rabbitmq.config:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/rabbitmq/cacert.pem"},
                    {certfile,"/etc/rabbitmq/servercert.pem"},
                    {keyfile,"/etc/rabbitmq/serverkey.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

and also the given cert files (you're on your own)

Next, mozey into the admin interface http://localhost:15672/ and:

• Add the user called index with password index, set permission to the / virtualhost.
• Add the queue called logstash.queue

Configure logstash to test:

# Pull from rabbitmq queues
input {
        rabbitmq {
                host => "max"
                user => "index"
                ssl => true
                port => 5671
                password => "index"
                queue => "logstash.queue"
                key => "logstash.queue"
                durable => true
                threads => 1
                prefetch_count => 1000
        }
}
output {
 stdout {
        codec => rubydebug
 }
}

[andrewvc]

@PhaedrusTheGreek this will be fixed in https://github.com/logstash-plugins/logstash-mixin-rabbitmq_connection/pull/22

[dkiser]

@andrewvc this bit me earlier today....running logstash 2.3.1 with the following versions installed

logstash-input-rabbitmq-4.0.1 logstash-mixin-rabbitmq_connection-2.4.0

I see new 5.x versions on rubygems, but these are only for logstash 5.x right? Any idea if this will be fixed for 2.3.X or what a workaround would be?

[andrewvc]

My mistake. I'll release a 2.3.x version ASAP

On Fri, May 13, 2016 at 12:33 AM, Domingo Kiser notifications@github.com wrote:

@andrewvc https://github.com/andrewvc this bit me earlier today....running logstash 2.3.1 with the following versions installed

logstash-input-rabbitmq-4.0.1 logstash-mixin-rabbitmq_connection-2.4.0

I see new 5.x versions on rubygems, but these are only for logstash 5.x right? Any idea if this will be fixed for 2.3.X or what a workaround would be?

— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/logstash-plugins/logstash-input-rabbitmq/issues/82#issuecomment-218955853

[dkiser]

@andrewvc nice! in theory i should be able to do a plugin update afterwards and update my settings to the new types and be GTG. I was getting a file not found error when i had SSL on via "TLSv1.1" due to the tls_certifciate_path key being in the rabbitmq_settings bag.

error after realizing I needed a version string instead of 'true'

Using TLS/SSL version TLSv1.2
No such file or directory -  {:class=>"Errno::ENOENT", :location=>"org/jruby/RubyFile.java:370:in `initialize'", :level=>:warn, :file=>"logstash/inputs/rabbitmq.rb", :line=>"180", :method=>"register"}
Connecting to RabbitMQ. Settings: {:vhost=>"services", :host=>"localhost", :port=>5672, :user=>"guest", :automatic_recovery=>true, :pass=>"guest", :timeout=>0, :heartbeat=>0, :tls=>"TLSv1.2", :tls_certificate_path=>"", :tls_certificate_password=>""} {:level=>:debug, :file=>"logstash/plugin_mixins/rabbitmq_connection.rb", :line=>"147", :method=>"connect"}

original code in the mixin i had

s[:tls_certificate_path] = @tls_certificate_path || ""

monkey patch workaround

s[:tls_certificate_path] = @tls_certificate_path if @tls_certificate_path

The new mixin should fix all this right?

[PhaedrusTheGreek]

Also as a workaround, you can set ssl => “TLSv1.2" instead of ssl => true, but if you apply the workaround, it will break when the fix is applied, so be sure to set it back to ssl => true when you upgrade.

[dkiser]

@PhaedrusTheGreek that workaround didn't work for me due to the tls_certificate_path problem posted above. The workaound that did work for me was manually installing compatible versions of logstash-input-rabbitmq and logstash-mixin-rabbitmq_connection after removing the originally installed versions from the gemfile lock in the Logstash distro. Plugin updates would never work for me due to rubygems trying to install version 5.x of logstash-input-rabbitmq.

What worked for me was the following, specifically choosing 4.1.0 as the logstash-input-rabbitmq plugin, otherwise it only found 5.0.1.

# TODO: rip this thing out when new rmq plugin code has been pushed to
#       upstream rubygems.org per
#       https://github.com/logstash-plugins/logstash-input-rabbitmq/pull/86
#       AND https://github.com/elastic/logstash/blob/2.3/Gemfile.jruby-1.9.lock
#       no longer locks in the old versions.
RUN logstash-plugin uninstall logstash-input-rabbitmq \
        && logstash-plugin uninstall logstash-output-rabbitmq \
        && logstash-plugin install --version 4.1.0 logstash-input-rabbitmq

[andrewvc]

Thanks for posting the update @dkiser it is much appreciated :) Sorry the workaround didn't work as I'd thought.