rabbitmq / rabbitmq-auth-backend-http

HTTP-based authorisation and authentication for RabbitMQ

rabbit_auth_backend_http authentication not working with ssl_cert_login_from #64

Closed ghost closed 6 years ago

ghost commented 6 years ago

While using HTTP-based authentication along with SSL certificate login, the client is not able to connect to the broker. The broker throws:

** Reason for termination ==
** {function_clause,
[{amqp_gen_connection,terminate,[{
{case_clause,{badrpc,{'EXIT',{{badmatch,undefined},
[{rabbit_auth_backend_http,p,1,[{file,"src/rabbit_auth_backend_http.erl"},{line,150}]},
{rabbit_auth_backend_http,user_login_authentication,2,[{file,"src/rabbit_auth_backend_http.erl"},{line,42}]},
{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,88}]},
{rabbit_access_control,'-check_user_login/2-fun-0-',4,[{file,"src/rabbit_access_control.erl"},{line,74}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},
{rabbit_direct,connect,5,[{file,"src/rabbit_direct.erl"},{line,101}]},{rpc,local_call,3,[{file,"rpc.erl"},{line,321}]},
{amqp_direct_connection,connect,4,[{file,"src/amqp_direct_connection.erl"},{line,151}]}]}}}},[{amqp_direct_connection,connect,4,[{file,"src/amqp_direct_connection.erl"},{line,151}]},{amqp_gen_connection,handle_call,3,[{file,"src/amqp_gen_connection.erl"},{line,171}]},{gen_server,try_handle_call,4,[{file,...},...]},...]},...],...},...]}

for the config file:

[{rabbit,
  [{ssl_cert_login_from, common_name},
   {auth_mechanisms, ['EXTERNAL']},
   {tcp_listeners,   [5672]},
   {loopback_users,  []},
   {ssl_options, [{cacertfile, "/opt/Root.crt"},
                  {certfile,   "/opt/server.crt"},
                  {keyfile,    "/opt/server.key"},
                  {verify,     verify_peer},
                  {fail_if_no_peer_cert, true}]},
   {auth_backends, [rabbit_auth_backend_http]}
  ]},
 {rabbitmq_auth_backend_http,
  [{http_method,   post},
   {user_path,     "http://localhost:8080/auth/user"},
   {vhost_path,    "http://localhost:8080/auth/vhost"},
   {resource_path, "http://localhost:8080/auth/resource"},
   {topic_path,    "https://localhost:8080/auth/topic"}
  ]},
 {rabbitmq_mqtt,
  [{vhost,            "/"},
   {exchange,         "amq.topic"},
   {subscription_ttl, 1800000},
   {prefetch,         10},
   %%{ssl_listeners,    []},
   %% Default MQTT with TLS port is 8883
   {ssl_listeners,    [8443]},
   {tcp_listeners,    [1883]},
   {ssl_cert_login,   true},
   {tcp_listen_options, [{backlog, 128},
                         {nodelay, true}]}
  ]}
].

The configured URLs are from the example bundled in the project.

michaelklishin commented 6 years ago

Thank you for your time.

Team RabbitMQ uses GitHub issues for specific actionable items engineers can work on. GitHub issues are not used for questions, investigations, root cause analysis, discussions of potential issues, etc (as defined by this team).

We get at least a dozen questions through various venues every single day, often light on details. At that rate GitHub issues can very quickly turn into something impossible to navigate and make sense of even for our team. Because GitHub is a tool our team uses heavily nearly every day, the signal/noise ratio of issues is something we care about a lot.

Please post this to rabbitmq-users.

Thank you.

michaelklishin commented 6 years ago

This plugin is not meant to work with ssl_cert_login_from. That's a key that rabbitmq-auth-mechanism-ssl supports and some other plugins use because it makes sense in their context.

michaelklishin commented 6 years ago

See this rabbitmq-users thread. x509 certificate authentication may or may not make sense in combination with authN backend plugins.

We don't know what the goal is here => this is mailing list material.

michaelklishin commented 6 years ago

The stack trace says that rabbitmq_auth_backend_http.user_path is undefined.

Make sure that your config file is loaded and effective configuration is what you expect. I see no evidence of rabbitmq-auth-mechanism-ssl having any impact on this.
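
One way to carry out the check suggested in the last comment, as an added example that is not part of the thread or of the plugin: ask the running node for each `*_path` key with `rabbitmqctl eval` and report any that come back `undefined`. The `fake_node_*` functions are constructed stand-ins for `rabbitmqctl` so the script runs offline, and the exact text `eval` prints (`undefined` or `{ok,...}`) is an assumption based on how Erlang prints terms.

```shell
#!/bin/sh
# Added example: report which rabbitmq_auth_backend_http keys a running node has.
APP=rabbitmq_auth_backend_http
KEYS="user_path vhost_path resource_path topic_path"

# Constructed stand-in for rabbitmqctl: a node where the plugin section of the
# config file was never loaded, so every key is undefined.
fake_node_unconfigured() { echo undefined; }

# Constructed stand-in for a node that did load the config shown in the issue.
# $1 is "eval", $2 is the Erlang expression.
fake_node_configured() {
    case "$2" in
        *user_path*)     echo '{ok,"http://localhost:8080/auth/user"}' ;;
        *vhost_path*)    echo '{ok,"http://localhost:8080/auth/vhost"}' ;;
        *resource_path*) echo '{ok,"http://localhost:8080/auth/resource"}' ;;
        *topic_path*)    echo '{ok,"https://localhost:8080/auth/topic"}' ;;
        *)               echo undefined ;;
    esac
}

# check_paths [CTL]: query every key through CTL (default: rabbitmqctl).
# Prints one line per key. Returns 0 if all keys are set, 1 if any key is
# undefined or unrecognised, 2 if the node could not be queried at all.
check_paths() {
    ctl=${1:-rabbitmqctl}
    status=0
    for key in $KEYS; do
        val=$("$ctl" eval "application:get_env($APP, $key)." 2>/dev/null) || return 2
        case "$val" in
            undefined)
                echo "$key is UNDEFINED on the running node"
                status=1 ;;
            '{ok,'*)
                echo "$key = $val" ;;
            *)
                echo "$key: unexpected reply: $val"
                status=1 ;;
        esac
    done
    return $status
}

# Demo on the constructed stand-ins. Against a live broker run: check_paths
check_paths fake_node_unconfigured || echo "-> config file is not in effect"
check_paths fake_node_configured && echo "-> all four paths are defined"
```

An `undefined` reply for `user_path` is the condition the last comment reads out of the stack trace, and it points at the config file not being the one the node loaded rather than at the TLS settings.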