{options,incompatible,[{verify,verify_peer},{cacerts,undefined}]} error

[inazarov-vox]

I'm trying to connect exchanges from two different clusters via federation_plugin. But I'm encountering un unexpected error. One cluster is running on ec2s with SSL enabled outside k8s (upstream). And one cluster is inside k8s(downstream) deployed with rabbitmq-cluster-operator SSL disabled. No matter what settings I'm trying to use I get that error {options,incompatible,[{verify,verify_peer},{cacerts,undefined}]} though I have verify = verify_none on downstream. Upstream doesn't get my messages and also no logs there at all.

My federation URI is amqps://user:[pass]@upstream.com:5672

UPSTREAM SSL settings:

listeners.ssl.default = 0.0.0.0:5671
listeners.ssl.other_port = 0.0.0.0:5672
num_acceptors.tcp = 10
num_acceptors.ssl = 5
ssl_options.cacertfile = /etc/ssl/private/certs/wildcard_chain.pem
ssl_options.certfile   = /etc/ssl/private/certs/wildcard_cert.pem
ssl_options.keyfile    = /etc/ssl/private/certs/wildcard_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.2

DOWNSTREAM SSL settings:

ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false

Shouldn't I just get certs from upstream and establish amqps connections since it has ssl_options.fail_if_no_peer_cert = false? What do I have to do to make it work?

openssl s_client -connect upstream.com:5672 from a rabbitmq pod establishes a sucessful connection so not a certs problem.

[lukebakken]

Hello,

In general, TLS questions do not receive community support from Team RabbitMQ. Please see the community support policy.

In your case, you should be able to provide a docker compose or similar project to reproduce this issue. Right now you're asking us to guess at what the issue is, with minimal information. If you provide such a project, I'll take the time to investigate.

Finally, Federation links do NOT pick up TLS/SSL options from the configuration settings you provide. Under the hood, Federation uses the AMQP 0.9.1 Erlang client to communicate, which means you have these options to configure TLS settings

• Via the Federation link URI (https://www.rabbitmq.com/docs/uri-spec#the-amqps-uri-scheme)
• Via the advanced.config file (https://www.rabbitmq.com/client-libraries/erlang-client-user-guide - "TLS options can also be specified globally using the ssl_options environment key for the amqp_client application."

[inazarov-vox]

Thanks for the answer. The problem was solved. I suppose the error message should be more clear either the default value should be verify = none. On the older versions which I have on most of setups the default setting for that was
amqp_client.ssl_options.verify = verify_none and I never even bothered about that. And this error message appeared as a message related for that ssl configuration block wich lead to a big confussion. Anyway, big thanks for help.

[mkuratczyk]

Erlang/OTP 26 changed the default to secure: https://www.erlang.org/blog/otp-26-highlights/#ssl-safer-defaults
We mention this in our release notes.