amqp_0_9 authentication with certificates only?

[zswanson]

Hello! I'm trying see if I can get benthos working with amqp_0_9 input against a TLS secured rabbitmq cluster that uses 'passwordless users' with x509 certs for authentication.

https://www.rabbitmq.com/passwords.html#x509-certificate-authentication

It is possible to authenticate connections using x509 certificates and avoid using passwords entirely. The authentication process then will rely on TLS peer certificate chain validation.
To do so:
Create a passwordless user (see above)
Enable the rabbitmq-auth-mechanism-ssl plugin
Follow the plugin's configuration instructions
Configure client connections to use TLS and the EXTERNAL authentication mechanism
Configure client connections to provide a certificate/key pair and a CA certificate (or chain of certificates). The chain of certificates will be verified by the server and thus at least one certificate in it must be trusted by the target node.

Is there a way to configure this correctly for amqp 0.9? I keep getting errors from benthos and my rabbit cluster that its trying to connect as a guest user, despite that I've left the user/password empty in the url and have provided the TLS cert configuration.

According to the rabbitmq docs

input:
  amqp_0_9:
    url: amqps://my.rabbitmq.cluster:5671/%2f
    queue: benthos
    tls:
      enabled: true
      enable_renegotiation: true
      skip_cert_verify: false
      root_cas_file: ./ca-bundle.pem
      client_certs:
        - key_file: ./key.pem
          cert_file: ./cert.pem

[zswanson]

Digging into the client libraries, it appears that there's been an open PR for years on the steadway/amqp module to support this type of auth, but the project maintainers seem to be in hiatus. :(

streadway/amqp#121

streadway/amqp#497

[mihaitodor]

Please do if you can. Would be great to have the one liners needed to test it and some hello world Go code which calls this AMQP lib. I’ll make sure to chase after the maintainers to get it merged.

[jonasneves-signifyd]

On the server side configuration, make sure that the plugin rabbitmq-auth-mechanism-ssl is enabled, and that EXTERNAL is one of the auth mechanisms of the option auth_mechanisms. We also enable the option "ssl_cert_login_from = common_name" because we include the username in the clients certificate, in the "common name" attribute.

Here is an example of how to generate a client certificate with your own private self-signed CA in terraform, which contains some options that are required for the authentication to work (like allowed_uses). Once the certificate is created, also make sure to have your private CA cert file included in the CA bundle file that is passed in to the attribute ssl_options.cacertfile.

resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = "2048"
}

resource "tls_self_signed_cert" "ca" {
  key_algorithm     = "RSA"
  private_key_pem   = tls_private_key.ca.private_key_pem
  is_ca_certificate = true

  subject {
    common_name = "rabbitmq.ca"
  }

  validity_period_hours = 43800

  allowed_uses = [
    "keyCertSign",
    "cRLSign",
  ]
}

resource "tls_private_key" "client" {
  algorithm = "RSA"
  rsa_bits  = "2048"
}

resource "tls_cert_request" "client" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.client.private_key_pem

  subject {
    # rabbitmq client username is included in the certificate
    common_name = "client1"
  }
}

resource "tls_locally_signed_cert" "client" {
  cert_request_pem   = tls_cert_request.client.cert_request_pem
  ca_key_algorithm   = "RSA"
  ca_private_key_pem = tls_private_key.ca.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem

  validity_period_hours = 8760

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "client_auth",
  ]
}

resource "local_file" "ca_cert_pem" {
    content  = tls_self_signed_cert.ca.cert_pem
    filename = "ca-cert.pem"
}

resource "local_file" "client_cert_pem" {
    content  = tls_locally_signed_cert.client.cert_pem
    filename = "client-cert.pem"
}

resource "local_file" "client_privkey_pem" {
    content  = tls_private_key.client.private_key_pem
    filename = "client-privkey.pem"
}

Note: This example assumes the client username is "client1"

[mihaitodor]

Thank you very much @jonasoneves! I was able to validate the PR using the keys generated by your terraform snippet and I documented the steps I followed here: https://github.com/mihaitodor/amqp_tls_go_demo

[jonasneves-signifyd]

Great, I'm glad I could help!

[mihaitodor]

rabbitmq/amqp091-go#20 has been merged, so I opened #905 to make the required changes in Benthos.

[mihaitodor]

This has been implemented in #905. @jonasoneves, @zswanson would you mind having another look and let me know if you see any issues?

[zswanson]

I'll give it a spin tomorrow!

[zswanson]

Verified this morning that we get connection to rabbit with certs only, no user/password!
Thank you all for the help here!

[mihaitodor]

Awesome, thanks for testing!