rabbitmq_auth_mechanism_ssl plugin login request default to guest user

[shifty21]

Hi,

RabbitMQ version - 3.8.9
Running in docker

I am fairly new to rabbitmq and was trying to switch my rabbitmq authentication from custom-http-backend to ssl-authentication.
I have followed the https://www.rabbitmq.com/ssl.html and generated the certificates with hashicorp's vault.

I have tried with rabbit_auth_backend_internal auth_backend. The user is able to log in but the request log in rabbitmq shows the user as guest. Even though I have set ssl config to get name from common_name from client certificate.

rabbitmq log

2021-01-17 19:01:21.984 [info] <0.877.0> accepting AMQP connection <0.877.0> (172.19.0.1:60394 -> 172.19.0.3:5671)
2021-01-17 19:01:22.002 [info] <0.877.0> connection <0.877.0> (172.19.0.1:60394 -> 172.19.0.3:5671): user 'guest' authenticated and granted access to vhost '/'
2021-01-17 19:02:37.617 [warning] <0.877.0> closing AMQP connection <0.877.0> (172.19.0.1:60394 -> 172.19.0.3:5671, vhost: '/', user: 'guest'):

Available connections list output and openssl client certificate subject

root@4edda5f28f42:/home/certificates/client# rabbitmqctl list_connections peer_cert_subject
Listing connections ...
peer_cert_subject
CN=ssltest
abhishekchoudhary@Abhisheks-MacBook-Air client % openssl x509 -noout -in client.crt -subject
subject= /CN=ssltest

Configuration

auth_mechanisms.1 = EXTERNAL
auth_backends.1 = rabbit_auth_backend_internal
auth_mechanisms.2 = PLAIN
listeners.ssl.default = 5671
ssl_options.cacertfile = /home/certificates/Combined_CA.crt
ssl_options.certfile = /home/certificates/server/server.crt
ssl_options.keyfile = /home/certificates/server/server.pem
ssl_options.verify = verify_peer
ssl_cert_login_from = common_name
ssl_options.fail_if_no_peer_cert = true
loopback_users = none

Enabled plugins

• rabbitmq_prometheus
• rabbitmq_auth_mechanism_ssl
• rabbitmq_management
• rabbitmq_web_dispatch
• rabbitmq_management_agent

If I remove loopback_users config then as expected it gives an error that guest is only allowed to login via localhost. Although the request should be of ssltest user.

I expected the user to be ssltest but no matter what I try its still comes as guest in logs.
I have created ssltest, CN=ssltest user with permission to ssltest host.

Any help appreciated. Thanks!

[michaelklishin]

You still have

auth_mechanisms.2 = PLAIN

enabled. If earlier mechanisms or backends refuse authentication, the latter will be tried. Modern versions log a reasonable amount of information at debug level. Enable it and see what's really going on.

[michaelklishin]

RabbitMQ only supports certificates in the PEM format. The file name should not matter in theory but we have no details on how the certificates were generated. Besides sharing log at debug level, consider reproducing using tls-gen. Our team uses it for certificate generation in tests and development.

[michaelklishin]

This was discussed in our community Slack. Looks like the client library used does not support the EXTERNAL authentication mechanism.