Panic when providing a TLS certificate and a key to a listener.

[akrizs]

When i try to run the server with TLS certificates i get an error saying

thread 'main' panicked at rmqtt-bin/src/server.rs:214:53:
removal index (is 0) should be < len (is 0)

seems to happen here

    let key_file = &mut BufReader::new(File::open(listen_cfg.key.as_ref().unwrap())?);


        let cert_chain = certs(cert_file).unwrap();
        let mut keys = rsa_private_keys(key_file).unwrap();


        let mut tls_config = if listen_cfg.cross_certificate {
            let root_chain = cert_chain.clone();
            let mut client_auth_roots = RootCertStore::empty();
            for root in root_chain {
                client_auth_roots.add(&root).unwrap();
            }
            ServerConfig::new(AllowAnyAuthenticatedClient::new(client_auth_roots))
        } else {
            ServerConfig::new(NoClientAuth::new())
        };


    >    tls_config.set_single_cert(cert_chain, keys.remove(0)).map_err(|e| MqttError::from(e.to_string()))?;


        let tls_acceptor = Acceptor::new(tls_config);

Is anyone else having a similar issue ?

The certificate has been validated and checked with openssl and the key has also been checked, it is a 4096 bit rsa key.

[akrizs]

If i disable tls listener and certificates and let it pass over to wss without panicking i get the same thing for the wss

thread 'main' panicked at rmqtt-bin/src/server.rs:437:53:
removal index (is 0) should be < len (is 0)

Line 437 Col 53

[rmqtt]

From the error message, it appears that it is a configuration problem with ‘listener.tls.external.key’. Can you post your complete configuration so I can take a look?

[akrizs]

##--------------------------------------------------------------------
## General
##--------------------------------------------------------------------

##--------------------------------------------------------------------
## Node
##--------------------------------------------------------------------
#node id
node.id = 0

##--------------------------------------------------------------------
## RPC
##--------------------------------------------------------------------
rpc.server_addr = "0.0.0.0:5363"
rpc.server_workers = 4
#Maximum number of messages sent in batch
rpc.batch_size = 128
#Client concurrent request limit
rpc.client_concurrency_limit = 128
#Connect and send to server timeout
rpc.client_timeout = "5s"


##--------------------------------------------------------------------
## Log
##--------------------------------------------------------------------
# Value: off | file | console | both
log.to = "both"
# Value: trace, debug, info, warn, error
log.level = "info"
log.dir = "/var/log/rmqtt"
log.file = "rmqtt.log"


##--------------------------------------------------------------------
## Plugins
##--------------------------------------------------------------------
#Plug in configuration file directory
plugins.dir = "/etc/rmqtt/plugins"
#Plug in started by default, when the mqtt server is started
plugins.default_startups = [
    "rmqtt-cluster-raft",
    # "rmqtt-cluster-broadcast",
    #"rmqtt-auth-http",
    "rmqtt-web-hook",
    #"rmqtt-retainer",
    "rmqtt-http-api",
]

##--------------------------------------------------------------------
## Listeners
##--------------------------------------------------------------------

##--------------------------------------------------------------------
## MQTT/TCP - External TCP Listener for MQTT Protocol
listener.tcp.external.addr = "0.0.0.0:1883"
#Number of worker threads
listener.tcp.external.workers = 8
#The maximum number of concurrent connections allowed by the listener.
listener.tcp.external.max_connections = 1024000
#Maximum concurrent handshake limit, Default: 500
listener.tcp.external.max_handshaking_limit = 500
#Handshake timeout.
listener.tcp.external.handshake_timeout = "30s"
#Maximum allowed mqtt message length. 0 means unlimited, default: 1m
listener.tcp.external.max_packet_size = "1m"
#The maximum length of the TCP connection queue.
#It indicates the maximum number of TCP connection queues that are being handshaked three times in the system
listener.tcp.external.backlog = 1024
#Whether anonymous login is allowed. Default: true
listener.tcp.external.allow_anonymous = true
#A value of zero indicates disabling the keep-alive feature, where the server
#doesn't need to disconnect due to client inactivity, default: true
listener.tcp.external.allow_zero_keepalive = true
#Minimum allowable keepalive value for mqtt connection,
#less than this value will reject the connection(MQTT V3),
#less than this value will set keepalive to this value in CONNACK (MQTT V5),
#default: 0, unit: seconds
listener.tcp.external.min_keepalive = 0
#Maximum allowable keepalive value for mqtt connection,
#greater than this value will reject the connection(MQTT V3),
#greater than this value will set keepalive to this value in CONNACK (MQTT V5),
#default value: 65535, unit: seconds
listener.tcp.external.max_keepalive = 65535
# > 0.5, Keepalive * backoff * 2
listener.tcp.external.keepalive_backoff = 0.75
#Flight window size. The flight window is used to store the unanswered QoS 1 and QoS 2 messages
listener.tcp.external.max_inflight = 16
#Maximum length of message queue
listener.tcp.external.max_mqueue_len = 1000
#The rate at which messages are ejected from the message queue,
#default value: "u32::max_value(),1s"
listener.tcp.external.mqueue_rate_limit = "1000,1s"
#Maximum length of client ID allowed, Default: 65535
listener.tcp.external.max_clientid_len = 65535
#The maximum QoS level that clients are allowed to publish. default value: 2
listener.tcp.external.max_qos_allowed = 2
#The maximum level at which clients are allowed to subscribe to topics.
#0 means unlimited. default value: 0
listener.tcp.external.max_topic_levels = 0
#Whether support retain message, true/false, default value: true
listener.tcp.external.retain_available = true
#Session timeout, default value: 2 hours
listener.tcp.external.session_expiry_interval = "2h"
#QoS 1/2 message retry interval, 0 means no resend
listener.tcp.external.message_retry_interval = "20s"
#Message expiration time, 0 means no expiration
listener.tcp.external.message_expiry_interval = "5m"
#The maximum number of topics that a single client is allowed to subscribe to
#0 means unlimited, default value: 0
listener.tcp.external.max_subscriptions = 0
#Shared subscription switch, default value: true
listener.tcp.external.shared_subscription = true
#topic alias maximum, default value: 0, topic aliases not enabled. (MQTT 5.0)
listener.tcp.external.max_topic_aliases = 32

##--------------------------------------------------------------------
## Internal TCP Listener for MQTT Protocol
listener.tcp.internal.enable = true
listener.tcp.internal.addr = "0.0.0.0:11883"
listener.tcp.internal.workers = 4
listener.tcp.internal.max_connections = 102400
listener.tcp.internal.max_handshaking_limit = 500
listener.tcp.internal.handshake_timeout = "30s"
listener.tcp.internal.max_packet_size = "1M"
listener.tcp.internal.backlog = 512
listener.tcp.internal.allow_anonymous = true
listener.tcp.internal.allow_zero_keepalive = true
listener.tcp.internal.min_keepalive = 0
listener.tcp.internal.max_keepalive = 65535
listener.tcp.internal.keepalive_backoff = 0.75
listener.tcp.internal.max_inflight = 16
listener.tcp.internal.max_mqueue_len = 1000
listener.tcp.internal.mqueue_rate_limit = "1000,1s"
listener.tcp.internal.max_clientid_len = 65535
listener.tcp.internal.max_qos_allowed = 2
listener.tcp.internal.max_topic_levels = 0
listener.tcp.internal.retain_available = true
listener.tcp.internal.session_expiry_interval = "2h"
listener.tcp.internal.message_retry_interval = "30s"
listener.tcp.internal.message_expiry_interval = "5m"
listener.tcp.internal.max_subscriptions = 0
listener.tcp.internal.shared_subscription = true
listener.tcp.internal.max_topic_aliases = 0

##--------------------------------------------------------------------
## MQTT/TLS - External TLS Listener for MQTT Protocol
listener.tls.external.addr = "0.0.0.0:8883"
# listener.tls.external.cross_certificate = true
# listener.tls.external.cert = "/etc/rmqtt/certificates/RMQTT.fullchain.pem"
listener.tls.external.cross_certificate = false
listener.tls.external.cert = "/etc/rmqtt/certificates/RMQTT.pem"
listener.tls.external.key = "/etc/rmqtt/certificates/RMQTT.key"

##--------------------------------------------------------------------
## MQTT/WebSocket - External WebSocket Listener for MQTT Protocol
listener.ws.external.addr = "0.0.0.0:8080"

##--------------------------------------------------------------------
## MQTT/TLS-WebSocket - External TLS-WebSocket Listener for MQTT Protocol
listener.wss.external.addr = "0.0.0.0:8443"
# listener.wss.external.cross_certificate = true
# listener.wss.external.cert = "/etc/rmqtt/certificates/RMQTT.fullchain.pem"
listener.wss.external.cross_certificate = false
listener.wss.external.cert = "/etc/rmqtt/certificates/RMQTT.pem"
listener.wss.external.key = "/etc/rmqtt/certificates/RMQTT.key"

This is the config as it was when those errors occurred, when i commented out/disabled the listener.tls.external blocks then the same error came up when starting up the listener.wss.external, so to continue my work i had to disable listener.wss.external as well.

I have verified and the certificates and keys are in the correct position and can be read by the runtime user running the application.

[rmqtt]

It should be that the '/etc/rmqtt/certificates/RMQTT.key' file format is wrong. I configured the key as 'rmqtt-bin/rmqtt.key' in the project, which is correct. If you must enable the TLS function, it is recommended to use the 'key' and 'cert' in the project to debug the connection correctly, and then replace it with the 'key' and 'cert' generated by yourself. If tls functionality is not needed, disable it.

[rmqtt]

You can try using 'https://github.com/rmqtt/rmqtt/blob/master/rmqtt-bin/gen_x509.sh' to generate your own 'key' and 'cert'

[akrizs]

Wait what!,, changing out the certs worked,, but why,, the certificates and keys are generated and validated using openssl, what could be the difference between them ?

I'll have a look at that, these certificates work with other types of TLS servers,, i will investigate and give a feedback, the only difference i can see is that my keys are 4096 bit size and yours are 2048 bit

[rmqtt]

I changed "SERVER_RSA_KEY_BIT="rsa:2048"" and "CLIENT_RSA_KEY_BIT="rsa:2048"" in "gen_x509.sh" to 4096 and regenerated the key and cert for testing, which was also successful.

Note: Currently only TLSv1.2 is supported

---- Replied Message ---- | From | Anton @.> | | Date | 01/24/2024 00:01 | | To | @.> | | Cc | @.>@.> | | Subject | Re: [rmqtt/rmqtt] Panic when providing a TLS certificate and a key to a listener. (Issue #51) |

Wait what!,, changing out the certs worked,, but why,, the certificates and keys are generated and validated using openssl, what could be the difference between them ?

I'll have a look at that, these certificates work with other types of TLS servers,, i will investigate and give a feedback, the only difference i can see is that my keys are 4096 bit size and yours are 2048 bit

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: @.***>

[akrizs]

Another question about the TLS certificates, where would i provide the server with the CA that signed the Client Certificates to validate and allow connection to the server using certificates ?