RabbitMQ Connection Error: javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature

We have a 7-node test RabbitMQ cluster. One of the RabbitMQ users reported that they were getting a “javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature” error while connecting to RabbitMQ. We checked the logs and the application uptime; the RabbitMQ servers hadn’t been restarted in the past 25 days. We also didn’t observe any errors in the logs related to the vhost used by the client. We checked whether the certificate had expired, and it had not. We became reasonably confident that it was not our issue and asked the user to check from the client side.

As the day progressed, we got complaints from two other client application teams. One of them uses PHP and the other uses Java. At this point, we started suspecting RabbitMQ. One team with multiple consumers also told us that they were facing the issue with only a few of their consumers. With this information, we felt that the issue could be with a few of the nodes and not the complete cluster. One of the blogs on the internet suggested that this error could occur if the certificate was created from a different key file than the one configured in the rabbitmq.conf file. So we checked the timestamps of the certificate file and the key file. They were different: the key file’s timestamp was recent and matched the time the issue was reported. We quickly checked the bash history and saw a command to generate a new TLS key.

To resolve the issue, we copied the old key file from other nodes.

Hard Lesson Learnt: No RabbitMQ node restart is required when certificates and related keys are changed.
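The timestamp comparison above only hints at a mismatch; comparing the public key inside the certificate with the one derived from the private key confirms it directly. The script below is an added example, not part of the original post: it assumes the openssl CLI and unencrypted PEM files, and the file names and the script name `check_pair.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI and
# unencrypted PEM files.

# Print the SHA-256 of the DER-encoded public key found in a file.
# $1 = "cert" or "key", $2 = path. Returns 2 if the file cannot be parsed.
pubkey_fingerprint() (
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2 ;;
        *)    exit 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

# Return 0 if the certificate was issued for this private key, 1 if the
# two do not belong together, 2 if either file is missing or unparsable.
cert_key_match() (
    c=$(pubkey_fingerprint cert "$1") || exit 2
    k=$(pubkey_fingerprint key "$2") || exit 2
    [ "$c" = "$k" ]
)

# Constructed sample data: write a throwaway EC key and self-signed
# certificate into directory $1, plus a second, unrelated key standing in
# for a key file regenerated without reissuing the certificate.
make_sample_files() (
    cd "$1" || exit 2
    for name in server.key regenerated.key; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$name" 2>/dev/null || exit 2
    done
    openssl req -x509 -new -key server.key -subj "/CN=constructed.example" \
        -days 1 -out server.crt 2>/dev/null
)

# Command-line use (hypothetical name): sh check_pair.sh <certfile> <keyfile>
if [ "$#" -eq 2 ]; then
    rc=0; cert_key_match "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: key matches certificate" ;;
        1) echo "MISMATCH: $2 is not the key for $1"; ls -l "$1" "$2" ;;
        *) echo "ERROR: could not parse $1 or $2" ;;
    esac
fi
```

Running it on every node against the certificate and key paths configured in rabbitmq.conf shows which nodes hold a mismatched pair.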
