Peer verification failed with "CLIENT ALERT: Fatal - Bad Certificate"

[yahavHalfon]

Describe the bug

Facing an issue with RabbitMQ’s Management Plugin using OAuth2. When verify_peer is enabled to validate the SSO router server certificate, OAuth2 authentication fails if the SSO router uses a full chain certificate (leaf, intermediate, root concatenated).

Certificate structure:

-----BEGIN CERTIFICATE-----
[leaf certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[root CA]
-----END CERTIFICATE-----

Since the update, clients can’t authenticate with OAuth2. We’re seeing this error in the pods (logged even at debug):

Error observed in the pods (logged even at debug):

{:bad_certificate,
   ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2113 generated CLIENT ALERT: Fatal - Bad Certificate\n"}}

Clients receive not authorized when attempting to authenticate.

Reproduction steps

1. Enable the RabbitMQ Management Plugin with OAuth2.
2. Configure RabbitMQ to validate the SSO server certificate using verify_peer.
3. Update the SSO server certificate to a full chain certificate.
4. Attempt client authentication via OAuth2.
   ...

Expected behavior

RabbitMQ should validate the full chain certificate without errors when verify_peer is enabled, allowing OAuth2 authentication to succeed.

Additional context

• RabbitMQ versions tested: 3.13.x, 4.0.x
• Reverting to the previous certificate (signed by the same CA) works.
• Stripping the full chain certificate to just the leaf certificate also works.
• The correct CA bundle and configuration are in place.

Potential Relation to Erlang OTP:
This may be caused by an issue in the Erlang OTP version used. We found references to similar problems in the following GitHub issues:
• Erlang OTP issue #8601
• Erlang OTP issue #8588
• Swoosh issue #785

Docs:
• RabbitMQ OAuth2 Documentation

[michaelklishin]

RabbitMQ should validate the full chain certificate without errors when verify_peer is enabled

@yahavHalfon RabbitMQ does not implement peer verification, Erlang/OTP does. Peer verification is a nuanced process that has an entire RFC dedicated to it (RFC 5280). We will not guess what your certificate chain looks like, or what Erlang version is used. We do not guess in this community.

Our Community support policy explicitly states that we will not troubleshoot OAuth 2 for non-paying users. The OAuth 2 plugin source code is available to anyone to investigate what may be going on.

[michaelklishin]

Finally, RabbitMQ 4.0.x can run on the very latest Erlang 27.x. I recall at least one issue reported by our team where a certificate chain failed to load with Bad Certificate. It was addressed months ago.

[michaelklishin]

Here it is erlang/otp#8482. It only affects the certificates that have a nameConstraints x.509 extension.

Shipped in 26.2.5.1 and likely all 27.x, or at least all 27.1.x patch releases.

So the latest 26.2.x or 27.1.x release, both of which RabbitMQ 4.0.5 supports, should not be affected.

[michaelklishin]

@yahavHalfon ^^^