Fail connect to AmazonMQ using Symfony messenger

Question

I tried to connect to AmazonMQ with amqps protocol in AmazonMQ and get this error:

NOTICE: PHP message: [error] Symfony\Component\Messenger\Exception\InvalidArgumentException
cfi-lms-api_1              | No CA certificate has been provided. Set "amqp.cacert" in your php.ini or pass the "cacert" parameter in the DSN to use SSL. Alternatively, you can use amqp:// to use without SSL.

Where I can get this certificate and how to properly work with amqps in case AmazonMQ? What path for cacert I should specify?

I tried use amqp protocol but Amazon MQ does not support it.

Answer 1

In the docs:

If you want to use TLS/SSL encrypted AMQP, you must also provide a CA certificate. Define the certificate path in the amqp.cacert PHP.ini setting (e.g. amqp.cacert = /etc/ssl/certs) or in the cacert parameter of the DSN (e.g amqps://localhost?cacert=/etc/ssl/certs/).

(at https://symfony.com/doc/current/messenger.html)

It says cacert is "Path to the CA cert file in PEM format."

You can download the file through your web browser, clicking the "locker" icon next to "https" in the url bar. For example, the ca cert for StackOverflow can be downloaded like so :

Prefer the one from the "root" tab, which is usually valid way longer (+ 10 years).

Source:

https://github.com/symfony/amqp-messenger/blob/5.4/Transport/Connection.php#L232

https://github.com/symfony/amqp-messenger/blob/4175a0a98507e7ec575dca9b36e6c0a5a072d3fd/Transport/Connection.php#L285

Answer 2

@Musa thanks for the answer! I will provide more details for somebody like me who never setup this certificate:

1. If you need work with Amazon MQ you should download the root certificate for mq.eu-central-1.amazonaws.com in pem format (see the answer from @Musa on how to do it).
2. Then you should change MESSENGER_TRANSPORT_DSN in .env file to add the new parameter cacert (see Symfony doc for more details https://symfony.com/doc/current/messenger.html#amqp-transport):

MESSENGER_TRANSPORT_DSN=amqps://username:[email protected]:5671/%2f/_messages?cacert=/path-to-root-cert/mq-eu-central-1-amazonaws-com.pem

Another possible solution is to specify Amazon Root CA 1. Every Linux distribution has this certificate (see package ca-certificates). In this case, MESSENGER_TRANSPORT_DSN must be like this:

MESSENGER_TRANSPORT_DSN=amqps://username:[email protected]:5671/%2f/_messages?cacert=/etc/ssl/certs/Amazon_Root_CA_1.pem

Answer 3

For the noobs o news with AmazonMQ/rabbitmq

Get the PEM from this url : https://www.amazontrust.com/repository/AmazonRootCA1.pem

and pass = ?cacert=/path/to/pem/Amazon_Root_CA_1.pem

I hope it helps.