Improve error message when certificate is not whitelisted via rabbitmq_trust_store plugin

[mgrafl]

Is your feature request related to a problem? Please describe.

When using the rabbitmq_trust_store plugin, connection attempts for which the certificate has not been whitelisted fail with messages "certificate not whitelisted" or "CA not known AND certificate not whitelisted" and no further info about the user that tried to authenticate or about the offending certificate.

This makes it hard to troubleshoot such cases via the server logs and you can only rely on reports from clients for which the connection attempt failed.

Describe the solution you'd like

Include the certificate subject (and, if available, the issuer) in the error message, e.g.,

certificate not whitelisted, subject: 'CN=unknown-user,O=ACME,[...]'

CA not known AND certificate not whitelisted, subject: 'CN=unknown-user,o=ACME,[...]', issuer: 'CN=SERVER ROOT CA,o=ACME,[...]'

Describe alternatives you've considered

An alternative on the server side might be to increase overall log verbosity for all connection attempts to see if client certificates are logged at any point. But that would negatively impact overall performance and server log size.

Additional context

I'll gladly provide the PR if this feature is deemed useful.

[michaelklishin]

The trend in the industry is arguably to log less such details, not more.

[mgrafl]

But how can I figure out which users are not whitelisted?
My scenario is that some clients repeatedly try to connect as they are aware that the rabbitmq_trust_store plugin via HTTP has a poll interval and the rabbitmq-server simply might not have retrieved the latest certificate whitelist.
The clients don't know whether their certificates will ever be whitelisted, so they retry indefinitely.

At a certain scale, this spams the server log with "certificate not whitelisted" messages but without any option for me to figure out, which clients need to be shut down for good (or to be blocked by other means).

[michaelklishin]

@mgrafl your clients behavior (reconnecting indefinitely, producing a lot of log noise) is not RabbitMQ's problem.

I do not object to some kind of logging to help narrow down missing certificates but like I said, the trend in the industry is to log less client identifying data, not more.

I will take a look at what the trust store plugin could log to help.

[michaelklishin]

#15889 includes a [failure path] log message that includes

• Certificate fingerprint
• Issuer
• Validity