Solving the PHP/SSL Connection to RabbitMQ Handshake Failure

I need to connect securely to RabbitMQ using a PHP client.  I configured my rabbitMQ server to support SSL connection by following the set-up guide and then successfully performed all diagnostic tests and validated that my cert/key set-up was working.

Connecting via PHP to the Rabbit service continued to fail with the following errors being reported in my rabbitMQ log file:

=ERROR REPORT==== 18-Mar-2015::07:10:02 ===
SSL: certify: ssl_connection.erl:370:Fatal error: handshake failure

=ERROR REPORT==== 18-Mar-2015::07:10:07 ===
Error on AMQP connection <0.316.0>:
{ssl_upgrade_error,{tls_alert,"handshake failure"}}

I have the following rabbitmq.config configuration to require client certs and to establish the chain of trust to the cert.  Also, I'm allowing PLAIN, AMQPLAIN and EXTERNAL authentications:

%% sets-up SSL while disabling SSLv3.0 and TLSv1.0 support
        {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
        {rabbit, [
                  {ssl_listeners, [5671]},
                  {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
                  {ssl_options, [{cacertfile,"/etc/rabbitmq/rmqca/cacert.pem"},
                                 {versions,['tlsv1.2', 'tlsv1.1']}

Still, I was unable to get past the handshake failure which was the more frustrating because using the stunnel test, I was able to see my requests to establish a connection succeed.

Then I found this message on videlalvaro's github page where he wrote that the PHP client requires  a single key-cert file as shown in his demo file.

Once I cat'd the two files into a single file and referenced them in my code as he recommended, I was able to establish a secure connection to my broker.

# cd /etc/rabbitmq/client
# cat key.pem cert.pem > key-cert.pem

Don't forget to add pre-checks in your PHP code to ensure that all your cert files are accessible to the application's executing user.