Description
As the script does not persist ERL_SSL_PATH, RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS or RABBITMQ_CTL_ERL_ARGS, they have to be set in a subshell for use with rabbitmqctl.
But when trying to see the status, it crashes with SSL-related messages (which I cannot decipher).
Certificates were created following the instructions from the RabbitMQ website.
Installing the CA in the machine/container does not help either.
Running the rabbitmq server as root solves the issue, but is far from optimal.
I've made a script so you can watch it die 😀
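#!/bin/bash
# Reproducer: build a throwaway test CA and one server certificate under the
# current directory (./testca, ./server), start a rabbitmq:3-management
# container with those files mounted, then run `rabbitmqctl status` with the
# TLS distribution arguments set in the exec'd shell.
#
# Requires: openssl, docker. All key material is test-only; do not reuse it.
set -euo pipefail

# --- test CA ---------------------------------------------------------------
mkdir testca
cd testca || exit 1
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt
# NOTE(review): default_md = sha1 is kept as in the original report. SHA-1
# certificate signatures are deprecated and newer OpenSSL/Erlang builds may
# refuse them; use sha256 unless SHA-1 is needed to reproduce the issue.
cat > "openssl.cnf" <<EOF
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = testca_policy
x509_extensions = certificate_extensions
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
# Self-signed CA certificate plus its key (written to ./private/cakey.pem by
# the [ req ] section above).
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
  -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..
ls

# --- server key and certificate --------------------------------------------
mkdir server
cd server || exit 1
openssl genrsa -out key.pem 2048
# NOTE(review): the CN is the hostname of the machine running this script,
# while the container below is started with -h my.long.host.tld. The two
# differ; this only matters if the peer verifies the certificate hostname.
openssl req -new -key key.pem -out req.pem -outform PEM \
  -subj "/CN=$(hostname)/O=server/" -nodes
cd ../testca || exit 1
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem \
  -notext -batch -extensions server_ca_extensions
cd ..
ls
cp testca/cacert.pem server/cacert.pem

# --- container -------------------------------------------------------------
CWD=$(pwd)
# The Erlang cookie is a throwaway value for this reproducer. Passed via -e it
# is visible in `docker inspect` and the process list, so never reuse it.
ID=$(docker run -d --name dyingrabbit \
  -v "$CWD/server:/usr/local/share/certificates" \
  -e RABBITMQ_ERLANG_COOKIE=muchsecret \
  -e RABBITMQ_SSL_CERT_FILE=/usr/local/share/certificates/cert.pem \
  -e RABBITMQ_SSL_KEY_FILE=/usr/local/share/certificates/key.pem \
  -e RABBITMQ_SSL_CA_FILE=/usr/local/share/certificates/cacert.pem \
  -e RABBITMQ_USE_LONGNAME=true \
  -h my.long.host.tld \
  rabbitmq:3-management)
# Fixed delay instead of a readiness check; may be too short on a slow host.
sleep 5
docker logs "$ID"
# The exec'd shell sets the TLS distribution arguments itself because the
# image entrypoint does not export them for rabbitmqctl. The ssl-7.1 ebin path
# and /tmp/combined.pem are assumed to exist inside the image -- TODO confirm.
# Capture the exit status instead of aborting so the final logs still print.
rv=0
docker exec "$ID" bash -c "export ERL_SSL_PATH=\"/usr/lib/erlang/lib/ssl-7.1/ebin\" && export RABBITMQ_CTL_ERL_ARGS=\"-pa '/usr/lib/erlang/lib/ssl-7.1/ebin' -proto_dist inet_tls -ssl_dist_opt server_certfile /tmp/combined.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true\" && rabbitmqctl status" || rv=$?
printf 'rabbitmqctl status exited with %d\n' "$rv" >&2
docker logs "$ID"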
The intention is to enable a 3-machine cluster communicating over SSL.