Fix TLS CA certificate not being applied to HTTP client #689

Workflow file for this run

	name: CI

	on:
	push:
	paths:
	- ".github/workflows/ci.yaml"
	- ".config/nextest.toml"
	- "src/**"
	- "tests/**"
	- "Cargo.toml"
	- "Cargo.lock"
	pull_request: {}

	env:
	RUSTFLAGS: -D warnings
	CARGO_TERM_COLOR: always
	TEST_STATS_DELAY: 5000

	jobs:
	lint:
	name: Lint
	strategy:
	matrix:
	runner:
	- "ubuntu-22.04"
	- "ubuntu-24.04"
	runs-on: ${{ matrix.runner }}

	steps:
	- uses: actions/checkout@v6
	- uses: dtolnay/rust-toolchain@stable
	with:
	components: rustfmt, clippy

	- name: Lint (clippy)
	run: cargo clippy

	- name: Lint (rustfmt)
	run: cargo fmt --all --check

	build:
	name: Non-TLS tests
	strategy:
	matrix:
	rabbitmq-series:
	- "4.0"
	- "4.1"
	- "4.2"
	rust-version:
	- stable
	- beta
	runner:
	- "ubuntu-22.04"
	- "ubuntu-24.04"
	# - "ubuntu-24.04-arm"
	runs-on: ${{ matrix.runner }}

	services:
	rabbitmq:
	image: rabbitmq:${{ matrix.rabbitmq-series }}-management
	ports:
	- 15672:15672
	- 5672:5672

	steps:
	- uses: actions/checkout@v6
	- name: Setup Rust
	uses: dtolnay/rust-toolchain@stable
	with:
	toolchain: ${{ matrix.rust-version }}

	- uses: taiki-e/install-action@nextest

	- name: Wait for node to start booting
	run: sleep 15

	- name: Configure broker
	run: RUST_HTTP_API_CLIENT_RABBITMQCTL=DOCKER:${{job.services.rabbitmq.id}} bin/ci/before_build.sh

	- name: Run tests
	run: RUST_BACKTRACE=1 NEXTEST_RETRIES=2 cargo nextest run --workspace --no-fail-fast --all-features

	tls-tests:
	name: TLS tests
	strategy:
	matrix:
	rabbitmq-series:
	- "4.0"
	- "4.1"
	- "4.2"
	rust-version:
	- stable
	runner:
	- "ubuntu-22.04"
	- "ubuntu-24.04"
	- "ubuntu-24.04-arm"
	runs-on: ${{ matrix.runner }}

	steps:
	- uses: actions/checkout@v6

	- name: Setup Rust
	uses: dtolnay/rust-toolchain@stable
	with:
	toolchain: ${{ matrix.rust-version }}

	- uses: taiki-e/install-action@nextest

	- name: Clone tls-gen
	run: git clone --depth 1 https://github.com/rabbitmq/tls-gen.git target/tls-gen

	- name: Generate TLS certificates
	run: \|
	cd target/tls-gen/basic
	make CN=localhost

	- name: Create certs directory
	run: mkdir -p tests/tls/certs

	- name: Copy certificates
	run: \|
	cp target/tls-gen/basic/result/ca_certificate.pem tests/tls/certs/
	cp target/tls-gen/basic/result/server_localhost_certificate.pem tests/tls/certs/server_certificate.pem
	cp target/tls-gen/basic/result/server_localhost_key.pem tests/tls/certs/server_key.pem
	cp target/tls-gen/basic/result/client_localhost_certificate.pem tests/tls/certs/client_certificate.pem
	cp target/tls-gen/basic/result/client_localhost_key.pem tests/tls/certs/client_key.pem
	chmod o+r tests/tls/certs/*
	chmod g+r tests/tls/certs/*

	- name: Create RabbitMQ TLS configuration
	run: \|
	cat > tests/tls/certs/rabbitmq.conf << 'EOF'
	management.ssl.port = 15671
	management.ssl.cacertfile = /certs/ca_certificate.pem
	management.ssl.certfile = /certs/server_certificate.pem
	management.ssl.keyfile = /certs/server_key.pem
	management.tcp.port = 15672
	loopback_users = none
	EOF
	sed -i 's/^[[:space:]]*//' tests/tls/certs/rabbitmq.conf
	echo "Generated config:"
	cat tests/tls/certs/rabbitmq.conf
	echo -n "rabbitmq-test-cookie" > tests/tls/certs/.erlang.cookie
	chmod 600 tests/tls/certs/.erlang.cookie

	- name: Start RabbitMQ with TLS
	run: \|
	docker run -d --name rabbitmq-tls \
	-p 15671:15671 \
	-p 15672:15672 \
	-p 5672:5672 \
	-v ${{ github.workspace }}/tests/tls/certs/.erlang.cookie:/var/lib/rabbitmq/.erlang.cookie \
	-v ${{ github.workspace }}/tests/tls/certs:/certs:ro \
	-v ${{ github.workspace }}/tests/tls/certs/rabbitmq.conf:/etc/rabbitmq/conf.d/10-tls.conf:ro \
	rabbitmq:${{ matrix.rabbitmq-series }}-management

	- name: Wait for RabbitMQ to start
	run: \|
	for i in $(seq 1 30); do
	if docker exec rabbitmq-tls rabbitmqctl await_startup --timeout 60; then
	echo "RabbitMQ is ready"
	exit 0
	fi
	echo "Waiting for container... ($i/30)"
	sleep 2
	done
	echo "RabbitMQ failed to start. Container logs:"
	docker logs rabbitmq-tls
	exit 1

	- name: Verify TLS listener
	run: \|
	docker exec rabbitmq-tls rabbitmq-diagnostics listeners
	echo "Checking if TLS port 15671 is listening..."
	docker exec rabbitmq-tls rabbitmq-diagnostics listeners \| grep -E "15671\|ssl" \|\| echo "Note: TLS listener output"

	- name: Debug TLS certificates
	run: \|
	echo "=== CA Certificate ==="
	openssl x509 -in tests/tls/certs/ca_certificate.pem -noout -subject -issuer
	echo "=== Server Certificate ==="
	openssl x509 -in tests/tls/certs/server_certificate.pem -noout -subject -issuer
	echo "=== Verify server cert against CA ==="
	openssl verify -CAfile tests/tls/certs/ca_certificate.pem tests/tls/certs/server_certificate.pem
	echo "=== Test TLS connection with curl ==="
	curl -v --cacert tests/tls/certs/ca_certificate.pem https://localhost:15671/api/overview -u guest:guest 2>&1 \| head -30 \|\| true
	echo "=== Certificate file permissions ==="
	ls -la tests/tls/certs/

	- name: Configure broker
	run: \|
	docker exec rabbitmq-tls rabbitmqctl add_vhost / \|\| true
	docker exec rabbitmq-tls rabbitmqctl add_user guest guest \|\| true
	docker exec rabbitmq-tls rabbitmqctl set_permissions -p / guest "." "." ".*"

	- name: Run TLS tests
	run: \|
	TLS_CERTS_DIR=${{ github.workspace }}/tests/tls/certs \
	RUST_BACKTRACE=1 \
	cargo nextest run -E 'binary(tls_tests)' --run-ignored=only --no-fail-fast

	- name: Stop RabbitMQ container
	if: always()
	run: docker stop rabbitmq-tls && docker rm rabbitmq-tls \|\| true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix TLS CA certificate not being applied to HTTP client #689

Workflow file

Fix TLS CA certificate not being applied to HTTP client #689

Uh oh!

Jobs

Run details

Workflow file for this run