Don't add CA certs to RabbitMQ config unless they exist

Bug #1507364 reported by Major Hayden
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack-Ansible | Fix Released | Low | Major Hayden | |
| Kilo | Fix Released | Low | Major Hayden | |
| Trunk | Fix Released | Low | Major Hayden | |

Bug Description

CA certificates aren't generated for RabbitMQ when the self-signed certificate option is used. This causes SSL connections to RabbitMQ to fail.

We should probably only set the CA certificate path in the RabbitMQ configuration file if the user has explicitly provided one.

The error looks like:

=ERROR REPORT==== 18-Oct-2015::18:48:37 ===
Error on AMQP connection <0.1884.0>:
{ssl_upgrade_error,
    {options,{cacertfile,"/etc/rabbitmq/rabbitmq-ca.pem",{error,enoent}}}}

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/236731

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/236731
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=d7031f954de7d73a96c303aed8b6e1f4441c03b0
Submitter: Jenkins
Branch: master

commit d7031f954de7d73a96c303aed8b6e1f4441c03b0
Author: Major Hayden <email address hidden>
Date: Sun Oct 18 14:00:31 2015 -0500

    Additional RabbitMQ SSL fixes

    This patch fixes two problems with RabbitMQ's SSL/TLS listener.

    * When self-signed certificates are used, the CA cert isn't created, but it's
      included with the RabbitMQ server config anyway (bug 1507364).

    * Self-signed certificates are owned by root within RabbitMQ's configuration
      directory and are unreadable by RabbitMQ. User-provided certificates aren't
      affected (bug 1506992).

    Closes-bug: 1506992
    Closes-bug: 1507364

    Change-Id: If4f6a325eea4772f2fad4604785241b67adfaaf6

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/237431
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=79a159df84710427083a81c2c66c475c3673db0c
Submitter: Jenkins
Branch: kilo

commit 79a159df84710427083a81c2c66c475c3673db0c
Author: Major Hayden <email address hidden>
Date: Sun Oct 18 14:00:31 2015 -0500

    Additional RabbitMQ SSL fixes

    This patch fixes two problems with RabbitMQ's SSL/TLS listener.

    * When self-signed certificates are used, the CA cert isn't created, but it's
      included with the RabbitMQ server config anyway (bug 1507364).

    * Self-signed certificates are owned by root within RabbitMQ's configuration
      directory and are unreadable by RabbitMQ. User-provided certificates aren't
      affected (bug 1506992).

    Closes-bug: 1506992
    Closes-bug: 1507364

    Change-Id: If4f6a325eea4772f2fad4604785241b67adfaaf6
    (cherry picked from commit d7031f954de7d73a96c303aed8b6e1f4441c03b0)
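
A preflight check for the two failure modes named in the bug description and in the commit message (a `cacertfile` path that points at a file that was never created, and certificate files the RabbitMQ user cannot read), as an added example that is not part of the original report or of the openstack-ansible code. The function names, the uid/gid parameters and the sample config are assumptions made for illustration; only the `cacertfile` option name and the `enoent` error come from the page.

```python
import os
import re
import stat
import tempfile

# File-path options inside an Erlang-terms ssl_options list,
# e.g. {cacertfile,"/etc/rabbitmq/rabbitmq-ca.pem"}.
TLS_OPT = re.compile(r'\{\s*(cacertfile|certfile|keyfile)\s*,\s*"([^"]+)"\s*\}')

def readable_by(st, uid, gids):
    """True if the mode bits grant read access to uid/gids.
    Ignores ACLs and the permissions of parent directories."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_tls_files(config_text, uid, gids):
    """Return {option: problem} for each TLS file option the broker could not load."""
    problems = {}
    for opt, path in TLS_OPT.findall(config_text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems[opt] = "enoent"      # bug 1507364: path configured, file never created
            continue
        if not readable_by(st, uid, gids):
            problems[opt] = "unreadable"  # bug 1506992: e.g. a root-owned 0600 file
    return problems

def demo():
    """Constructed sample: cert world-readable, key owner-only, CA file absent."""
    d = tempfile.mkdtemp()
    cert, key, ca = (os.path.join(d, n)
                     for n in ("rabbitmq.pem", "rabbitmq.key", "rabbitmq-ca.pem"))
    for path, mode in ((cert, 0o644), (key, 0o600)):
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real PEM\n")
        os.chmod(path, mode)
    cfg = ('[{rabbit, [{ssl_options, [{cacertfile,"%s"},{certfile,"%s"},'
           '{keyfile,"%s"}]}]}].' % (ca, cert, key))
    # Evaluate as a uid that does not own the files (stand-in for the rabbitmq user).
    service_uid = os.stat(key).st_uid + 1
    return check_tls_files(cfg, service_uid, set())

if __name__ == "__main__":
    print(demo())
```

On a real host the config text would be read from the rendered RabbitMQ config file and the uid/gids taken from the account the broker runs as.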

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.15

This issue was fixed in the openstack/openstack-ansible 11.2.15 release.
