RabbitMQ cannot read the SSL private key

Bug #1506992 reported by Major Hayden
Affects             Status        Importance  Assigned to   Milestone
OpenStack-Ansible   Fix Released  Low         Major Hayden
  Kilo              Fix Released  Low         Major Hayden
  Trunk             Fix Released  Low         Major Hayden

Bug Description

When SSL is enabled with RabbitMQ, it can't read its own private key due to directory permissions. Error from RabbitMQ:

Error on AMQP connection <0.405.0>:
{ssl_upgrade_error,{options,{keyfile,"/etc/ssl/private/rabbitmq.key",
                                     {error,eacces}}}}

The directory permissions are too restrictive to allow the rabbitmq user to access the files in /etc/ssl/private:

rabbitmq@aio1_rabbit_mq_container-21a2a80d:~$ ls -al /etc/ssl
total 44
drwxr-xr-x 4 root root 4096 Jun 12 13:46 .
drwxr-xr-x 73 root root 4096 Oct 16 05:31 ..
drwxr-xr-x 2 root root 20480 Oct 16 05:30 certs
-rw-r--r-- 1 root root 10835 Apr 7 2014 openssl.cnf
drwx--S--- 2 root root 4096 Oct 16 05:30 private

Changing the ownership of /etc/ssl/private or adjusting its permissions doesn't sound like a great idea. Would it make sense to store the certificate and key within /etc/rabbitmq and make both owned and readable by the RabbitMQ user?

Tags: in-kilo
Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/236061

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/236061
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=5ea3dba04e44dfc970eab6225b6b26d3fb45d14d
Submitter: Jenkins
Branch: master

commit 5ea3dba04e44dfc970eab6225b6b26d3fb45d14d
Author: Major Hayden <email address hidden>
Date: Fri Oct 16 14:19:18 2015 -0500

    Store RabbitMQ cert/key in config dir

    Storing rabbit's private key in /etc/ssl/private causes problems since that
    directory (and the files within it) can only be accessed by root on Ubuntu
    systems. Storing the key within the RabbitMQ configuration directory would
    allow the key to be read by the 'rabbitmq' user.

    The key can also be set to mode 0600 as well by moving its location and
    changing it to be owned by the rabbitmq user.

    Closes-bug: 1506992

    Change-Id: Iede0748b57a86b33879d759505dd8f80476b574c

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/236728

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/236731

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/236728
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=6c669034f3af346ab3f29f1f881d873a8a1d5079
Submitter: Jenkins
Branch: kilo

commit 6c669034f3af346ab3f29f1f881d873a8a1d5079
Author: Major Hayden <email address hidden>
Date: Fri Oct 16 14:19:18 2015 -0500

    Store RabbitMQ cert/key in config dir

    Storing rabbit's private key in /etc/ssl/private causes problems since that
    directory (and the files within it) can only be accessed by root on Ubuntu
    systems. Storing the key within the RabbitMQ configuration directory would
    allow the key to be read by the 'rabbitmq' user.

    The key can also be set to mode 0600 as well by moving its location and
    changing it to be owned by the rabbitmq user.

    Closes-bug: 1506992

    Change-Id: Iede0748b57a86b33879d759505dd8f80476b574c
    (cherry picked from commit 5ea3dba04e44dfc970eab6225b6b26d3fb45d14d)

tags: added: in-kilo
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/236731
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=d7031f954de7d73a96c303aed8b6e1f4441c03b0
Submitter: Jenkins
Branch: master

commit d7031f954de7d73a96c303aed8b6e1f4441c03b0
Author: Major Hayden <email address hidden>
Date: Sun Oct 18 14:00:31 2015 -0500

    Additional RabbitMQ SSL fixes

    This patch fixes two problems with RabbitMQ's SSL/TLS listener.

    * When self-signed certificates are used, the CA cert isn't created, but it's
      included with the RabbitMQ server config anyway (bug 1507364).

    * Self-signed certificates are owned by root within RabbitMQ's configuration
      directory and are unreadable by RabbitMQ. User-provided certificates aren't
      affected (bug 1506992).

    Closes-bug: 1506992
    Closes-bug: 1507364

    Change-Id: If4f6a325eea4772f2fad4604785241b67adfaaf6

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/237431
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=79a159df84710427083a81c2c66c475c3673db0c
Submitter: Jenkins
Branch: kilo

commit 79a159df84710427083a81c2c66c475c3673db0c
Author: Major Hayden <email address hidden>
Date: Sun Oct 18 14:00:31 2015 -0500

    Additional RabbitMQ SSL fixes

    This patch fixes two problems with RabbitMQ's SSL/TLS listener.

    * When self-signed certificates are used, the CA cert isn't created, but it's
      included with the RabbitMQ server config anyway (bug 1507364).

    * Self-signed certificates are owned by root within RabbitMQ's configuration
      directory and are unreadable by RabbitMQ. User-provided certificates aren't
      affected (bug 1506992).

    Closes-bug: 1506992
    Closes-bug: 1507364

    Change-Id: If4f6a325eea4772f2fad4604785241b67adfaaf6
    (cherry picked from commit d7031f954de7d73a96c303aed8b6e1f4441c03b0)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/238900

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/239115

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/238900
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=f665acc796de676a5492d24fb916ed6de765c714
Submitter: Jenkins
Branch: master

commit f665acc796de676a5492d24fb916ed6de765c714
Author: Hugh Saunders <email address hidden>
Date: Fri Oct 23 13:18:55 2015 +0100

    Remove dir_mode from rabbit key distribution

    Setting dir_mode to 0750 prevents rabbit from reading /etc/rabbitmq as
    the owner and group are root.

    This patch removes the dir_mode parameter so that the memcached module's
    default of 0755 is used.

    Closes-Bug #1506992

    Change-Id: I3936a6bf181e3cf3f22b712d16d9181017f949cd

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/239115
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=52a644757031ee7e65d5399611e5d020686f98f0
Submitter: Jenkins
Branch: kilo

commit 52a644757031ee7e65d5399611e5d020686f98f0
Author: Hugh Saunders <email address hidden>
Date: Fri Oct 23 13:18:55 2015 +0100

    Remove dir_mode from rabbit key distribution

    Setting dir_mode to 0750 prevents rabbit from reading /etc/rabbitmq as
    the owner and group are root.

    This patch removes the dir_mode parameter so that the memcached module's
    default of 0755 is used.

    Closes-Bug #1506992

    Change-Id: I3936a6bf181e3cf3f22b712d16d9181017f949cd
    (cherry picked from commit f665acc796de676a5492d24fb916ed6de765c714)
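Added example, not from the bug report or the openstack-ansible code: a permission walk that decides, from mode bits alone, whether the rabbitmq user can open its key, and replays the layouts this bug went through (the root-owned drwx--S--- /etc/ssl/private from the description, the root-owned 0750 /etc/rabbitmq from the dir_mode commit, and the final 0755 directory with a rabbitmq-owned 0600 key). The uid/gid 999 for rabbitmq and the 0600 mode of the original key under /etc/ssl/private are assumptions; the trees are constructed sample data.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result: constructed sample data, not openstack-ansible code.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")
ROOT, RABBIT = 0, 999  # 999 is an assumed uid/gid for the rabbitmq user

def _allowed(st, uid, gid, ubit, gbit, obit):
    """Classic Unix class check: owner bits if uid matches, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid == gid:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def ancestors(path):
    """'/etc/ssl/private/k' -> ['/', '/etc', '/etc/ssl', '/etc/ssl/private']."""
    parts = os.path.abspath(path).split("/")
    return ["/"] + ["/".join(parts[:i + 1]) for i in range(1, len(parts) - 1)]

def explain_key_access(key_path, uid, gid, stat_fn=os.stat):
    """Return (ok, reason): can a (uid, gid) principal open key_path for reading?
    Decided from mode bits alone, the same test the kernel applies before EACCES,
    so the verdict does not change when this script itself runs as root."""
    for d in ancestors(key_path):
        st = stat_fn(d)
        if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "%s (mode %o, %d:%d) denies search to %d:%d" % (
                d, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid)
    st = stat_fn(key_path)
    if not _allowed(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, "%s (mode %o, %d:%d) denies read to %d:%d" % (
            key_path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid)
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):  # readable, but leaky
        return True, "readable, but mode %o exposes the key beyond its owner" % stat.S_IMODE(st.st_mode)
    return True, "ok"

def check_layout(conf_dir, dir_mode, dir_owner, key_mode, key_owner):
    """Constructed tree: /, /etc and /etc/ssl as 0755 root, then conf_dir and
    conf_dir/rabbitmq.key with the given mode and owner, tested as rabbitmq."""
    tree = {p: FakeStat(stat.S_IFDIR | 0o755, ROOT, ROOT) for p in ("/", "/etc", "/etc/ssl")}
    tree[conf_dir] = FakeStat(stat.S_IFDIR | dir_mode, dir_owner, dir_owner)
    tree[conf_dir + "/rabbitmq.key"] = FakeStat(stat.S_IFREG | key_mode, key_owner, key_owner)
    return explain_key_access(conf_dir + "/rabbitmq.key", RABBIT, RABBIT, tree.__getitem__)

if __name__ == "__main__":
    print(check_layout("/etc/ssl/private", 0o2700, ROOT, 0o600, ROOT))  # original report
    print(check_layout("/etc/rabbitmq", 0o750, ROOT, 0o600, RABBIT))    # dir_mode 0750 regression
    print(check_layout("/etc/rabbitmq", 0o755, ROOT, 0o600, RABBIT))    # final layout
```

To audit a live host, call explain_key_access with the real path and the rabbitmq uid/gid and leave stat_fn at its os.stat default; the check looks only at mode bits, so POSIX ACLs or a MAC policy such as AppArmor can still deny what it reports as ok.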

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.15

This issue was fixed in the openstack/openstack-ansible 11.2.15 release.
