RabbitMQ cannot read the SSL private key
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Low | Major Hayden |
Kilo | Fix Released | Low | Major Hayden |
Trunk | Fix Released | Low | Major Hayden |
Bug Description
When SSL is enabled with RabbitMQ, it can't read its own private key due to directory permissions. Error from RabbitMQ:
Error on AMQP connection <0.405.0>:
{ssl_upgrade_
The directory permissions are too restrictive to allow the rabbitmq user to access the files in /etc/ssl/private:
rabbitmq@
total 44
drwxr-xr-x 4 root root 4096 Jun 12 13:46 .
drwxr-xr-x 73 root root 4096 Oct 16 05:31 ..
drwxr-xr-x 2 root root 20480 Oct 16 05:30 certs
-rw-r--r-- 1 root root 10835 Apr 7 2014 openssl.cnf
drwx--S--- 2 root root 4096 Oct 16 05:30 private
Changing the ownership of /etc/ssl/private or adjusting its permissions doesn't sound like a great idea. Would it make sense to store the certificate and key within /etc/rabbitmq and make both owned and readable by the RabbitMQ user?
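Added example (not part of the original report or of the OpenStack-Ansible code): a small diagnostic that walks the path to a key file and reports the first component whose mode bits stop a given user, which is the check that fails at /etc/ssl/private in the listing above. The function names and the `stat_fn` parameter are illustrative; only the classic owner/group/other bits are modelled, not ACLs or MAC policy.

```python
import os
import stat
from pathlib import Path


def may(st, uid, gids, bit_owner, bit_group, bit_other):
    """Apply the owner/group/other check for one permission class."""
    if uid == 0:
        return True  # root bypasses mode bits (ACLs/MAC are not modelled)
    if st.st_uid == uid:
        return bool(st.st_mode & bit_owner)
    if st.st_gid in gids:
        return bool(st.st_mode & bit_group)
    return bool(st.st_mode & bit_other)


def first_blocker(key_path, uid, gids, stat_fn=os.stat):
    """Return (path, reason) for the first component that stops `uid`
    from reading key_path, or None if the mode bits allow the read."""
    key = Path(os.path.abspath(key_path))
    # Every ancestor directory needs the search (x) bit, checked root first.
    for directory in reversed(key.parents):
        st = stat_fn(directory)
        if not may(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return str(directory), "no search (x) permission on directory"
    # Only once every directory is traversable do the file's own bits matter.
    st = stat_fn(key)
    if not may(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return str(key), "no read (r) permission on file"
    return None


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: python3 this_script.py <user> <path to key file>
    user = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    print(first_blocker(sys.argv[2], user.pw_uid, gids) or "readable")
```

Because the directory is checked before the file, loosening the key file's own mode does nothing while /etc/ssl/private stays root-only.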
Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Fix proposed to branch: master
Review: https://review.openstack.org/236061