rabbitmq tls support needs tweaks for rabbitmq 3.9

Bug #1946374 reported by Michele Baldessari
Affects: tripleo | Status: Fix Released | Importance: High | Assigned to: Michele Baldessari

Bug Description

TLDR:
On TLS-E environments, erlang24, needed by rabbitmq 3.9 has https://github.com/erlang/otp/pull/4805 included. That will throw a warning every time rabbitmqctl talks to epmd/rabbitmq:
2021-09-29T21:49:01.925797679+00:00 stdout F Debug: /Stage[main]/Tripleo::Profile::Pacemaker::Rabbitmq_bundle/Exec[rabbitmq-ready]/unless: Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

We need to tweak a few things to fix this up. Namely the following needs to happen:
- Make sure rabbitmq and erlang use the fqdn hostnames
- Drop the old hardcoded ciphers default as now it is not needed any longer
- Move the ssl erlang options into a separate file
- Make sure the client uses verify_peer

Revision history for this message
Michele Baldessari (michele) wrote :
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/813260

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/813260
Committed: https://opendev.org/openstack/puppet-tripleo/commit/fdca31a2009a0aaf3f3ee9c5e30083ac59bf067f
Submitter: "Zuul (22348)"
Branch: master

commit fdca31a2009a0aaf3f3ee9c5e30083ac59bf067f
Author: Michele Baldessari <email address hidden>
Date: Fri Oct 8 23:25:38 2021 +0200

    Bind mount the IPA crt when internal_tls is enabled

    In order for later reviews to make use of the FreeIPA internal
    CA we need to first bind mount it within the container.

    We need to add a default in the hiera definition (/etc/ipa/ca.crt)
    in order to break a cyclic dependency on the subsequent patches.
    (THT child change will set the rabbitmq::ssl_cacert key)

    Related-Bug: #1946374
    Change-Id: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/812390
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/b5ae7f846719fd0b04d12d2bffd383df99e5c34b
Submitter: "Zuul (22348)"
Branch: master

commit b5ae7f846719fd0b04d12d2bffd383df99e5c34b
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 4 17:42:33 2021 +0200

    Switch to rabbitmq fqdn hostnames and pass proper CA info

    With this change we make sure that the 'RABBITMQ_NODENAME' is the fqdn
    and that we use it when connecting to the node itself via rabbitmqctl.
    We also make sure we set the CA to the one defined in the InternalTLSCAFile
    template parameter.

    Testing protocol is described in the parent change
    ("I4f853de3b532b3b5e71d29aa621a2925c3885393")

    Related-Bug: #1946374

    Depends-On: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
    Change-Id: I621557a037fbedc5c110f905dbe19290cc92b772

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/812401
Committed: https://opendev.org/openstack/puppet-tripleo/commit/1a42b83b40ee6f44b795f5ec222aa26c6eb8a4ed
Submitter: "Zuul (22348)"
Branch: master

commit 1a42b83b40ee6f44b795f5ec222aa26c6eb8a4ed
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 4 21:33:40 2021 +0200

    Modernize rabbitmq's TLS support

    The depend-on change switches rabbit's nodename to FQDN and adds
    the CA in the config. This puppet change does the following:
    1. Switches the default tls versions to 1.2 and 1.3
    2. Drops the old hard-coded cipher list that used to be needed to avoid
       falling back to tls 1.0
    3. Introduces a verify_peer_{client,server} parameter. The former is set
       to verify_peer by default, so that rabbitmq 3.9 does not emit
       warnings (see original LP description)
    4. Splits off all erlang ssl parameters to a separate file called
       /etc/rabbitmq/ssl-dist.conf. Reason for this is that it is cleaner
       and not all configurable items are supported by erlang as command
       line arguments. (In particular the ssl versions)
    5. Makes sure we pass the custom CA inside the HA bundle (this had to
       be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
       (Bind mount the IPA crt when internal_tls is enabled) for CI to pass
       on all reviews).

    Tested as follows:
    A. Deployed and ran tempest against a TLS-E overcloud that uses a
       rabbitmq 3.9 + erlang 24.1 stack
    B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672
       and 25672

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New
    00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
    New, (NONE), Cipher is (NONE)

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New
    depth=1 O = HOME.ARPA, CN = Certificate Authority
    verify return:1
    depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
    verify return:1
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New
    depth=1 O = HOME.ARPA, CN = Certificate Authority
    verify return:1
    depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
    verify return:1
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

    Closes-Bug: #1946374

    Co-Authored-By: John Eckersberg <email address hidden>

    Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772

    Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393
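As an added illustration (not code from this bug or from puppet-tripleo), the following Python renders the split-out erlang ssl option file from points 3 and 4 above and checks it for the exact inconsistency behind the warning quoted in the bug description (verify_peer with no cacertfile) and for legacy TLS versions. It assumes /etc/rabbitmq/ssl-dist.conf uses the Erlang -ssl_dist_optfile term format; the certificate paths are constructed placeholders.

```python
"""Render and sanity-check RabbitMQ's Erlang distribution TLS option file.

Assumption (not stated in the bug): /etc/rabbitmq/ssl-dist.conf uses the
Erlang -ssl_dist_optfile term format: [{server, Opts}, {client, Opts}].
"""
from dataclasses import dataclass, field
from typing import List, Optional

ALLOWED_VERSIONS = ("tlsv1.2", "tlsv1.3")  # policy from the fix: drop 1.0/1.1

@dataclass
class SslOpts:
    certfile: str
    keyfile: str
    cacertfile: Optional[str] = None     # trust anchor, e.g. /etc/ipa/ca.crt
    verify: str = "verify_peer"          # verify_peer | verify_none
    versions: List[str] = field(default_factory=lambda: list(ALLOWED_VERSIONS))

def render_opts(o: SslOpts) -> str:
    """Emit one side's option list as Erlang terms."""
    items = [f'{{certfile, "{o.certfile}"}}', f'{{keyfile, "{o.keyfile}"}}']
    if o.cacertfile:
        items.append(f'{{cacertfile, "{o.cacertfile}"}}')
    items.append(f"{{verify, {o.verify}}}")
    items.append("{versions, [" + ", ".join(f"'{v}'" for v in o.versions) + "]}")
    return "[" + ", ".join(items) + "]"

def render_ssl_dist(server: SslOpts, client: SslOpts) -> str:
    """Full file body; the trailing '.' terminates the Erlang term."""
    return f"[{{server, {render_opts(server)}}},\n {{client, {render_opts(client)}}}].\n"

def check_opts(role: str, o: SslOpts) -> List[str]:
    """Return findings for one side; an empty list means it is consistent."""
    findings = []
    # Exactly the inconsistency OTP 24 warns about: verify_peer with no trust anchor.
    if o.verify == "verify_peer" and not o.cacertfile:
        findings.append(f"{role}: Option {{verify, verify_peer}} and cacertfile/cacerts is missing")
    if o.verify == "verify_none":
        findings.append(f"{role}: verify_none skips peer certificate validation")
    legacy = [v for v in o.versions if v not in ALLOWED_VERSIONS]
    if legacy:
        findings.append(f"{role}: legacy TLS versions enabled: {legacy}")
    return findings

def check_ssl_dist(server: SslOpts, client: SslOpts) -> List[str]:
    return check_opts("server", server) + check_opts("client", client)
```

The client side is the one rabbitmqctl uses when it talks to the node, so it is the side that needs the cacertfile for the warning to go away.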

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/813572

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/813573

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/813558

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/813572
Committed: https://opendev.org/openstack/puppet-tripleo/commit/28135309d9b8eae604d3a5116866a625621e65a7
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 28135309d9b8eae604d3a5116866a625621e65a7
Author: Michele Baldessari <email address hidden>
Date: Fri Oct 8 23:25:38 2021 +0200

    Bind mount the IPA crt when internal_tls is enabled

    In order for later reviews to make use of the FreeIPA internal
    CA we need to first bind mount it within the container.

    We need to add a default in the hiera definition (/etc/ipa/ca.crt)
    in order to break a cyclic dependency on the subsequent patches.
    (THT child change will set the rabbitmq::ssl_cacert key)

    Related-Bug: #1946374
    Change-Id: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
    (cherry picked from commit fdca31a2009a0aaf3f3ee9c5e30083ac59bf067f)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/813573
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/ff3589786926992e0b822779f3c96b7d4e6c5cae
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit ff3589786926992e0b822779f3c96b7d4e6c5cae
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 4 17:42:33 2021 +0200

    Switch to rabbitmq fqdn hostnames and pass proper CA info

    With this change we make sure that the 'RABBITMQ_NODENAME' is the fqdn
    and that we use it when connecting to the node itself via rabbitmqctl.
    We also make sure we set the CA to the one defined in the InternalTLSCAFile
    template parameter.

    Testing protocol is described in the parent change
    ("I4f853de3b532b3b5e71d29aa621a2925c3885393")

    Related-Bug: #1946374

    Depends-On: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
    Change-Id: I621557a037fbedc5c110f905dbe19290cc92b772
    (cherry picked from commit b5ae7f846719fd0b04d12d2bffd383df99e5c34b)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/813558
Committed: https://opendev.org/openstack/puppet-tripleo/commit/7892097e8fa13e2b07390a7152449cd3b7c704f2
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 7892097e8fa13e2b07390a7152449cd3b7c704f2
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 4 21:33:40 2021 +0200

    Modernize rabbitmq's TLS support

    The depend-on change switches rabbit's nodename to FQDN and adds
    the CA in the config. This puppet change does the following:
    1. Switches the default tls versions to 1.2 and 1.3
    2. Drops the old hard-coded cipher list that used to be needed to avoid
       falling back to tls 1.0
    3. Introduces a verify_peer_{client,server} parameter. The former is set
       to verify_peer by default, so that rabbitmq 3.9 does not emit
       warnings (see original LP description)
    4. Splits off all erlang ssl parameters to a separate file called
       /etc/rabbitmq/ssl-dist.conf. Reason for this is that it is cleaner
       and not all configurable items are supported by erlang as command
       line arguments. (In particular the ssl versions)
    5. Makes sure we pass the custom CA inside the HA bundle (this had to
       be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
       (Bind mount the IPA crt when internal_tls is enabled) for CI to pass
       on all reviews).

    Tested as follows:
    A. Deployed and ran tempest against a TLS-E overcloud that uses a
       rabbitmq 3.9 + erlang 24.1 stack
    B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672
       and 25672

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New
    00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
    New, (NONE), Cipher is (NONE)

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New
    depth=1 O = HOME.ARPA, CN = Certificate Authority
    verify return:1
    depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
    verify return:1
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

    [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New
    depth=1 O = HOME.ARPA, CN = Certificate Authority
    verify return:1
    depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
    verify return:1
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

    Closes-Bug: #1946374

    Co-Authored-By: John Eckersberg <email address hidden>

    Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772

    Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 16.0.0

This issue was fixed in the openstack/puppet-tripleo 16.0.0 release.
