rabbitmq_wait_bundle fails with tls everywhere

Bug #1988578 reported by Cristian Le
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | New | Undecided | Unassigned | |

Bug Description

Issues observed:
```
attempted to contact: ['<email address hidden>']

<email address hidden>:
  * connected to epmd (port 4369) on controller-0.internalapi.openstack.lab
  * epmd reports node 'rabbit' uses port 25672 for inter-node and CLI tool traffic
  * TCP connection succeeded but Erlang distribution failed
  * suggestion: check if the Erlang cookie is identical for all server nodes and CLI tools
  * suggestion: check if all server nodes and CLI tools use consistent hostnames when addressing each other
  * suggestion: check if inter-node connections may be configured to use TLS. If so, all nodes and CLI tools must do that
  * suggestion: see the CLI, clustering and networking guides on https://rabbitmq.com/documentation.html to learn more

Current node details:
 * node name: '<email address hidden>'
 * effective user's home directory: /var/lib/rabbitmq
 * Erlang cookie hash: 1xqFdVcqzTUaFcPMx3776g==
Error: /Stage[main]/Tripleo::Profile::Pacemaker::Rabbitmq_bundle/Rabbitmq_policy[ha-all@/]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/rabbitmqctl set_policy -p / --priority 0 --apply-to queues ha-all ^(?!amq\.).* {"ha-mode":"exactly","ha-params":1,"ha-promote-on-shutdown":"always"}' returned 69: Error: unable to perform an operation on node '<email address hidden>'. Please see diagnostics information and suggestions below.
```

/var/log/container/rabbitmq shows issues of:
```
2022-09-02 14:27:45.921882+00:00 [notice] <0.996.0> TLS server: In state hello at tls_record.erl:564 generated SERVER ALERT: Fatal - Unexpected Message
2022-09-02 14:27:45.921882+00:00 [notice] <0.996.0> - {unsupported_record_type,0}
2022-09-02 14:27:45.930729+00:00 [notice] <0.1000.0> TLS server: In state hello at tls_record.erl:564 generated SERVER ALERT: Fatal - Unexpected Message
2022-09-02 14:27:45.930729+00:00 [notice] <0.1000.0> - {unsupported_record_type,0}
2022-09-02 14:27:50.600426+00:00 [notice] <0.1027.0> TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Expired
2022-09-02 14:27:50.600426+00:00 [notice] <0.1027.0>
2022-09-02 14:27:50.619942+00:00 [notice] <0.1031.0> TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Expired
2022-09-02 14:27:50.619942+00:00 [notice] <0.1031.0>
```

Cristian Le (lecris) wrote:

I have found the cause of the issue:

In `/etc/ipa/ca.crt`, if you have an expired (intermediate) CA certificate (probably higher in the chain) with the same name as your current (intermediate) CA certificate, it seems to be using the expired one. Thus the "Certificate Expired" is referring to the CA certificate being expired, not the client.

I am not sure if this is to be fixed upstream in rabbitmq, or whether a fail-safe that copies only the relevant non-expired certificates should be implemented here. It does not affect anything else but rabbitmq, but it might be a good fail-safe.
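
A way to check a CA bundle for the condition described in the comment above, as an added example (not TripleO, FreeIPA or RabbitMQ code): it lists certificates that are expired while another certificate with the same subject DN in the same bundle is still valid. The function name `shadowed_cas` and the optional look-ahead window, which goes slightly beyond the report by also flagging certificates about to expire, are assumptions of this example; it requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example: find expired CA certificates in a PEM bundle that share their
# subject DN with a still-valid certificate in the same bundle.
# Usage: shadowed_cas /etc/ipa/ca.crt [window_seconds]
# Output: one line per hit, "<subject DN><TAB><notAfter>"

shadowed_cas() {
    bundle=$1
    window=${2:-0}    # 0 = already expired; N = expires within N seconds
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate, ignoring text between them.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    # Build an index: STATE<TAB>subject<TAB>notAfter, one line per certificate.
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 |
                  sed 's/^subject= *//')
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits 0 when the certificate is still valid after $window.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            state=VALID
        else
            state=EXPIRED
        fi
        printf '%s\t%s\t%s\n' "$state" "$subject" "$end"
    done > "$tmp/index.tsv"

    # First pass collects subjects that have a valid certificate; second pass
    # prints expired certificates carrying one of those subjects.
    awk -F '\t' '
        NR == FNR { if ($1 == "VALID") ok[$2] = 1; next }
        $1 == "EXPIRED" && ($2 in ok) { print $2 "\t" $3 }
    ' "$tmp/index.tsv" "$tmp/index.tsv"

    rm -rf "$tmp"
}
```

Empty output means no subject in the bundle has both an expired and a valid certificate.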
