rabbitmq_wait_bundle fails with tls everywhere
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | New | Undecided | Unassigned | |
Bug Description
Issues observed:
```
attempted to contact: ['<email address hidden>']
<email address hidden>:
* connected to epmd (port 4369) on controller-
* epmd reports node 'rabbit' uses port 25672 for inter-node and CLI tool traffic
* TCP connection succeeded but Erlang distribution failed
* suggestion: check if the Erlang cookie is identical for all server nodes and CLI tools
* suggestion: check if all server nodes and CLI tools use consistent hostnames when addressing each other
* suggestion: check if inter-node connections may be configured to use TLS. If so, all nodes and CLI tools must do that
* suggestion: see the CLI, clustering and networking guides on https:/
Current node details:
* node name: '<email address hidden>'
* effective user's home directory: /var/lib/rabbitmq
* Erlang cookie hash: 1xqFdVcqzTUaFcP
Error: /Stage[
y","ha-
```
/var/log/
```
2022-09-02 14:27:45.
2022-09-02 14:27:45.
2022-09-02 14:27:45.
2022-09-02 14:27:45.
2022-09-02 14:27:50.
2022-09-02 14:27:50.
2022-09-02 14:27:50.
2022-09-02 14:27:50.
```
I have found the cause of the issue:
In `/etc/ipa/ca.crt`, if you have an expired (intermediate) CA certificate (probably higher in the chain) with the same name as your current (intermediate) CA certificate, it seems to be using the expired one. Thus, "certificate expired" is referring to the CA certificate being expired, not the client.
I am not sure if this is to be fixed upstream in rabbitmq, or if a fail-safe that copies only relevant non-expired certificates should be implemented here. It does not affect anything else but rabbitmq, but it might be a good fail-safe.
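
The fail-safe suggested in the report above, sketched as an added example (not code from TripleO or RabbitMQ): `filter_ca_bundle` copies only the still-valid certificates out of a PEM bundle such as `/etc/ipa/ca.crt`, and `duplicate_subjects` lists subject names that occur more than once. The function names and the sample subject are hypothetical, and the demo bundle is constructed; it assumes the `openssl` CLI is installed.

```shell
# Added example: function names and the sample subject are hypothetical.

# filter_ca_bundle SRC DST [MARGIN_SECONDS]
# Copy to DST only the certificates from SRC that are still valid
# MARGIN_SECONDS from now (default 0: drop already-expired certificates).
filter_ca_bundle() {
  fcb_src=$1; fcb_dst=$2; fcb_margin=${3:-0}
  fcb_tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per PEM certificate block.
  awk -v dir="$fcb_tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$fcb_src"
  : > "$fcb_dst"
  for fcb_cert in "$fcb_tmp"/cert-*.pem; do
    [ -e "$fcb_cert" ] || continue
    # -checkend exits non-zero if the certificate expires within the margin.
    if openssl x509 -in "$fcb_cert" -noout -checkend "$fcb_margin" >/dev/null; then
      cat "$fcb_cert" >> "$fcb_dst"
    else
      echo "dropped: $(openssl x509 -in "$fcb_cert" -noout -subject -enddate | tr '\n' ' ')" >&2
    fi
  done
  rm -rf "$fcb_tmp"
}

# Print each subject name that appears more than once in a bundle.
duplicate_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout | grep '^subject' | sort | uniq -d
}

# Constructed sample: two self-signed certificates with the same subject,
# one valid for 1 day and one for 10 years.
make_demo_bundle() {
  : > "$1"
  for mdb_days in 1 3650; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
      -subj "/CN=Example Intermediate CA" -days "$mdb_days" 2>/dev/null >> "$1"
  done
}
```

With the constructed bundle and a 30-day margin (2592000 seconds), the 1-day certificate is dropped and the 10-year one is kept; a margin of 0 drops only certificates that have already expired.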