更新证书后,RabbitMQ Shovel 通过 TLS 连接时报 badmatch 错误
RabbitMQ Shovel over TLS errors with badmatch after renewing certificates
我的 RabbitMQ 安装已经运行了一年多,其中的 Shovel(铲子)使用 TLS 连接。Shovel 使用自签名证书,直到证书过期。当我重新生成新证书后,即使我把证书、密钥和 CA 证书放在与以前相同的位置,Shovel 仍然无法工作。
我得到的错误如下(来自 rabbit@hostname-sasl.log;长行已用 \ 续行。注意:报告中的 src-uri 和 dest-uri 原样包含 Shovel 连接所用的用户名和密码,分享此类日志前应先脱敏,并轮换其中的凭据):
=SUPERVISOR REPORT==== 31-Jul-2019::15:52:59 ===
Supervisor: {<0.879.0>,rabbit_shovel_dyn_worker_sup}
Context: child_terminated
Reason: {{badmatch,{error,closed}},
[{rabbit_shovel_worker,make_conn_and_chan,1,
[{file,"src/rabbit_shovel_worker.erl"},{line,236}]},
{rabbit_shovel_worker,handle_cast,2,
[{file,"src/rabbit_shovel_worker.erl"},{line,62}]},
{gen_server2,handle_msg,2,
[{file,"src/gen_server2.erl"},{line,1049}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,240}]}]}
Offender: [{pid,<0.14768.3>},
{name,{<<"/">>,<<"Pull Light Data">>}},
{mfargs,
{rabbit_shovel_worker,start_link,
[dynamic,
{<<"/">>,<<"Pull Light Data">>},
[{<<"src-uri">>,
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@source:5673 \
?cacertfile=/etc/pki/rmqca/source_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/source_client_cert.pem \
&keyfile=/etc/pki/rmqclient/source_client_key.pem \
&verify=verify_peer&server_name_indication=source">>},
{<<"src-exchange">>,<<"Data.E.source">>},
{<<"src-exchange-key">>,<<"#">>},
{<<"dest-uri">>,
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@destination:5673 \
?cacertfile=/etc/pki/rmqca/destination_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/destination_client_cert.pem \
&keyfile=/etc/pki/rmqclient/destination_client_key.pem \
&verify=verify_peer&server_name_indication=rdestination">>},
{<<"dest-exchange">>,<<"Data.E.destination">>},
{<<"add-forward-headers">>,false},
{<<"ack-mode">>,<<"on-confirm">>},
{<<"delete-after">>,<<"never">>}]]}},
{restart_type,{transient,1}},
{shutdown,4294967295},
{child_type,worker}]
我的 RMQ 状态:
Status of node 'rabbit@destination' ...
[{pid,11710},
{running_applications,
[{rabbitmq_shovel_management,"Shovel Status","3.6.1"},
{rabbitmq_shovel,"Data Shovel for RabbitMQ","3.6.1"},
{rabbitmq_management,"RabbitMQ Management Console","3.6.1"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.6.1"},
{rabbit,"RabbitMQ","3.6.1"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.6.1"},
{webmachine,"webmachine","1.10.3"},
{mochiweb,"MochiMedia Web Server","2.13.0"},
{amqp_client,"RabbitMQ AMQP Client","3.6.1"},
{xmerl,"XML parser","1.3.9"},
{rabbit_common,[],"3.6.1"},
{compiler,"ERTS CXC 138 10","6.0.2"},
{ssl,"Erlang/OTP SSL application","7.2"},
{public_key,"Public key infrastructure","1.1"},
{crypto,"CRYPTO","3.6.2"},
{os_mon,"CPO CXC 138 46","2.4"},
{mnesia,"MNESIA CXC 138 12","4.13.2"},
{ranch,"Socket acceptor pool for TCP protocols.","1.2.1"},
{asn1,"The Erlang ASN1 compiler version 4.0.1","4.0.1"},
{inets,"INETS CXC 138 49","6.1"},
{syntax_tools,"Syntax tools","1.7"},
{sasl,"SASL CXC 138 11","2.6.1"},
{stdlib,"ERTS CXC 138 10","2.7"},
{kernel,"ERTS CXC 138 10","4.1.1"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang/OTP 18 [erts-7.2] [source] [64-bit] [smp:4:4] [async-threads:64] [hipe] [kernel-poll:true]\n"},
{memory,
[{total,102477624},
{connection_readers,978264},
{connection_writers,214256},
{connection_channels,252872},
{connection_other,1444608},
{queue_procs,4690544},
{queue_slave_procs,0},
{plugins,805496},
{other_proc,21533200},
{mnesia,496176},
{mgmt_db,2570432},
{msg_index,979048},
{other_ets,2654936},
{binary,30328624},
{code,27425521},
{atom,992409},
{other_system,7111238}]},
{alarms,[]},
{listeners,
[{clustering,25672,"::"},
{amqp,5672,"0.0.0.0"},
{'amqp/ssl',5673,"0.0.0.0"}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1661373644},
{disk_free_limit,50000000},
{disk_free,1504694272},
{file_descriptors,
[{total_limit,924},
{total_used,112},
{sockets_limit,829},
{sockets_used,37}]},
{processes,[{limit,1048576},{used,814}]},
{run_queue,0},
{uptime,3664},
{kernel,{net_ticktime,60}}]
问题原来出在 RabbitMQ 服务本身的配置错误。配置文件 /etc/rabbitmq/rabbitmq.config 有一个 SSL 部分:
%% Configuring SSL.
%% See http://www.rabbitmq.com/ssl.html for full documentation.
%%
%% NOTE(review): this fragment presumably sits inside the {rabbit, [...]}
%% section of rabbitmq.config; the enclosing list is not shown here.
%% 'tlsv1.1' is enabled next to 'tlsv1.2'. TLS 1.1 is deprecated (RFC 8996),
%% so keep it only while a peer still requires it.
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
%% cacertfile: this is the path the answer identifies as wrong for this
%% installation (the CA certificate lives under /etc/pki/rmqca/). With
%% verify_peer set below, a CA file the server cannot load leaves it unable
%% to verify client certificates, which is consistent with the shovel
%% seeing {error,closed} during the handshake.
{ssl_options, [{cacertfile, "/etc/pki/rmq_cacert.pem"},
{certfile, "/etc/pki/rmqserver/server_cert.pem"},
{keyfile, "/etc/pki/rmqserver/server_key.pem"},
{versions, ['tlsv1.2', 'tlsv1.1']},
%% verify_peer validates a client certificate when one is presented;
%% fail_if_no_peer_cert = false means a client that presents no certificate
%% is still accepted, so client-certificate authentication is optional here.
%% Set it to true if every client is expected to present a certificate.
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
注意 cacertfile (/etc/pki/rmq_cacert.pem) 这一行。对我的安装来说这是错误的路径:我用一个名为 rmqca 的目录存放 CA 证书(按照同样的约定,我的服务器证书位于 rmqserver/,客户端证书位于 rmqclient/)。新行是:
{ssl_options, [{cacertfile, "/etc/pki/rmqca/rmq_cacert.pem"},
服务重启后一切正常。(这很可能也解释了为什么 Shovel 一侧只看到 {error,closed}:服务端加载不到 cacertfile 时,TLS 握手在服务端失败并关闭连接,客户端只能看到连接被关闭。)
感谢大家的观看。我希望这个答案可以帮助其他人解决这个神秘的错误消息。
我的 RabbitMQ 安装已经运行了一年多,其中的 Shovel(铲子)使用 TLS 连接。Shovel 使用自签名证书,直到证书过期。当我重新生成新证书后,即使我把证书、密钥和 CA 证书放在与以前相同的位置,Shovel 仍然无法工作。 我得到的错误如下(来自 rabbit@hostname-sasl.log;长行已用 \ 续行。注意:报告中的 src-uri 和 dest-uri 原样包含 Shovel 连接所用的用户名和密码,分享此类日志前应先脱敏,并轮换其中的凭据):
=SUPERVISOR REPORT==== 31-Jul-2019::15:52:59 ===
Supervisor: {<0.879.0>,rabbit_shovel_dyn_worker_sup}
Context: child_terminated
Reason: {{badmatch,{error,closed}},
[{rabbit_shovel_worker,make_conn_and_chan,1,
[{file,"src/rabbit_shovel_worker.erl"},{line,236}]},
{rabbit_shovel_worker,handle_cast,2,
[{file,"src/rabbit_shovel_worker.erl"},{line,62}]},
{gen_server2,handle_msg,2,
[{file,"src/gen_server2.erl"},{line,1049}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,240}]}]}
Offender: [{pid,<0.14768.3>},
{name,{<<"/">>,<<"Pull Light Data">>}},
{mfargs,
{rabbit_shovel_worker,start_link,
[dynamic,
{<<"/">>,<<"Pull Light Data">>},
[{<<"src-uri">>,
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@source:5673 \
?cacertfile=/etc/pki/rmqca/source_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/source_client_cert.pem \
&keyfile=/etc/pki/rmqclient/source_client_key.pem \
&verify=verify_peer&server_name_indication=source">>},
{<<"src-exchange">>,<<"Data.E.source">>},
{<<"src-exchange-key">>,<<"#">>},
{<<"dest-uri">>,
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@destination:5673 \
?cacertfile=/etc/pki/rmqca/destination_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/destination_client_cert.pem \
&keyfile=/etc/pki/rmqclient/destination_client_key.pem \
&verify=verify_peer&server_name_indication=rdestination">>},
{<<"dest-exchange">>,<<"Data.E.destination">>},
{<<"add-forward-headers">>,false},
{<<"ack-mode">>,<<"on-confirm">>},
{<<"delete-after">>,<<"never">>}]]}},
{restart_type,{transient,1}},
{shutdown,4294967295},
{child_type,worker}]
我的 RMQ 状态:
Status of node 'rabbit@destination' ...
[{pid,11710},
{running_applications,
[{rabbitmq_shovel_management,"Shovel Status","3.6.1"},
{rabbitmq_shovel,"Data Shovel for RabbitMQ","3.6.1"},
{rabbitmq_management,"RabbitMQ Management Console","3.6.1"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.6.1"},
{rabbit,"RabbitMQ","3.6.1"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.6.1"},
{webmachine,"webmachine","1.10.3"},
{mochiweb,"MochiMedia Web Server","2.13.0"},
{amqp_client,"RabbitMQ AMQP Client","3.6.1"},
{xmerl,"XML parser","1.3.9"},
{rabbit_common,[],"3.6.1"},
{compiler,"ERTS CXC 138 10","6.0.2"},
{ssl,"Erlang/OTP SSL application","7.2"},
{public_key,"Public key infrastructure","1.1"},
{crypto,"CRYPTO","3.6.2"},
{os_mon,"CPO CXC 138 46","2.4"},
{mnesia,"MNESIA CXC 138 12","4.13.2"},
{ranch,"Socket acceptor pool for TCP protocols.","1.2.1"},
{asn1,"The Erlang ASN1 compiler version 4.0.1","4.0.1"},
{inets,"INETS CXC 138 49","6.1"},
{syntax_tools,"Syntax tools","1.7"},
{sasl,"SASL CXC 138 11","2.6.1"},
{stdlib,"ERTS CXC 138 10","2.7"},
{kernel,"ERTS CXC 138 10","4.1.1"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang/OTP 18 [erts-7.2] [source] [64-bit] [smp:4:4] [async-threads:64] [hipe] [kernel-poll:true]\n"},
{memory,
[{total,102477624},
{connection_readers,978264},
{connection_writers,214256},
{connection_channels,252872},
{connection_other,1444608},
{queue_procs,4690544},
{queue_slave_procs,0},
{plugins,805496},
{other_proc,21533200},
{mnesia,496176},
{mgmt_db,2570432},
{msg_index,979048},
{other_ets,2654936},
{binary,30328624},
{code,27425521},
{atom,992409},
{other_system,7111238}]},
{alarms,[]},
{listeners,
[{clustering,25672,"::"},
{amqp,5672,"0.0.0.0"},
{'amqp/ssl',5673,"0.0.0.0"}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1661373644},
{disk_free_limit,50000000},
{disk_free,1504694272},
{file_descriptors,
[{total_limit,924},
{total_used,112},
{sockets_limit,829},
{sockets_used,37}]},
{processes,[{limit,1048576},{used,814}]},
{run_queue,0},
{uptime,3664},
{kernel,{net_ticktime,60}}]
问题原来出在 RabbitMQ 服务本身的配置错误。配置文件 /etc/rabbitmq/rabbitmq.config 有一个 SSL 部分:
%% Configuring SSL.
%% See http://www.rabbitmq.com/ssl.html for full documentation.
%%
%% NOTE(review): this fragment presumably sits inside the {rabbit, [...]}
%% section of rabbitmq.config; the enclosing list is not shown here.
%% 'tlsv1.1' is enabled next to 'tlsv1.2'. TLS 1.1 is deprecated (RFC 8996),
%% so keep it only while a peer still requires it.
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
%% cacertfile: this is the path the answer identifies as wrong for this
%% installation (the CA certificate lives under /etc/pki/rmqca/). With
%% verify_peer set below, a CA file the server cannot load leaves it unable
%% to verify client certificates, which is consistent with the shovel
%% seeing {error,closed} during the handshake.
{ssl_options, [{cacertfile, "/etc/pki/rmq_cacert.pem"},
{certfile, "/etc/pki/rmqserver/server_cert.pem"},
{keyfile, "/etc/pki/rmqserver/server_key.pem"},
{versions, ['tlsv1.2', 'tlsv1.1']},
%% verify_peer validates a client certificate when one is presented;
%% fail_if_no_peer_cert = false means a client that presents no certificate
%% is still accepted, so client-certificate authentication is optional here.
%% Set it to true if every client is expected to present a certificate.
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
注意 cacertfile (/etc/pki/rmq_cacert.pem) 这一行。对我的安装来说这是错误的路径:我用一个名为 rmqca 的目录存放 CA 证书(按照同样的约定,我的服务器证书位于 rmqserver/,客户端证书位于 rmqclient/)。新行是:
{ssl_options, [{cacertfile, "/etc/pki/rmqca/rmq_cacert.pem"},
服务重启后一切正常。(这很可能也解释了为什么 Shovel 一侧只看到 {error,closed}:服务端加载不到 cacertfile 时,TLS 握手在服务端失败并关闭连接,客户端只能看到连接被关闭。)
感谢大家的观看。我希望这个答案可以帮助其他人解决这个神秘的错误消息。