Bug 1484547 - TLS for Internal services for RabbitMQ
Summary: TLS for Internal services for RabbitMQ
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 12.0 (Pike)
Assignee: John Eckersberg
QA Contact: Artem Hrechanychenko
URL:
Whiteboard:
Depends On: 1484499 1484506 1484512 1484517 1484520 1484521 1484524 1484531 1484535 1484542 1484601 1486759 1486766 1510144
Blocks: 1484550
TreeView+ depends on / blocked
 
Reported: 2017-08-23 20:21 UTC by atelang
Modified: 2021-12-10 15:25 UTC (History)
38 users (show)

Fixed In Version: openstack-tripleo-heat-templates-7.0.4-0.20171108052223.6ae90da.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1484542
: 1484550 (view as bug list)
Environment:
Last Closed: 2017-12-13 21:55:13 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 498325 0 None MERGED Rabbitmq: Enable Erlang distribution TLS 2020-12-08 22:19:53 UTC
Red Hat Issue Tracker OSP-11315 0 None None None 2021-12-10 15:25:10 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Comment 8 John Eckersberg 2017-08-29 12:45:48 UTC 
Upstream PR for puppet-rabbitmq - https://github.com/voxpupuli/puppet-rabbitmq/pull/574
Comment 9 John Eckersberg 2017-09-13 14:11:41 UTC 
This is merged upstream and pulled into RDO, just needs to wait on next downstream sync.
Comment 16 Artem Hrechanychenko 2017-11-27 16:17:43 UTC 
openstack-tripleo-heat-templates-7.0.3-13.el7ost.noarch

 sudo cat /var/log/pacemaker/bundles/rabbitmq-bundle-0/rabbitmq/rabbit |grep SSL
‎started SSL Listener on 172.17.1.18:5672
‎

[heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:5672
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIBFjANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxSRURI
QVQuTE9DQUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzEx
MjcxNTIzNTBaFw0xOTExMjgxNTIzNTBaMFExFTATBgNVBAoMDFJFREhBVC5MT0NB
TDE4MDYGA1UEAwwvb3ZlcmNsb3VkLWNvbnRyb2xsZXItMC5pbnRlcm5hbGFwaS5y
ZWRoYXQubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyqmJK
W1jXzfKx3ltZswDaDdBE3dPDnkiSPvWuWyKfWPLBoNTtutO7rdw7mYlo2wTMCTV+
rjaOMsm7mApLby0bDBKSMhKU4uxHd1QHKoWYaG9MsX7wwz5G3Q90tHTX5yRgSFpZ
OfugczJgm50WNIfoQTU1rEuktLeBJsICa2o8KwT77jspwnVsiSBZU+AKMQFLL9Xp
5fJxanGQINQKWOqV7FNHzb1NqUoWbqwrbtihG7wGILvLwi02EvK45gR4fW0cqbJu
9Q7D7nETKoVtxcHn9FYH6lBlNCwF4JfvypygiuAUfYGf+sMrle5kmNpY3hCwEQav
9Ju9WDlfADz9yGphAgMBAAGjggIoMIICJDAfBgNVHSMEGDAWgBQIMIhuYSdXuoR8
Z5k1RRi4HYLeoTA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9p
cGEtY2EucmVkaGF0LmxvY2FsL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMGygNKAyhjBodHRw
Oi8vaXBhLWNhLnJlZGhhdC5sb2NhbC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQy
MDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHQYDVR0OBBYEFN9VbnOe3MR0mXyLGzE/z3IUGg+sMIH5BgNVHREEgfEwge6C
L292ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2Fs
oFUGCisGAQQBgjcUAgOgRwxFcmFiYml0bXEvb3ZlcmNsb3VkLWNvbnRyb2xsZXIt
MC5pbnRlcm5hbGFwaS5yZWRoYXQubG9jYWxAUkVESEFULkxPQ0FMoGQGBisGAQUC
AqBaMFigDhsMUkVESEFULkxPQ0FMoUYwRKADAgEBoT0wOxsIcmFiYml0bXEbL292
ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2FsMA0G
CSqGSIb3DQEBCwUAA4IBAQBl6LaEiB+8ny2T5KxkzFnFsT/JUq9lMSLhT0MVhLpj
aLHwyV2ObW3vttPfKJWdkKRQhi21xUojHvbZ7ZIhZiGKIu3qrNi9R9DJheey4W4C
Qw6OkFt2cQVkGdJgKfFiFTLw5Q6cXlZiINZVTGLu8J1lLUcaYYzk73BkMbDSbJ4Y
FvNMepweRKPqQv/0NUcu03gSRHlFb3M55A5ZQRomQLaIL3Tu5XcR7MQaFvd2Klsj
Fvgx239w+0XhRXSsvNKDMhcMlOlwGmrdNEj/lzZ9gWM2wZkDp/bNhFn2iCbmssr0
014pU3FGNm3KzF7tfY1+lOkz9CmG82LW932kRdsc3zZq
-----END CERTIFICATE-----
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1834 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2FD55EBE050F1B913A78F7B533BCEADAF01FB6C0BAD0FFA678F79F7F2729A4E4
    Session-ID-ctx: 
    Master-Key: 60D705D3CFDD6D7FF94EC455FB7CAC6F88E8CBC3611E5B92CFAB80086E2E9913AF8DF1A0B3A6858AFABB230DE29BFE8E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1511799122
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Comment 17 Artem Hrechanychenko 2017-11-27 16:26:18 UTC 
VERIFIED
Comment 20 errata-xmlrpc 2017-12-13 21:55:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
Note You need to log in before you can comment on or make changes to this bug.