Red Hat Bugzilla – Bug 1484547
TLS for Internal services for RabbitMQ
Last modified: 2018-05-29 12:03:29 EDT
Upstream PR for puppet-rabbitmq - https://github.com/voxpupuli/puppet-rabbitmq/pull/574
This is merged upstream and pulled into RDO, just needs to wait on next downstream sync.
openstack-tripleo-heat-templates-7.0.3-13.el7ost.noarch sudo cat /var/log/pacemaker/bundles/rabbitmq-bundle-0/rabbitmq/rabbit@overcloud-controller-0.log |grep SSL started SSL Listener on 172.17.1.18:5672 [heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:5672 CONNECTED(00000003) depth=1 O = REDHAT.LOCAL, CN = Certificate Authority verify return:1 depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local verify return:1 --- Certificate chain 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local i:/O=REDHAT.LOCAL/CN=Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIFLTCCBBWgAwIBAgIBFjANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxSRURI QVQuTE9DQUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzEx MjcxNTIzNTBaFw0xOTExMjgxNTIzNTBaMFExFTATBgNVBAoMDFJFREhBVC5MT0NB TDE4MDYGA1UEAwwvb3ZlcmNsb3VkLWNvbnRyb2xsZXItMC5pbnRlcm5hbGFwaS5y ZWRoYXQubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyqmJK W1jXzfKx3ltZswDaDdBE3dPDnkiSPvWuWyKfWPLBoNTtutO7rdw7mYlo2wTMCTV+ rjaOMsm7mApLby0bDBKSMhKU4uxHd1QHKoWYaG9MsX7wwz5G3Q90tHTX5yRgSFpZ OfugczJgm50WNIfoQTU1rEuktLeBJsICa2o8KwT77jspwnVsiSBZU+AKMQFLL9Xp 5fJxanGQINQKWOqV7FNHzb1NqUoWbqwrbtihG7wGILvLwi02EvK45gR4fW0cqbJu 9Q7D7nETKoVtxcHn9FYH6lBlNCwF4JfvypygiuAUfYGf+sMrle5kmNpY3hCwEQav 9Ju9WDlfADz9yGphAgMBAAGjggIoMIICJDAfBgNVHSMEGDAWgBQIMIhuYSdXuoR8 Z5k1RRi4HYLeoTA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9p cGEtY2EucmVkaGF0LmxvY2FsL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1Ud JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMGygNKAyhjBodHRw Oi8vaXBhLWNhLnJlZGhhdC5sb2NhbC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQy MDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp dHkwHQYDVR0OBBYEFN9VbnOe3MR0mXyLGzE/z3IUGg+sMIH5BgNVHREEgfEwge6C L292ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2Fs oFUGCisGAQQBgjcUAgOgRwxFcmFiYml0bXEvb3ZlcmNsb3VkLWNvbnRyb2xsZXIt MC5pbnRlcm5hbGFwaS5yZWRoYXQubG9jYWxAUkVESEFULkxPQ0FMoGQGBisGAQUC AqBaMFigDhsMUkVESEFULkxPQ0FMoUYwRKADAgEBoT0wOxsIcmFiYml0bXEbL292 ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2FsMA0G CSqGSIb3DQEBCwUAA4IBAQBl6LaEiB+8ny2T5KxkzFnFsT/JUq9lMSLhT0MVhLpj aLHwyV2ObW3vttPfKJWdkKRQhi21xUojHvbZ7ZIhZiGKIu3qrNi9R9DJheey4W4C Qw6OkFt2cQVkGdJgKfFiFTLw5Q6cXlZiINZVTGLu8J1lLUcaYYzk73BkMbDSbJ4Y FvNMepweRKPqQv/0NUcu03gSRHlFb3M55A5ZQRomQLaIL3Tu5XcR7MQaFvd2Klsj Fvgx239w+0XhRXSsvNKDMhcMlOlwGmrdNEj/lzZ9gWM2wZkDp/bNhFn2iCbmssr0 014pU3FGNm3KzF7tfY1+lOkz9CmG82LW932kRdsc3zZq -----END CERTIFICATE----- subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local issuer=/O=REDHAT.LOCAL/CN=Certificate Authority --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1834 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 2FD55EBE050F1B913A78F7B533BCEADAF01FB6C0BAD0FFA678F79F7F2729A4E4 Session-ID-ctx: Master-Key: 60D705D3CFDD6D7FF94EC455FB7CAC6F88E8CBC3611E5B92CFAB80086E2E9913AF8DF1A0B3A6858AFABB230DE29BFE8E Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1511799122 Timeout : 300 (sec) Verify return code: 0 (ok) ---
VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462