[rabbitmq-discuss] RabbitMQ Federation & SSL

Eric Cozzi n16483 at cray.com
Fri May 24 22:55:07 BST 2013


Simon,

Again, thank you for your continued help. I have made progress, but I'm 
hitting another problem.

I'm trying to establish federation between two brokers (one happens to 
be clustered, but the second cluster node is currently down) using 
passwordless-SSH using an LDAP authentication backend. If I disable 
external auth, I can get the federation clients to connect. Once I 
enable external auth, I get the following error. Any ideas?

=ERROR REPORT==== 24-May-2013::16:34:44 ===
** Generic server <0.2696.0> terminating
** Last message in was {'$gen_cast',maybe_go}
** When Server state == {not_started,
                          {{upstream,
                            {amqp_params_network,<<"guest">>,<<"guest">>,
                             <<"/">>,"ecozzi-02",undefined,0,0,0,infinity,
                             [{fail_if_no_peer_cert,true},
                              {verify,verify_peer},
                              {keyfile,"/opt/cray/ssl/client-01/key.pem"},
                              {certfile,"/opt/cray/ssl/client-01/cert.pem"},
                              {cacertfile,"/opt/cray/ssl/testca/cacert.pem"}],
                             [#Fun<amqp_uri.7.123484526>,
                              #Fun<amqp_uri.7.123484526>],
                             [],[]},
<<"amqps://ecozzi-02?cacertfile=/opt/cray/ssl/testca/cacert.pem&certfile=/opt/cray/ssl/client-01/cert.pem&keyfile=/opt/cray/ssl/client-01/key.pem&verify=verify_peer&fail_if_no_peer_cert=true">>,
                            {exchange,
                             {resource,<<"/">>,exchange,<<"cray.topic">>},
                             topic,true,false,false,[],
                             [{federation,
                               [{{<<"ecozzi-02">>,<<"cray.topic">>},<<"A">>}]}],
                             [{vhost,<<"/">>},
                              {name,<<"federate-me">>},
                              {pattern,<<"^cray.">>},
                              {definition,
                               [{<<"federation-upstream-set">>,<<"all">>}]},
                              {priority,0}]},
                            1000,1,1,none,none,true,none,<<"ecozzi-02">>},
                           {resource,<<"/">>,exchange,<<"cray.topic">>}}}
** Reason for termination ==
** {{{case_clause,
          {badrpc,
              {'EXIT',
                  {{badarg,{error,noSuchObject}},
                   [{rabbit_access_control,'-check_vhost_access/2-fun-0-',3,[]},
                    {rabbit_access_control,check_access,5,[]},
                    {rabbit_direct,connect,5,[]},
                    {rpc,local_call,3,[{file,"rpc.erl"},{line,327}]},
                    {amqp_direct_connection,connect,4,[]},
                    {amqp_gen_connection,handle_call,3,[]},
                    {gen_server,handle_msg,5,
                        [{file,"gen_server.erl"},{line,588}]},
                    {proc_lib,init_p_do_apply,3,
                        [{file,"proc_lib.erl"},{line,227}]}]}}}},
      [{amqp_direct_connection,connect,4,[]},
       {amqp_gen_connection,handle_call,3,[]},
       {gen_server,handle_msg,5,[{file,"gen_server.erl"},{line,588}]},
       {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]},
     {gen_server,call,[<0.2699.0>,connect,infinity]}}

Eric

On 05/24/2013 08:51 AM, Eric Cozzi wrote:
> A-ha! That's exactly what I was missing. Thanks!
>
> Eric
>
> On 05/24/2013 05:02 AM, Simon MacMullen wrote:
>> Hi. Are you setting the various SSL options in the URIs? See 
>> http://www.rabbitmq.com/shovel.html#uris for the URI format. 
>> Federation uses the AMQP client, which doesn't get its SSL options 
>> from the configuration file.
>>
>> Cheers, Simon
>>
>> On 23/05/13 21:28, Eric Cozzi wrote:
>>> I am having an issue configuring Federation and passwordless-ssl login.
>>> Federation is using https. Seems if I enable the ssl config option
>>> {fail_if_no_peer_cert,true}, peer brokers get an SSL connection error
>>> when trying to establish the Federation. Even though I'm setting my SSL
>>> keys and certs in the rabbitmq config, I'm guessing that Federation
>>> isn't using the configured certs? Is there a way to configure the client
>>> and CA certs to use with Federation?
>>>
>>> Eric
>>>
>>> Below is my (simplified) configuration.
>>>
>>> [
>>>    {rabbit,
>>>      [
>>>        {hipe_compile, true},
>>>        {tcp_listen_options,
>>>          [binary,
>>>            {packet,raw},
>>>            {reuseaddr,true},
>>>            {backlog,128},
>>>            {nodelay,true},
>>>            {exit_on_close,false}
>>>          ]
>>>        },
>>>        {ssl_listeners, [5671]},
>>>        {ssl_options, [{cacertfile,"/opt/cray/ssl/testca/cacert.pem"},
>>>                       {certfile,"/opt/cray/ssl/server-01/cert.pem"},
>>>                       {keyfile,"/opt/cray/ssl/server-01/key.pem"},
>>>                       {verify,verify_peer},
>>>                       {fail_if_no_peer_cert,false}
>>>                      ]
>>>        }
>>>      ]
>>>    }
>>> ].
>>>
>>> _______________________________________________
>>> rabbitmq-discuss mailing list
>>> rabbitmq-discuss at lists.rabbitmq.com
>>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>>
>>
>
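
Simon's reply in this thread says federation takes its SSL options from the upstream URI, not from the broker configuration file. The following is an added example, not code from the thread or from the RabbitMQ project, that checks an upstream URI for the query parameters present in the URI shown in the error report; the function name, the constructed bare URI and the choice of which parameters to require are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Client-certificate parameters as they appear in the URI from the error
# report; treating all three as required is this example's assumption.
CLIENT_CERT_PARAMS = ("cacertfile", "certfile", "keyfile")

# URI copied from the error report in this message.
URI_FROM_THREAD = (
    "amqps://ecozzi-02?cacertfile=/opt/cray/ssl/testca/cacert.pem"
    "&certfile=/opt/cray/ssl/client-01/cert.pem"
    "&keyfile=/opt/cray/ssl/client-01/key.pem"
    "&verify=verify_peer&fail_if_no_peer_cert=true"
)
# Constructed: the same upstream with no TLS options in the query string.
URI_BARE = "amqps://ecozzi-02"


def audit_upstream_uri(uri):
    """Return a list of findings; an empty list means nothing was flagged."""
    parts = urlsplit(uri)
    if parts.scheme == "amqp":
        return ["scheme is amqp: the link is not TLS-protected"]
    if parts.scheme != "amqps":
        return [f"unexpected scheme {parts.scheme!r}"]
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in CLIENT_CERT_PARAMS:
        values = query.get(name, [])
        if not values or not values[0]:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            findings.append(f"{name} given {len(values)} times")
    verify = query.get("verify", [""])[0]
    if verify != "verify_peer":
        findings.append(f"verify is {verify or 'unset'}, not verify_peer")
    return findings


if __name__ == "__main__":
    for uri in (URI_FROM_THREAD, URI_BARE):
        print(uri.split("?")[0], audit_upstream_uri(uri) or "ok")
```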

