Cannot Start Rabbit MQ Docker Container after enabling SSL
1,105 views
Skip to first unread message
Bj Maldonado
Nov 8, 2017, 11:26:17 AM11/8/17
to rabbitmq-users
I have a Dockerized version of Rabbit MQ
My Config looks like this:
[
{
rabbit,
[
{default_user, <<"DEFAULT_USER">>},
{default_pass, <<"DEFAULT_PASS">>},
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem"},
{certfile, "/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem"},
{keyfile, "/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem"},
{verify, verify_none},
{fail_if_no_peer_cert, false}]},
{loopback_users, []},
{cluster_partition_handling, autoheal},
{delegate_count, 64},
{fhc_read_buffering, false},
{fhc_write_buffering, false},
{heartbeat, 60},
{queue_index_embed_msgs_below, 0},
{queue_index_max_journal_entries, 8192},
{log_levels, [{autocluster, info},
{connection, error},
{channel, warning},
{federation, info},
{mirroring, info},
{shovel, info}]},
{vm_memory_high_watermark, 0.8}
]
}
].
and my docker file like so:
FROM gavinmroy/alpine-rabbitmq-autocluster
USER root
ADD erlang.cookie /var/lib/rabbitmq/.erlang.cookieADD rabbitmq.config /usr/lib/rabbitmq/etc/rabbitmq/rabbitmq.configADD testca/cacert.pem /usr/lib/rabbitmq/etc/rabbitmq/cacert.pemADD server/cert.pem /usr/lib/rabbitmq/etc/rabbitmq/cert.pemADD server/key.pem /usr/lib/rabbitmq/etc/rabbitmq/key.pemADD start-rabbit.sh /usr/local/bin/start-rabbit.shRUN \ chown rabbitmq \ /var/lib/rabbitmq/.erlang.cookie \ /usr/lib/rabbitmq/etc/rabbitmq/ \ /usr/lib/rabbitmq/etc/rabbitmq/rabbitmq.config && \ chmod 600 /var/lib/rabbitmq/.erlang.cookie && \ chmod 755 /usr/local/bin/start-rabbit.sh
ARG VAULT_VERSION=0.6.2ARG VAULT_TMP=/tmp/vault.zipRUN \ apk add --no-cache curl unzip && \ curl -sSLo $VAULT_TMP https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \ unzip -d /usr/local/bin/ $VAULT_TMP && \ rm $VAULT_TMP && \ chmod 755 /usr/local/bin/vault && \ apk --purge del unzip
USER rabbitmqENV \ AUTOCLUSTER_TYPE=aws \ AWS_AUTOSCALING=true \ AUTOCLUSTER_CLEANUP=true \ CLEANUP_WARN_ONLY=false \ AUTOCLUSTER_LOG_LEVEL=debug \ SSL_CERT_FILE=/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem \ SSL_KEY_FILE=/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem \ SSL_CA_FILE=/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem
CMD /usr/local/bin/start-rabbit.sh
We use hashicorp vault to host our rabbitmq username and password.
and rabbit starts using this:
export RABBITMQ_DEFAULT_USER=$(vault read -field=value pdr/$INTX_ENV/core/rabbitmq.username)
export RABBITMQ_DEFAULT_PASS=$(vault read -field=value pdr/$INTX_ENV/core/rabbitmq.password)
if [ -z "$RABBITMQ_DEFAULT_USER" ]; then
echo Unable to retrieve RabbitMQ username
exit 1
fi
if [ -z "$RABBITMQ_DEFAULT_PASS" ]; then
echo Unable to find RabbitMQ password
exit 1
fi
sed -i -e "s/DEFAULT_USER/$RABBITMQ_DEFAULT_USER/" -e "s/DEFAULT_PASS/$RABBITMQ_DEFAULT_PASS/" /usr/lib/rabbitmq/etc/rabbitmq/rabbitmq.config
/usr/lib/rabbitmq/sbin/rabbitmq-serverNow, this is my full set up, but I introduced SSL and BOOM it shattered. Fails with this:
Retrieving RabbitMQ cluster secrets from VaultRabbitMQ 3.6.2. Copyright (C) 2007-2016 Pivotal Software, Inc.## ## Licensed under the MPL. See http://www.rabbitmq.com/## ############ Logs: tty###### ## tty##########Starting broker...=INFO REPORT==== 8-Nov-2017::15:58:34 ===Starting RabbitMQ 3.6.2 on Erlang 18.3.2Copyright (C) 2007-2016 Pivotal Software, Inc.Licensed under the MPL. See http://www.rabbitmq.com/=INFO REPORT==== 8-Nov-2017::15:58:34 ===node : rabbit@ip-172-16-7-55home dir : /var/lib/rabbitmqconfig file(s) : /usr/lib/rabbitmq/etc/rabbitmq/rabbitmq.configcookie hash : RdOTUT7OrQVNZZr33Pw4fg==log : ttysasl log : ttydatabase dir : /var/lib/rabbitmq/mnesia=INFO REPORT==== 8-Nov-2017::15:58:37 ===autocluster: log level set to debug=INFO REPORT==== 8-Nov-2017::15:58:37 ===autocluster: Using AWS backend=INFO REPORT==== 8-Nov-2017::15:58:37 ===autocluster: Delaying startup for 3945ms.=INFO REPORT==== 8-Nov-2017::15:58:40 ===autocluster: Starting aws registration.=INFO REPORT==== 8-Nov-2017::15:58:40 ===autocluster: Setting region: "us-east-1"=INFO REPORT==== 8-Nov-2017::15:58:41 ===autocluster: Discovered ['rabbit@ip-172-16-2-146','rabbit@ip-172-16-2-58','rabbit@ip-172-16-5-54','rabbit@ip-172-16-7-55']=INFO REPORT==== 8-Nov-2017::15:58:41 ===autocluster: Joining the cluster.=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mnesiaexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===Resetting Rabbit=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mnesiaexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mnesiaexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===Already member of cluster: ['rabbit@ip-172-16-7-55','rabbit@ip-172-16-5-54','rabbit@ip-172-16-2-58','rabbit@ip-172-16-2-146']=INFO REPORT==== 8-Nov-2017::15:58:41 ===autocluster: Cluster joined.=INFO REPORT==== 8-Nov-2017::15:58:41 ===Memory limit set to 5984MB of 7481MB total.=INFO REPORT==== 8-Nov-2017::15:58:41 ===Disk free limit set to 50MB=INFO REPORT==== 8-Nov-2017::15:58:41 ===Limiting to approx 130972 file handles (117872 sockets)=INFO REPORT==== 8-Nov-2017::15:58:41 ===FHC read buffering: OFFFHC write buffering: OFF=INFO REPORT==== 8-Nov-2017::15:58:41 ===Database directory at /var/lib/rabbitmq/mnesia is empty. Initialising from scratch...=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mnesiaexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===Priority queues enabled, real BQ is rabbit_variable_queue=INFO REPORT==== 8-Nov-2017::15:58:41 ===Management plugin: using rates mode 'basic'=INFO REPORT==== 8-Nov-2017::15:58:41 ===msg_store_transient: using rabbit_msg_store_ets_index to provide index=INFO REPORT==== 8-Nov-2017::15:58:41 ===msg_store_persistent: using rabbit_msg_store_ets_index to provide index=WARNING REPORT==== 8-Nov-2017::15:58:41 ===msg_store_persistent: rebuilding indices from scratch=INFO REPORT==== 8-Nov-2017::15:58:41 ===Adding vhost '/'=INFO REPORT==== 8-Nov-2017::15:58:41 ===Creating user 'rabbit'=INFO REPORT==== 8-Nov-2017::15:58:41 ===Setting user tags for user 'rabbit' to [administrator]=INFO REPORT==== 8-Nov-2017::15:58:41 ===Setting permissions for 'rabbit' in '/' to '.*', '.*', '.*'=INFO REPORT==== 8-Nov-2017::15:58:41 ===started TCP Listener on 0.0.0.0:5672=ERROR REPORT==== 8-Nov-2017::15:58:41 ===Failed to start Ranch listener {acceptor,{0,0,0,0},5671} in ranch_ssl:listen([{port,5671},{ip,{0,0,0,0}},inet,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2','tlsv1.1',tlsv1]},{cacertfile,"/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem"},{certfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem"},{keyfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem"},{verify,verify_none},{fail_if_no_peer_cert,false}]) for reason {options,{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{dhe_dss,aes_128_cbc,sha256},{rsa,aes_128_gcm,null,sha256},{rsa,aes_128_cbc,sha256},{ecdhe_ecdsa,aes_256_cbc,sha},{ecdhe_rsa,aes_256_cbc,sha},{dhe_rsa,aes_256_cbc,sha},{dhe_dss,aes_256_cbc,sha},{ecdh_ecdsa,aes_256_cbc,sha},{ecdh_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha},{ecdhe_ecdsa,'3des_ede_cbc',sha},{ecdhe_rsa,'3des_ede_cbc',sha},{dhe_rsa,'3des_ede_cbc',sha},{dhe_dss,'3des_ede_cbc',sha},{ecdh_ecdsa,'3des_ede_cbc',sha},{ecdh_rsa,'3des_ede_cbc',sha},{rsa,'3des_ede_cbc',sha},{ecdhe_ecdsa,aes_128_cbc,sha},{ecdhe_rsa,aes_128_cbc,sha},{dhe_rsa,aes_128_cbc,sha},{dhe_dss,aes_128_cbc,sha},{ecdh_ecdsa,aes_128_cbc,sha},{ecdh_rsa,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot_ssl,1,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot,0,[{file,"src/rabbit_networking.erl"},{line,134}]},{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,[{file,"src/rabbit_boot_steps.erl"},{line,49}]},{rabbit_boot_steps,run_step,2,[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}}}type: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: ranchexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mnesiaexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: amqp_clientexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: rabbitmq_web_dispatchexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: webmachineexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: mochiwebexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: sockjsexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: xmerlexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: rabbitmq_awsexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: sslexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: os_monexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: cowlibexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: rabbit_commonexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: public_keyexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: asn1exited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: cryptoexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: syntax_toolsexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: compilerexited: stoppedtype: temporaryBOOT FAILED===========Error description:{could_not_start,rabbit,{{case_clause,{error,{{shutdown,{failed_to_start_child,{ranch_listener_sup,{acceptor,{0,0,0,0},5671}},{shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0},5671},{options,{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{dhe_dss,aes_128_cbc,sha256},{rsa,aes_128_gcm,null,sha256},{rsa,aes_128_cbc,sha256},{ecdhe_ecdsa,aes_256_cbc,sha},{ecdhe_rsa,aes_256_cbc,sha},{dhe_rsa,aes_256_cbc,sha},{dhe_dss,aes_256_cbc,sha},{ecdh_ecdsa,aes_256_cbc,sha},{ecdh_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha},{ecdhe_ecdsa,'3des_ede_cbc',sha},{ecdhe_rsa,'3des_ede_cbc',sha},{dhe_rsa,'3des_ede_cbc',sha},{dhe_dss,'3des_ede_cbc',sha},{ecdh_ecdsa,'3des_ede_cbc',sha},{ecdh_rsa,'3des_ede_cbc',sha},{rsa,'3des_ede_cbc',sha},{ecdhe_ecdsa,aes_128_cbc,sha},{ecdhe_rsa,aes_128_cbc,sha},{dhe_rsa,aes_128_cbc,sha},{dhe_dss,aes_128_cbc,sha},{ecdh_ecdsa,aes_128_cbc,sha},{ecdh_rsa,aes_128_cbc,sha},{rsa,aes_128_cbc,sha},{dhe_rsa,des_cbc,sha},{rsa,des_cbc,sha}]}}}}}}},{child,undefined,'rabbit_tcp_listener_sup_0.0.0.0:5671',{tcp_listener_sup,start_link,[{0,0,0,0},5671,ranch_ssl,[inet,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2','tlsv1.1',tlsv1]},{cacertfile,"/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem"},{certfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem"},{keyfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem"},{verify,verify_none},{fail_if_no_peer_cert,false}],rabbit_connection_sup,[],{rabbit_networking,tcp_listener_started,['amqp/ssl']},{rabbit_networking,tcp_listener_stopped,['amqp/ssl']},1,"SSL Listener"]},transient,infinity,supervisor,[tcp_listener_sup]}}}},[{rabbit_networking,start_listener0,5,[{file,"src/rabbit_networking.erl"},{line,300}]},{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,start_listener,5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot_ssl,1,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot,0,[{file,"src/rabbit_networking.erl"},{line,134}]},{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,[{file,"src/rabbit_boot_steps.erl"},{line,49}]},{rabbit_boot_steps,run_step,2,[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}Log files (may contain more information):ttytty=INFO REPORT==== 8-Nov-2017::15:58:41 ===application: inetsexited: stoppedtype: temporary=INFO REPORT==== 8-Nov-2017::15:58:41 ===Error description:{could_not_start,rabbit,{{case_clause,{error,{{shutdown,{failed_to_start_child,{ranch_listener_sup,{acceptor,{0,0,0,0},5671}},{shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0},5671},{options,{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{dhe_dss,aes_128_cbc,sha256},{rsa,aes_128_gcm,null,sha256},{rsa,aes_128_cbc,sha256},{ecdhe_ecdsa,aes_256_cbc,sha},{ecdhe_rsa,aes_256_cbc,sha},{dhe_rsa,aes_256_cbc,sha},{dhe_dss,aes_256_cbc,sha},{ecdh_ecdsa,aes_256_cbc,sha},{ecdh_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha},{ecdhe_ecdsa,'3des_ede_cbc',sha},{ecdhe_rsa,'3des_ede_cbc',sha},{dhe_rsa,'3des_ede_cbc',sha},{dhe_dss,'3des_ede_cbc',sha},{ecdh_ecdsa,'3des_ede_cbc',sha},{ecdh_rsa,'3des_ede_cbc',sha},{rsa,'3des_ede_cbc',sha},{ecdhe_ecdsa,aes_128_cbc,sha},{ecdhe_rsa,aes_128_cbc,sha},{dhe_rsa,aes_128_cbc,sha},{dhe_dss,aes_128_cbc,sha},{ecdh_ecdsa,aes_128_cbc,sha},{ecdh_rsa,aes_128_cbc,sha},{rsa,aes_128_cbc,sha},{dhe_rsa,des_cbc,sha},{rsa,des_cbc,sha}]}}}}}}},{child,undefined,'rabbit_tcp_listener_sup_0.0.0.0:5671',{tcp_listener_sup,start_link,[{0,0,0,0},5671,ranch_ssl,[inet,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2','tlsv1.1',tlsv1]},{cacertfile,"/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem"},{certfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem"},{keyfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem"},{verify,verify_none},{fail_if_no_peer_cert,false}],rabbit_connection_sup,[],{rabbit_networking,tcp_listener_started,['amqp/ssl']},{rabbit_networking,tcp_listener_stopped,['amqp/ssl']},1,"SSL Listener"]},transient,infinity,supervisor,[tcp_listener_sup]}}}},[{rabbit_networking,start_listener0,5,[{file,"src/rabbit_networking.erl"},{line,300}]},{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,start_listener,5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot_ssl,1,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot,0,[{file,"src/rabbit_networking.erl"},{line,134}]},{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,[{file,"src/rabbit_boot_steps.erl"},{line,49}]},{rabbit_boot_steps,run_step,2,[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}Log files (may contain more information):ttytty{"init terminating in do_boot",{could_not_start,rabbit,{{case_clause,{error,{{shutdown,{failed_to_start_child,{ranch_listener_sup,{acceptor,{0,0,0,0},5671}},{shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0},5671},{options,{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{dhe_dss,aes_128_cbc,sha256},{rsa,aes_128_gcm,null,sha256},{rsa,aes_128_cbc,sha256},{ecdhe_ecdsa,aes_256_cbc,sha},{ecdhe_rsa,aes_256_cbc,sha},{dhe_rsa,aes_256_cbc,sha},{dhe_dss,aes_256_cbc,sha},{ecdh_ecdsa,aes_256_cbc,sha},{ecdh_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha},{ecdhe_ecdsa,'3des_ede_cbc',sha},{ecdhe_rsa,'3des_ede_cbc',sha},{dhe_rsa,'3des_ede_cbc',sha},{dhe_dss,'3des_ede_cbc',sha},{ecdh_ecdsa,'3des_ede_cbc',sha},{ecdh_rsa,'3des_ede_cbc',sha},{rsa,'3des_ede_cbc',sha},{ecdhe_ecdsa,aes_128_cbc,sha},{ecdhe_rsa,aes_128_cbc,sha},{dhe_rsa,aes_128_cbc,sha},{dhe_dss,aes_128_cbc,sha},{ecdh_ecdsa,aes_128_cbc,sha},{ecdh_rsa,aes_128_cbc,sha},{rsa,aes_128_cbc,sha},{dhe_rsa,des_cbc,sha},{rsa,des_cbc,sha}]}}}}}}},{child,undefined,'rabbit_tcp_listener_sup_0.0.0.0:5671',{tcp_listener_sup,start_link,[{0,0,0,0},5671,ranch_ssl,[inet,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2','tlsv1.1',tlsv1]},{cacertfile,"/usr/lib/rabbitmq/etc/rabbitmq/MyCA.pem"},{certfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem"},{keyfile,"/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_key.pem"},{verify,verify_none},{fail_if_no_peer_cert,false}],rabbit_connection_sup,[],{rabbit_networking,tcp_listener_started,['amqp/ssl']},{rabbit_networking,tcp_listener_stopped,['amqp/ssl']},1,"SSL Listener"]},transient,infinity,supervisor,[tcp_listener_sup]}}}},[{rabbit_networking,start_listener0,5,[{file,"src/rabbit_networking.erl"},{line,300}]},{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,start_listener,5,[{file,"src/rabbit_networking.erl"},{line,288}]},{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot_ssl,1,[{file,"src/rabbit_networking.erl"},{line,148}]},{rabbit_networking,boot,0,[{file,"src/rabbit_networking.erl"},{line,134}]},{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,[{file,"src/rabbit_boot_steps.erl"},{line,49}]},{rabbit_boot_steps,run_step,2,[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}}I am running this in AWS in an ECS cluster. Any help would be appreciated.
Luke Bakken
Nov 8, 2017, 11:47:57 AM11/8/17
to rabbitmq-users
Hello,
Unfortunately, the error message you should be interested in is buried in the output. This is the important text:
Failed to start Ranch listener {acceptor,{0,0,0,0},5671} in ranch_ssl:listen([{port,
5671},
5671},
...
...
{fail_if_no_peer_cert,false}]) for reason {options, {ciphers,
I have not experienced this error myself, so I searched Google using the following query string:
{fail_if_no_peer_cert,false}]) for reason {options, {ciphers,
I have not experienced this error myself, so I searched Google using the following query string:
"ranch_ssl" "for reason" "failed to start"
The top hit leads to this issue:
Reading through that issue, I suspect that you have a problem with your SSL configuration. My first guess is that the user account under which RabbitMQ is running (probably the rabbitmq user, but it may be different in your docker env) does not have read permissions to your certificate files located in
/usr/lib/rabbitmq. That is an unusual place to store certificates anyway.
One way to verify this would be to start RabbitMQ without SSL settings, and run this command:
rabbitmqctl eval '{ok, _} = file:read_file("/usr/lib/rabbitmq/etc/rabbitmq/rabbitmq_cer.pem").'
If that command succeeds, then there is some other issue in your SSL configuration. Please run the above command and respond with what you found.
Thanks!
If that command succeeds, then there is some other issue in your SSL configuration. Please run the above command and respond with what you found.
Thanks!
Luke
Staff Software Engineer
Pivotal / RabbitMQ
Jaime R. Maldonado-Miranda
Nov 8, 2017, 11:55:39 AM11/8/17
to rabbitm...@googlegroups.com
Thank you for the prompt response! I am fairly new to all of this,
which you probably could tell due to where I placed the certs. I will
try out what you said and post back here with an update!
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "rabbitmq-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rabbitmq-users/9alAii28SKo/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> rabbitmq-user...@googlegroups.com.
> To post to this group, send email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
which you probably could tell due to where I placed the certs. I will
try out what you said and post back here with an update!
> You received this message because you are subscribed to a topic in the
> Google Groups "rabbitmq-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rabbitmq-users/9alAii28SKo/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> rabbitmq-user...@googlegroups.com.
> To post to this group, send email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Bj Maldonado
Nov 8, 2017, 1:32:21 PM11/8/17
to rabbitmq-users
Ok so I tried what you mentioned.
So I can start the container without SSL configuration and the files do exist and are readable. I am using the rabbitmq user to read it as well I added a chmod 777 to the whole dir in the Dockerfile just to eliminate any permissions issues.
I get this back:
bash-4.3$ rabbitmqctl eval '{ok, _} = file:read_file("/usr/lib/rabbitmq/etc/rabbitmq/cacert.pem").'{ok,<<"-----BEGIN CERTIFICATE-----\nMIICxjCCAa6gAwIBAgIJAL1LiAbTphKdMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV\nBAMMCE15VGVzdENBMB4XDTE3MTEwNzIxMTMyN1oXDTE4MTEwNzIxMTMyN1owEzER\nMA8GA1UEAwwITXlUZXN0Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDtJVVZ10i5L7bicNbUYXrBleUJ+y24omVTA0z/hwERLHxOETuTiXDCLLvrRLLy\nPhIusYkbHOzB+BGf0V6Dst/hqeBovLyFq+ZDmoYqTNY/TH83KZYQj5crJm0At0XZ\nwTVGrUdCP/BH1LKiF66Kay7Wel1p4PIEdD+3FhqIvgU7yWpctxfUo99iojMYaMH4\n1X40zPFQ/ekL7Kiqmz5YOoyTEcYcF+cVl+EmZom0Z8VK0ROq769jRjy+NPdEEs9X\n07if8dL1TG5xpjwJLlA5YfpXKToJg23Umnf5SEiMeSQWlWcOXNrhHmXMti5hZC4Y\nb7jAkcTxrzB46KkbiVnKC3mrAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P\nBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA6ehXBCmT/cbZHdrCOEF7zYOAy7n2V\nc0FU+4dO+dPwg0WHp9Irlh6P1sNU6xO6nIGPpvwPvq/BcU4ZFJ+UhHNsK8sOKVBa\nFYMqqKhQTsRONUaNfNoDpZK9pNlYNuKxDKFx2+wD74C4XufzkPo3ZdzYG1NCOKUF\n6kAvXfF4Zdy3CEaifVd5eehXNmZnM88NSaCWFDb2GT27Gtu0v1FT2jj88stNfT62\nZndvInXPCz91nYI577iLfk+ro52cJrwvwKKcl/r6e8Ceq/M6P6pf7gj0lZwQs5Ff\ngR2FHdnQmSfb2IWkgV6Nj5ufp0xCxEAjWkHxYufttDRS61jcgYdqFuhi\n-----END CERTIFICATE-----\n">>}So I can start the container without SSL configuration and the files do exist and are readable. I am using the rabbitmq user to read it as well I added a chmod 777 to the whole dir in the Dockerfile just to eliminate any permissions issues.
I am still at a loss as to what about the SSL configuration is breaking this 🤔
Luke Bakken
Nov 8, 2017, 1:47:10 PM11/8/17
to rabbitmq-users
Hello Bj,
Thanks for verifying that. I did a different search which turned up this issue:
You wouldn't happen to be using Erlang 18, would you? If that's the case, I suggest using version 20 instead.
Thanks,
Luke
PS I used these search terms:
ranch_ssl "for reason" options ciphers
Luke Bakken
Nov 8, 2017, 1:49:21 PM11/8/17
to rabbitmq-users
Here it is in the output:
Starting RabbitMQ 3.6.2 on Erlang 18.3.2
You should upgrade your Erlang version to 20.1 - https://github.com/erlang/otp/releases/tag/OTP-20.1
Apologies that I didn't find the issue a bit faster!
Apologies that I didn't find the issue a bit faster!
Thanks,
Luke
Bj Maldonado
Nov 8, 2017, 2:05:05 PM11/8/17
to rabbitmq-users
No no! No need to apologize at all! Thank you for helping a lost soul find its way through the rabbit hole! haha I will upgrade and post my findings here.
Reply all
Reply to author
Forward
0 new messages