failing to start with ssl enabled

Bill Schwanitz

unread,

Apr 6, 2016, 3:55:41 PM4/6/16

to rabbitmq-users

I'm working on a rabbitmq server install in a vagrant environment. When I enable ssl the broker boot fails. I have read / done tests as described in https://www.rabbitmq.com/troubleshooting-ssl.html and can confirm the ssl cert/key and cacert are correct and readable as the rabbitmq user.

Anyone have an idea of whats wrong with the config? I checked permissions in /var/log/rabbitmq, /var/lib/rabbitmq and the config files in /etc/rabbitmq - all are correct to my knowledge

logs

Failed to start Ranch listener {acceptor,{0,0,0,0,0,0,0,0},5671} in ranch_ssl:listen([{port,

5671},

{ip,

{0,

0,

0}},

inet6,

binary,

{packet,

raw},

{reuseaddr,

true},

{backlog,

128},

{nodelay,

true},

{exit_on_close,

false},

{versions,

['tlsv1.2',

'tlsv1.1',

tlsv1]},

{cacertfile,

"/etc/pki/tls/certs/organizationvalidation-sha-2-w-root.ca-bundle"},

{certfile,

"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,

"/etc/pki/tls/private/rabbitmq.key"},

{verify,

true},

{fail_if_no_peer_cert,

false}]) for reason {options,

{verify,

true}} (unknown POSIX error)

=INFO REPORT==== 6-Apr-2016::15:47:33 ===

Error description:

{could_not_start,rabbit,

{{case_clause,

{error,

{{shutdown,

{failed_to_start_child,

{ranch_listener_sup,

{acceptor,{0,0,0,0,0,0,0,0},5671}},

{shutdown,

{failed_to_start_child,ranch_acceptors_sup,

{listen_error,

{acceptor,{0,0,0,0,0,0,0,0},5671},

{options,{verify,true}}}}}}},

{child,undefined,'rabbit_tcp_listener_sup_:::5671',

{tcp_listener_sup,start_link,

[{0,0,0,0,0,0,0,0},

5671,ranch_ssl,

[inet6,binary,

{packet,raw},

{reuseaddr,true},

{backlog,128},

{nodelay,true},

{exit_on_close,false},

{versions,['tlsv1.2','tlsv1.1',tlsv1]},

{cacertfile,

"/etc/pki/tls/certs/organizationvalidation-sha-2-w-root.ca-bundle"},

{certfile,"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,"/etc/pki/tls/private/rabbitmq.key"},

{verify,true},

{fail_if_no_peer_cert,false}],

rabbit_connection_sup,[],

{rabbit_networking,tcp_listener_started,

['amqp/ssl']},

{rabbit_networking,tcp_listener_stopped,

['amqp/ssl']},

1,"SSL Listener"]},

transient,infinity,supervisor,

[tcp_listener_sup]}}}},

[{rabbit_networking,start_listener0,5,

[{file,"src/rabbit_networking.erl"},{line,318}]},

{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,

[{file,"src/rabbit_networking.erl"},{line,306}]},

{rabbit_networking,start_listener,5,

[{file,"src/rabbit_networking.erl"},{line,306}]},

{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,

[{file,"src/rabbit_networking.erl"},{line,147}]},

{rabbit_networking,boot_ssl,1,

[{file,"src/rabbit_networking.erl"},{line,147}]},

{rabbit_networking,boot,0,

[{file,"src/rabbit_networking.erl"},{line,133}]},

{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,

[{file,"src/rabbit_boot_steps.erl"},{line,49}]},

{rabbit_boot_steps,run_step,2,

[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}

rabbitmq.config ( changed the hostnames )

% This file managed by Puppet

% Template Path: rabbitmq/templates/rabbitmq.config

[

{rabbit, [

{cluster_nodes, {['rab...@foo1.foo.net', 'rab...@foo2.foo.net'], disc}},

{cluster_partition_handling, ignore},

{tcp_listen_options,

[binary,

{packet, raw},

{reuseaddr, true},

{backlog, 128},

{nodelay, true},

{exit_on_close, false}]

},

{ssl_listeners, [5671]},

{ssl_options, [

{cacertfile,"/etc/pki/tls/certs/organizationvalidation-sha-2-w-root.ca-bundle"},

{certfile,"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,"/etc/pki/tls/private/rabbitmq.key"},

{verify,true},

{fail_if_no_peer_cert,false}

]},

{default_user, <<"guest">>},

{default_pass, <<"guest">>}

]},

{kernel, [

]}

,

{rabbitmq_management, [

{listener, [

{port, 15671},

{ssl, true},

{ssl_opts, [

{cacertfile, "/etc/pki/tls/certs/organizationvalidation-sha-2-w-root.ca-bundle"},

{certfile, "/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile, "/etc/pki/tls/private/rabbitmq.key"}

]}

].

% EOF

Michael Klishin

unread,

Apr 6, 2016, 4:05:08 PM4/6/16

to rabbitm...@googlegroups.com

RabbitMQ fails to bind to port 5671 on an IPv6 interface. Try setting node IP address e.g. to an IPv4 one (0.0.0.0) and see if it makes any difference.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ

Bill Schwanitz

unread,

Apr 6, 2016, 4:23:18 PM4/6/16

to rabbitm...@googlegroups.com

So, I may have figured out what was going on. I had a bad value for the verification:

{ssl_options, [

{cacertfile,"/etc/pki/tls/certs/organizationvalidation-sha-2-w-root.ca-bundle"},

{certfile,"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,"/etc/pki/tls/private/rabbitmq.key"},

{verify,verify_peer},

{fail_if_no_peer_cert,false}

]},

I had verify,true

I've destroyed / rebuilt the node a few times with this change and so far all is well. So, oops!

--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/IS6AGM0G_pg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.

Michael Klishin

unread,

Apr 6, 2016, 4:32:53 PM4/6/16

to rabbitm...@googlegroups.com

Yeah, please file an issue for rabbitmq-server about improving the error message (and options validation).

Bill Schwanitz

unread,

Apr 7, 2016, 8:18:18 AM4/7/16

to rabbitmq-users

Michael,

Done thanks again for your help!

https://github.com/rabbitmq/rabbitmq-server/issues/732

https://github.com/rabbitmq/rabbitmq-server/issues/733

I filed the issues as separate issues - hope that is ok. ( they feel like separate concerns to me so... )

Reply all

Reply to author

Forward