I’ve been only partially successful in securing an OpenStack environment with SSL certs provided by a CA.
I’ve enabled DNS HA with MAAS for proper hostname resolution and have a CA wildcard cert for the domain. I set the FQDN for each host post-deployment (I have questions about this later) in MAAS. From what I can tell, the configurations are not being set on the deployed applications (charms?). I’ve attempted several different SSL “strings”: a base64-encoded bundle (issued cert, intermediate cert, root) as well as a straight string of the cert. I’ve noticed that some applications want PEM, some want base64-encoded, and it looks like others want a raw text copy of the cert. I’m looking for some assistance determining the correct way of implementing SSL for OpenStack (placement, cinder, glance, keystone, neutron-api, rabbitmq-server, ceph-radosgw, nova-cloud-controller, openstack-dashboard). I’m having the most difficulty with rabbitmq: every time I attempt SSL configuration the charm fails with errors.
=SUPERVISOR REPORT==== 23-Dec-2019::02:53:37 ===
Supervisor: {<0.315.0>,tcp_listener_sup}
Context: start_error
Reason: {shutdown,
{failed_to_start_child,ranch_acceptors_sup,
{listen_error,
{acceptor,{0,0,0,0,0,0,0,0},5671},
{options,{cacertfile,[]}}}}}
Offender: [{pid,undefined},
{id,{ranch_listener_sup,{acceptor,{0,0,0,0,0,0,0,0},5671}}},
{mfargs,
{ranch_listener_sup,start_link,
[{acceptor,{0,0,0,0,0,0,0,0},5671},
1,ranch_ssl,
[{port,5671},
{ip,{0,0,0,0,0,0,0,0}},
{max_connections,infinity},
{ack_timeout,5000},
{connection_type,supervisor},
inet6,
{backlog,128},
{nodelay,true},
{linger,{true,0}},
{exit_on_close,false},
{versions,['tlsv1.2','tlsv1.1',tlsv1]},
{verify,verify_peer},
{fail_if_no_peer_cert,false},
{certfile,"/etc/rabbitmq/rabbit-server-cert.pem"},
{keyfile,
"/etc/rabbitmq/rabbit-server-privkey.pem"}],
rabbit_connection_sup,[]]}},
{restart_type,permanent},
{shutdown,infinity},
{child_type,supervisor}]
=CRASH REPORT==== 23-Dec-2019::02:53:37 ===
crasher:
initial call: application_master:init/4
pid: <0.196.0>
registered_name: []
exception exit: {bad_return,
{{rabbit,start,[normal,[]]},
{'EXIT',
{{case_clause,
{error,
{{shutdown,
{failed_to_start_child,
{ranch_listener_sup,
{acceptor,{0,0,0,0,0,0,0,0},5671}},
{shutdown,
{failed_to_start_child,ranch_acceptors_sup,
{listen_error,
{acceptor,{0,0,0,0,0,0,0,0},5671},
{options,{cacertfile,[]}}}}}}},
{child,undefined,
'rabbit_tcp_listener_sup_:::5671',
{tcp_listener_sup,start_link,
[{0,0,0,0,0,0,0,0},
5671,ranch_ssl,
[inet6,
{backlog,128},
{nodelay,true},
{linger,{true,0}},
{exit_on_close,false},
{versions,['tlsv1.2','tlsv1.1',tlsv1]},
{verify,verify_peer},
{fail_if_no_peer_cert,false},
{certfile,
"/etc/rabbitmq/rabbit-server-cert.pem"},
{keyfile,
"/etc/rabbitmq/rabbit-server-privkey.pem"}],
rabbit_connection_sup,[],
{rabbit_networking,tcp_listener_started,
['amqp/ssl',
[{backlog,128},
{nodelay,true},
{linger,{true,0}},
{exit_on_close,false},
{versions,['tlsv1.2','tlsv1.1',tlsv1]},
{verify,verify_peer},
{fail_if_no_peer_cert,false},
{certfile,
"/etc/rabbitmq/rabbit-server-cert.pem"},
{keyfile,
"/etc/rabbitmq/rabbit-server-privkey.pem"}]]},
{rabbit_networking,tcp_listener_stopped,
['amqp/ssl',
[{backlog,128},
{nodelay,true},
{linger,{true,0}},
{exit_on_close,false},
{versions,['tlsv1.2','tlsv1.1',tlsv1]},
{verify,verify_peer},
{fail_if_no_peer_cert,false},
{certfile,
"/etc/rabbitmq/rabbit-server-cert.pem"},
{keyfile,
"/etc/rabbitmq/rabbit-server-privkey.pem"}]]},
1,"SSL Listener"]},
transient,infinity,supervisor,
[tcp_listener_sup]}}}},
[{rabbit_networking,start_listener0,5,
[{file,"src/rabbit_networking.erl"},{line,225}]},
{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,
[{file,"src/rabbit_networking.erl"},{line,213}]},
{rabbit_networking,start_listener,5,
[{file,"src/rabbit_networking.erl"},{line,213}]},
{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,
[{file,"src/rabbit_networking.erl"},{line,136}]},
{rabbit_networking,boot_ssl,1,
[{file,"src/rabbit_networking.erl"},{line,136}]},
{rabbit_networking,boot,0,
[{file,"src/rabbit_networking.erl"},{line,122}]},
{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,
[{file,"src/rabbit_boot_steps.erl"},{line,49}]},
{rabbit_boot_steps,run_step,2,
[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}}}
in function application_master:init/4 (application_master.erl, line 134)
ancestors: [<0.195.0>]
message_queue_len: 1
messages: [{'EXIT',<0.197.0>,normal}]
links: [<0.195.0>,<0.33.0>]
dictionary: []
trap_exit: true
status: running
heap_size: 2586
stack_size: 27
reductions: 157
neighbours:
As far as I can tell the error is with the SSL certs I’m trying to use. I have tried: raw text from the cert, a base64-encoded version of the same, and configuring a bundle (need details, as some apps want the bundle set up one way versus another, i.e. no CA, just intermediate and client, vs. client and intermediate: “order matters”).
Can I get some guidance on SSL configurations supplied via Juju for OpenStack deployments?
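The crash report above shows the SSL listener starting with `{verify,verify_peer}` but `{cacertfile,[]}`, i.e. an empty CA file, and the post raises the question of bundle order. The check below is an added example, not from the original post or the charms: it assumes only the openssl CLI, builds a throwaway root -> intermediate -> server chain (all names constructed), and then verifies that a PEM bundle is in the order a TLS peer expects: the server cert for the host name first, intermediates after it, and the root supplied as the separate CA file.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes only a POSIX shell and the
# openssl CLI; "example.test" and the "Constructed ..." CA names are constructed.
set -e
W=$(mktemp -d)

# Build a throwaway chain: root (self-signed) -> intermediate -> server leaf.
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -keyout "$W/root.key" -out "$W/root.pem" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$W/int.key" -out "$W/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=keyCertSign,cRLSign\n' >"$W/int.ext"
  openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -days 2 -extfile "$W/int.ext" -out "$W/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rabbitmq.example.test" \
    -keyout "$W/srv.key" -out "$W/srv.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rabbitmq.example.test\n' >"$W/srv.ext"
  openssl x509 -req -in "$W/srv.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
    -CAcreateserial -days 2 -extfile "$W/srv.ext" -out "$W/srv.pem" >/dev/null 2>&1
}

# check_bundle BUNDLE CAFILE HOST: returns 0 when the FIRST cert in BUNDLE is valid
# for HOST and chains through the remaining certs to a root in CAFILE, else non-zero.
# A reversed bundle or a leaf with its intermediate missing both fail here.
check_bundle() {
  rm -f "$W"/part*.pem
  # split on BEGIN markers: part1 = first cert (expected leaf), part2.. = the rest
  awk -v d="$W" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/part" n ".pem")}' "$1"
  : >"$W/untrusted.pem"
  for f in "$W"/part*.pem; do
    [ "$f" = "$W/part1.pem" ] || cat "$f" >>"$W/untrusted.pem"
  done
  if [ -s "$W/untrusted.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$W/untrusted.pem" -verify_hostname "$3" \
      "$W/part1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" -verify_hostname "$3" "$W/part1.pem" >/dev/null 2>&1
  fi
}
```

Run `check_bundle` against the real bundle and CA file (with the real host name) before handing them to any charm; if it fails, the ordering or the missing root is the problem, not the charm.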