RabbitMQ SSL support on Windows - PullRequest

RabbitMQ SSL support on Windows

0 votes
/ 11 December 2018

I have RabbitMQ installed on a Windows 2012 server.
I need SSL/TLS support and read the following guide.
Unfortunately, the SSL listener fails to start, with no errors in the log file (after restarting the broker):

Starting RabbitMQ 3.7.7 on Erlang 21.0
 Copyright (C) 2007-2018 Pivotal Software, Inc.
 Licensed under the MPL.  See http://www.rabbitmq.com/
2018-12-11 09:47:15.205 [info] <0.269.0> 
 node           : rabbit@WIN-055QHB70C6Q
 home dir       : C:\Windows\system32\config\systemprofile
 config file(s) : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/advanced.config
                : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
 cookie hash    : r+sVz1OsZ1pBik8phgF0Ag==
 log(s)         : C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG
                : C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/rabbit@WIN-055QHB70C6Q_upgrade.log
 database dir   : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1
2018-12-11 09:47:16.363 [info] <0.277.0> Memory high watermark set to 1638 MiB (1717772288 bytes) of 4095 MiB (4294430720 bytes) total
2018-12-11 09:47:16.367 [info] <0.279.0> Enabling free disk space monitoring
2018-12-11 09:47:16.367 [info] <0.279.0> Disk free limit set to 50MB
2018-12-11 09:47:16.371 [info] <0.281.0> Limiting to approx 8092 file handles (7280 sockets)
2018-12-11 09:47:16.371 [info] <0.282.0> FHC read buffering:  OFF
2018-12-11 09:47:16.371 [info] <0.282.0> FHC write buffering: ON
2018-12-11 09:47:16.372 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2018-12-11 09:47:16.399 [info] <0.269.0> Priority queues enabled, real BQ is rabbit_variable_queue
2018-12-11 09:47:16.411 [info] <0.302.0> Starting rabbit_node_monitor
2018-12-11 09:47:16.435 [info] <0.269.0> Management plugin: using rates mode 'basic'
2018-12-11 09:47:16.435 [info] <0.334.0> Making sure data directory 'c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2018-12-11 09:47:16.438 [info] <0.334.0> Starting message stores for vhost '/'
2018-12-11 09:47:16.438 [info] <0.338.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.440 [info] <0.334.0> Started message store of type transient for vhost '/'
2018-12-11 09:47:16.440 [info] <0.341.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.441 [info] <0.334.0> Started message store of type persistent for vhost '/'
2018-12-11 09:47:16.446 [info] <0.376.0> started TCP Listener on [::]:5672
2018-12-11 09:47:16.447 [info] <0.391.0> started TCP Listener on 0.0.0.0:5672
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for connection tracking on this node: 'tracked_connection_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for per-vhost connection counting on this node: 'tracked_connection_per_vhost_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.452 [warning] <0.408.0> Could not find handle.exe, please install from sysinternals
2018-12-11 09:47:16.480 [info] <0.451.0> Management plugin started. Port: 15672
2018-12-11 09:47:16.480 [info] <0.557.0> Statistics database started.
2018-12-11 09:47:16.481 [notice] <0.111.0> Changed loghwm of C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG to 50
2018-12-11 09:47:16.566 [info] <0.7.0> Server startup complete; 3 plugins started.
 * rabbitmq_management
 * rabbitmq_web_dispatch
 * rabbitmq_management_agent

Environment:

Win Server 2012 R2, Erlang, RabbitMQ

Erlang: esl-erlang_21.0_windows_amd64.exe

1> erlang:system_info(otp_release).
"21"

RabbitMQ: rabbitmq-server-3.7.7.exe

rabbitmqctl status
{rabbit,"RabbitMQ","3.7.7"},

I changed the configuration file according to this guide:

c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf  


[
{rabbit, [
         {ssl_listeners, [5671]},
         {tcp_listeners, [{"localhost",5672}]},
         {tcp_listen_options, [binary,
                     {packet, raw},
                     {reuseaddr, true},
                     {backlog, 128},
                     {nodelay, true},
                     {exit_on_close, false},
                     {keepalive, true}]},
         {ssl_options, [{cacertfile,"C:\\temp\\cacert1.pem"},
                        {certfile,"C:\\temp\\cert.pem"},
                        {keyfile,"C:\\temp\\key.pem"},
                        {verify,verify_none},
                        {fail_if_no_peer_cert,false}]}
       ]}
    ].

The certificates were created earlier with openssl and tested on Ubuntu, where the same service runs without errors (with SSL enabled).

I checked the SSL configuration according to this guide:

werl.exe
ssl:versions().

Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]

Eshell V10.0  (abort with ^G)
1> ssl:versions().
[{ssl_app,"9.0"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1]},
 {supported_dtls,['dtlsv1.2',dtlsv1]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
 {available_dtls,['dtlsv1.2',dtlsv1]}]
2> 

and this guide:

PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_server -accept 8443 -cert "C:\temp\cert.pem" -key "C:\temp\key.pem" -CAfile "C:\temp\cacert1.pem"

Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH0CAQECAgMEBAITAgQgvBHCGaTQPFgF9V3OLCgGudWcTNUPj+VUaYVjoeX32ZYE
MHsxeVDcMSw4Fl5y12GDWlDqdhmomdlS2hOgeXDr21jRcP7kabTg92GvP08hnIIz
1aEGAgRcD80YogQCAhwgpAYEBAEAAACuBgIEeKP8gQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-
CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256
-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-S
HA256:ECDHE-ECDSA-AES256-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:
RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA
1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+
SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:
RSA+SHA1
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported

PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_client -connect localhost:8443 -cert "C:\temp\cert.pem" -key "C:\temp\key.pem" -CAfile "C:\temp\cacert1.pem"

CONNECTED(00000108)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
verify return:1
---
Certificate chain
 0 s:CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
   i:CN = MyTestCA
 1 s:CN = MyTestCA
   i:CN = MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM

issuer=CN = MyTestCA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2060 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1FB4C4A756AF733EA4819D8350B4B66E5568DCB1C598D08D4B7C657C13F4EC78
    Session-ID-ctx:
    Resumption PSK: 55578B334D92C9CDBE66FA20C7D0A9BF55F0E50F37F026BD08BC69908EA1826DE75ACD1E6F3C365777DB890967420469
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e   a.K....t........
    0010 - d7 13 91 f5 d2 9e 30 e7-57 61 a3 4a 50 8f ac fc   ......0.Wa.JP...
    0020 - 9b b1 17 5f 45 4b 79 fa-57 62 5c 41 eb 17 26 a1   ..._EKy.Wb\A..&.
    0030 - 90 3f 3e b0 65 fa a3 ff-3b d2 da 3c 4b 38 d4 ef   .?>.e...;..<K8..
    0040 - 11 d5 a9 59 69 37 97 f4-2e 84 2c ec 28 aa 7b 92   ...Yi7....,.(.{.
    0050 - a5 50 91 40 8d 9e 83 90-a0 5d f7 41 5c d6 ba 8b   .P.@.....].A\...
    0060 - 32 b9 47 cf 58 dc 72 26-6a ca ea 71 2f ee c6 5b   2.G.X.r&j..q/..[
    0070 - e7 ee bf 0d 68 0e 0c 32-4d 24 8e 91 73 5e 1d 9f   ....h..2M$..s^..
    0080 - ed 5a 6f 51 6e bc 7f ba-5e e7 25 3f a9 ad 91 0b   .ZoQn...^.%?....
    0090 - b7 26 17 1c 6b 89 11 e3-40 77 5f 38 59 98 64 dc   .&..k...@w_8Y.d.
    00a0 - d9 3b d3 ff 1d ca 6f c6-df e5 e6 8c db 1e 25 4c   .;....o.......%L
    00b0 - 50 b6 d5 e5 82 26 04 6e-b3 ca 11 95 d0 92 05 8e   P....&.n........
    00c0 - 60 a6 a8 a7 fe 3a 18 93-0f 8d 17 4d 2e a2 ce 69   `....:.....M...i

    Start Time: 1544539416
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 658363DA6FF899DD69009F26444543E1E839BBF0ACAE5288FD0BA019084F141A
    Session-ID-ctx:
    Resumption PSK: 7B317950DC312C38165E72D761835A50EA7619A899D952DA13A07970EBDB58D170FEE469B4E0F761AF3F4F219C8233D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e   a.K....t........
    0010 - 20 3b a8 d4 62 e7 56 9a-42 36 02 81 2a 48 d2 94    ;..b.V.B6..*H..
    0020 - a8 0b 21 aa ca 0a b1 60-a5 17 c7 4f a5 44 0e b7   ..!....`...O.D..
    0030 - 42 bf 1d 7e b5 f2 a9 8e-f4 5d ff 5c 9b c8 b8 c0   B..~.....].\....
    0040 - 19 d2 4e 5a f8 df 1b 96-bb f6 52 a4 eb 35 d5 fa   ..NZ......R..5..
    0050 - a5 c6 16 f2 ae a7 49 9d-f5 fd da 52 8e 9e a4 b3   ......I....R....
    0060 - 14 93 cd 71 dc f6 66 ea-f6 69 d8 19 05 ce c0 61   ...q..f..i.....a
    0070 - 39 83 7f d1 5f d9 ed 1d-92 f7 92 2d 59 5d 8d 7e   9..._......-Y].~
    0080 - 77 43 30 67 aa f4 78 5e-02 20 a2 59 f4 b4 04 40   wC0g..x^. .Y...@
    0090 - a8 6b 11 40 0c 03 4d 36-26 36 d2 a7 13 20 f2 3b   .k.@..M6&6... .;
    00a0 - e8 43 00 ca 65 30 6b 6b-1c 58 b9 7d 0d 89 b3 dc   .C..e0kk.X.}....
    00b0 - 2a 07 77 3a 7e 99 a3 e1-7e 35 09 fd e3 7a 7a a7   *.w:~...~5...zz.

    Start Time: 1544539416
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

The broker is restarted via *.bat files:
RabbitMQ Service - start
RabbitMQ Service - stop

Service status:

C:\Program Files\RabbitMQ Server\rabbitmq_server-3.7.7\sbin>rabbitmqctl status

Status of node rabbit@WIN-055QHB70C6Q ...

[{pid,2192},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.7.7"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.7"},
      {cowboy,"Small, fast, modern HTTP server.","2.2.2"},
      {amqp_client,"RabbitMQ AMQP Client","3.7.7"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.7"},
      {rabbit,"RabbitMQ","3.7.7"},
      {rabbit_common,
          "Modules shared by rabbitmq-server and rabbitmq-erlang-client",
          "3.7.7"},
      {recon,"Diagnostic tools for production use","2.3.2"},
      {ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.5.0"},
      {ranch,"Socket acceptor pool for TCP protocols.","1.5.0"},
      {ssl,"Erlang/OTP SSL application","9.0"},
      {public_key,"Public key infrastructure","1.6"},
      {mnesia,"MNESIA  CXC 138 12","4.15.4"},
      {asn1,"The Erlang ASN1 compiler version 5.0.6","5.0.6"},
      {os_mon,"CPO  CXC 138 46","2.4.5"},
      {cowlib,"Support library for manipulating Web protocols.","2.1.0"},
      {inets,"INETS  CXC 138 49","7.0"},
      {jsx,"a streaming, evented json parsing toolkit","2.8.2"},
      {xmerl,"XML parser","1.3.17"},
      {crypto,"CRYPTO","4.3"},
      {lager,"Erlang logging framework","3.6.3"},
      {goldrush,"Erlang event stream processor","0.1.9"},
      {compiler,"ERTS  CXC 138 10","7.2"},
      {syntax_tools,"Syntax tools","2.1.5"},
      {syslog,"An RFC 3164 and RFC 5424 compliant logging framework.","3.4.2"},
      {sasl,"SASL  CXC 138 11","3.2"},
      {stdlib,"ERTS  CXC 138 10","3.5"},
      {kernel,"ERTS  CXC 138 10","6.0"}]},
 {os,{win32,nt}},
 {erlang_version,
     "Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:64]\n"},
 {memory,
     [{connection_readers,0},
      {connection_writers,0},
      {connection_channels,0},
      {connection_other,31988},
      {queue_procs,0},
      {queue_slave_procs,0},
      {plugins,465588},
      {other_proc,29769468},
      {metrics,195780},
      {mgmt_db,150248},
      {mnesia,74600},
      {other_ets,2872488},
      {binary,169712},
      {msg_index,30080},
      {code,27499185},
      {atom,1131721},
      {other_system,9895974},
      {allocated_unused,9764240},
      {reserved_unallocated,0},
      {strategy,rss},
      {total,[{erlang,72286832},{rss,82051072},{allocated,82051072}]}]},
 {alarms,[]},
 {listeners,
     [{clustering,25672,"::"},
      {amqp,5672,"::"},
      {amqp,5672,"0.0.0.0"},
      {http,15672,"::"},
      {http,15672,"0.0.0.0"}]},
 {vm_memory_calculation_strategy,rss},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,1717772288},
 {disk_free_limit,50000000},
 {disk_free,74446868480},
 {file_descriptors,
     [{total_limit,8092},
      {total_used,2},
      {sockets_limit,7280},
      {sockets_used,0}]},
 {processes,[{limit,1048576},{used,398}]},
 {run_queue,1},
 {uptime,82},
 {kernel,{net_ticktime,60}}]

1 Answer

0 votes
/ 12 December 2018

Your configuration file is named rabbitmq.conf, but it has the wrong format for that file extension. You should rename the file with a .config extension and then restart the RabbitMQ service:

C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.config

If you want to use the rabbitmq.conf file, you must use the ini format, which is documented here: https://www.rabbitmq.com/configure.html#config-file-formats.

NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
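As an added worked example (not part of the question or the answer above, and not the RabbitMQ project's own code), here is the listener configuration from the question rewritten in the ini-style rabbitmq.conf format the answer refers to, applied and then checked from PowerShell on the Windows host. It assumes the same paths as the question (certificates under C:\temp, config under %APPDATA%\RabbitMQ, OpenSSL-Win64 in C:\Program Files), that rabbitmqctl.bat is on PATH, and that the Windows service is named RabbitMQ. The regex used against rabbitmqctl status output and the hard-coded sleep are assumptions. The posted config used verify_none and fail_if_no_peer_cert = false, which accepts any client; the ini version below requires a client certificate chained to MyTestCA and pins TLS 1.2, because ssl:versions() in the question shows sslv3 and tlsv1 still available in this OTP build.

```powershell
# Added example: write an ini-style rabbitmq.conf, restart the broker, verify the TLS listener.
# Not from the original question or answer; paths and service name are taken from the question.

$confDir = Join-Path $env:APPDATA 'RabbitMQ'
$conf    = Join-Path $confDir 'rabbitmq.conf'

# New-style (ini / sysctl) format, keys as documented at
# https://www.rabbitmq.com/configure.html and https://www.rabbitmq.com/ssl.html
# Forward slashes in paths avoid backslash-escaping issues in the config parser.
$ini = @'
## TLS listener on 5671; plain AMQP only on loopback, as in the Erlang-term config.
listeners.ssl.default = 5671
listeners.tcp.local   = 127.0.0.1:5672

ssl_options.cacertfile = C:/temp/cacert1.pem
ssl_options.certfile   = C:/temp/cert.pem
ssl_options.keyfile    = C:/temp/key.pem

## The question used verify_none / fail_if_no_peer_cert = false (any client accepted).
## Require a client certificate issued by the CA in cacertfile instead:
ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true

## Restrict to TLS 1.2; ssl:versions() showed sslv3/tlsv1/tlsv1.1 still available.
ssl_options.versions.1 = tlsv1.2

tcp_listen_options.backlog   = 128
tcp_listen_options.nodelay   = true
tcp_listen_options.keepalive = true
'@

# Move the Erlang-term file out of the way (as .bak, not .config) so that only one
# configuration file is in effect after the restart.
if (Test-Path $conf) {
    Move-Item -Path $conf -Destination (Join-Path $confDir 'rabbitmq.conf.bak') -Force
}
Set-Content -Path $conf -Value $ini -Encoding ASCII

# Restart the Windows service (equivalent to the question's stop/start .bat files).
Restart-Service -Name RabbitMQ
Start-Sleep -Seconds 10   # assumption: node is up within 10 s on this host

# 1) The broker itself must report the TLS listener (3.7.x prints {'amqp/ssl',5671,"::"}).
$status = & rabbitmqctl.bat status 2>&1 | Out-String
if ($status -notmatch "amqp/ssl',5671") {
    throw 'rabbitmqctl status does not list an amqp/ssl listener on 5671; check the log for a config parse error'
}

# 2) The OS must show a listening socket on 5671 (NetTCPIP module, Server 2012+).
if (-not (Get-NetTCPConnection -LocalPort 5671 -State Listen -ErrorAction SilentlyContinue)) {
    throw 'Nothing is listening on TCP 5671'
}

# 3) A real handshake with the CA and a client certificate. -verify_return_error makes
#    openssl exit non-zero if the server chain does not validate against cacert1.pem,
#    and -tls1_2 confirms the version pin. 'Q' on stdin closes the session cleanly.
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
'Q' | & $openssl s_client -connect localhost:5671 `
    -cert C:\temp\cert.pem -key C:\temp\key.pem -CAfile C:\temp\cacert1.pem `
    -tls1_2 -verify_return_error
if ($LASTEXITCODE -ne 0) { throw 'TLS handshake against 5671 failed' }
```

Run it from an elevated PowerShell prompt. If step 1 throws, the first thing to look at is the log the question shows: a malformed rabbitmq.conf is reported there at startup, whereas an Erlang-term file kept under the .conf name is silently not applied, which is exactly the symptom in the question (TCP listeners on 5672 only, no error).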
