I have RabbitMQ installed on a Windows Server 2012 machine.
I need SSL/TLS support and read the following guide.
Unfortunately, the SSL listener does not start, and there are no errors in the log file (after restarting the broker):
Starting RabbitMQ 3.7.7 on Erlang 21.0
Copyright (C) 2007-2018 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/
2018-12-11 09:47:15.205 [info] <0.269.0>
node : rabbit@WIN-055QHB70C6Q
home dir : C:\Windows\system32\config\systemprofile
config file(s) : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/advanced.config
: c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
cookie hash : r+sVz1OsZ1pBik8phgF0Ag==
log(s) : C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG
: C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/rabbit@WIN-055QHB70C6Q_upgrade.log
database dir : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1
2018-12-11 09:47:16.363 [info] <0.277.0> Memory high watermark set to 1638 MiB (1717772288 bytes) of 4095 MiB (4294430720 bytes) total
2018-12-11 09:47:16.367 [info] <0.279.0> Enabling free disk space monitoring
2018-12-11 09:47:16.367 [info] <0.279.0> Disk free limit set to 50MB
2018-12-11 09:47:16.371 [info] <0.281.0> Limiting to approx 8092 file handles (7280 sockets)
2018-12-11 09:47:16.371 [info] <0.282.0> FHC read buffering: OFF
2018-12-11 09:47:16.371 [info] <0.282.0> FHC write buffering: ON
2018-12-11 09:47:16.372 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2018-12-11 09:47:16.399 [info] <0.269.0> Priority queues enabled, real BQ is rabbit_variable_queue
2018-12-11 09:47:16.411 [info] <0.302.0> Starting rabbit_node_monitor
2018-12-11 09:47:16.435 [info] <0.269.0> Management plugin: using rates mode 'basic'
2018-12-11 09:47:16.435 [info] <0.334.0> Making sure data directory 'c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2018-12-11 09:47:16.438 [info] <0.334.0> Starting message stores for vhost '/'
2018-12-11 09:47:16.438 [info] <0.338.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.440 [info] <0.334.0> Started message store of type transient for vhost '/'
2018-12-11 09:47:16.440 [info] <0.341.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.441 [info] <0.334.0> Started message store of type persistent for vhost '/'
2018-12-11 09:47:16.446 [info] <0.376.0> started TCP Listener on [::]:5672
2018-12-11 09:47:16.447 [info] <0.391.0> started TCP Listener on 0.0.0.0:5672
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for connection tracking on this node: 'tracked_connection_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for per-vhost connection counting on this node: 'tracked_connection_per_vhost_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.452 [warning] <0.408.0> Could not find handle.exe, please install from sysinternals
2018-12-11 09:47:16.480 [info] <0.451.0> Management plugin started. Port: 15672
2018-12-11 09:47:16.480 [info] <0.557.0> Statistics database started.
2018-12-11 09:47:16.481 [notice] <0.111.0> Changed loghwm of C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG to 50
2018-12-11 09:47:16.566 [info] <0.7.0> Server startup complete; 3 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* rabbitmq_management_agent
Environment:
Win Server 2012R2, Erlang, RabbitMQ
Erlang: esl-erlang_21.0_windows_amd64.exe
1> erlang:system_info(otp_release).
"21"
RabbitMQ: rabbitmq-server-3.7.7.exe
rabbitmqctl status
{rabbit,"RabbitMQ","3.7.7"},
The configuration file was changed according to this guide:
c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {tcp_listeners, [{"localhost",5672}]},
    {tcp_listen_options, [binary,
                          {packet, raw},
                          {reuseaddr, true},
                          {backlog, 128},
                          {nodelay, true},
                          {exit_on_close, false},
                          {keepalive, true}]},
    {ssl_options, [{cacertfile,"C:\\temp\\cacert1.pem"},
                   {certfile,"C:\\temp\\cert.pem"},
                   {keyfile,"C:\\temp\\key.pem"},
                   {verify,verify_none},
                   {fail_if_no_peer_cert,false}]}
  ]}
].
The certificates were created earlier with openssl and tested on Ubuntu, where the same service runs without errors (with SSL enabled).
I checked the SSL configuration according to this guide:
werl.exe
ssl:versions().
Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]
Eshell V10.0 (abort with ^G)
1> ssl:versions().
[{ssl_app,"9.0"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{supported_dtls,['dtlsv1.2',dtlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available_dtls,['dtlsv1.2',dtlsv1]}]
2>
and this guide:
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_server -accept 8443 -cert "C:\temp\cert.pem" -key "C:\t
emp\key.pem" -CAfile "C:\temp\cacert1.pem"
Using default temp DH parameters
ACCEPT
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-
CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256
-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-S
HA256:ECDHE-ECDSA-AES256-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:
RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA
1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+
SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:
RSA+SHA1
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_client -connect localhost:8443 -cert "C:\temp\cert.pem"
-key "C:\temp\key.pem" -CAfile "C:\temp\cacert1.pem"
CONNECTED(00000108)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
verify return:1
---
Certificate chain
0 s:CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
i:CN = MyTestCA
1 s:CN = MyTestCA
i:CN = MyTestCA
---
Server certificate
subject=CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
issuer=CN = MyTestCA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2060 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1FB4C4A756AF733EA4819D8350B4B66E5568DCB1C598D08D4B7C657C13F4EC78
Session-ID-ctx:
Resumption PSK: 55578B334D92C9CDBE66FA20C7D0A9BF55F0E50F37F026BD08BC69908EA1826DE75ACD1E6F3C365777DB890967420469
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 658363DA6FF899DD69009F26444543E1E839BBF0ACAE5288FD0BA019084F141A
Session-ID-ctx:
Resumption PSK: 7B317950DC312C38165E72D761835A50EA7619A899D952DA13A07970EBDB58D170FEE469B4E0F761AF3F4F219C8233D5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
The broker is restarted via the *.bat files:
RabbitMQ Service - start
RabbitMQ Service - stop
Service status:
C:\Program Files\RabbitMQ Server\rabbitmq_server-3.7.7\sbin>rabbitmqctl status
Status of node rabbit@WIN-055QHB70C6Q ...
[{pid,2192},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.7.7"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.7"},
{cowboy,"Small, fast, modern HTTP server.","2.2.2"},
{amqp_client,"RabbitMQ AMQP Client","3.7.7"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.7"},
{rabbit,"RabbitMQ","3.7.7"},
{rabbit_common,
"Modules shared by rabbitmq-server and rabbitmq-erlang-client",
"3.7.7"},
{recon,"Diagnostic tools for production use","2.3.2"},
{ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.5.0"},
{ranch,"Socket acceptor pool for TCP protocols.","1.5.0"},
{ssl,"Erlang/OTP SSL application","9.0"},
{public_key,"Public key infrastructure","1.6"},
{mnesia,"MNESIA CXC 138 12","4.15.4"},
{asn1,"The Erlang ASN1 compiler version 5.0.6","5.0.6"},
{os_mon,"CPO CXC 138 46","2.4.5"},
{cowlib,"Support library for manipulating Web protocols.","2.1.0"},
{inets,"INETS CXC 138 49","7.0"},
{jsx,"a streaming, evented json parsing toolkit","2.8.2"},
{xmerl,"XML parser","1.3.17"},
{crypto,"CRYPTO","4.3"},
{lager,"Erlang logging framework","3.6.3"},
{goldrush,"Erlang event stream processor","0.1.9"},
{compiler,"ERTS CXC 138 10","7.2"},
{syntax_tools,"Syntax tools","2.1.5"},
{syslog,"An RFC 3164 and RFC 5424 compliant logging framework.","3.4.2"},
{sasl,"SASL CXC 138 11","3.2"},
{stdlib,"ERTS CXC 138 10","3.5"},
{kernel,"ERTS CXC 138 10","6.0"}]},
{os,{win32,nt}},
{erlang_version,
"Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:64
]\n"},
{memory,
[{connection_readers,0},
{connection_writers,0},
{connection_channels,0},
{connection_other,31988},
{queue_procs,0},
{queue_slave_procs,0},
{plugins,465588},
{other_proc,29769468},
{metrics,195780},
{mgmt_db,150248},
{mnesia,74600},
{other_ets,2872488},
{binary,169712},
{msg_index,30080},
{code,27499185},
{atom,1131721},
{other_system,9895974},
{allocated_unused,9764240},
{reserved_unallocated,0},
{strategy,rss},
{total,[{erlang,72286832},{rss,82051072},{allocated,82051072}]}]},
{alarms,[]},
{listeners,
[{clustering,25672,"::"},
{amqp,5672,"::"},
{amqp,5672,"0.0.0.0"},
{http,15672,"::"},
{http,15672,"0.0.0.0"}]},
{vm_memory_calculation_strategy,rss},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1717772288},
{disk_free_limit,50000000},
{disk_free,74446868480},
{file_descriptors,
[{total_limit,8092},
{total_used,2},
{sockets_limit,7280},
{sockets_used,0}]},
{processes,[{limit,1048576},{used,398}]},
{run_queue,1},
{uptime,82},
{kernel,{net_ticktime,60}}]
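The listener and TLS settings from the question's rabbitmq.conf, rewritten here as an added example (not the question's file and not RabbitMQ's documentation) in the key = value syntax that RabbitMQ 3.7 parses from a file named rabbitmq.conf; the Erlang-term syntax shown in the question is the format of advanced.config / rabbitmq.config. Certificate paths are the question's own with forward slashes, and the verify_peer lines are a hardened variant that assumes clients present certificates issued by the same MyTestCA as cacert1.pem.

```ini
# Added example: RabbitMQ 3.7 rabbitmq.conf (key = value format),
# carrying over the listeners and TLS options from the question.

# Plain AMQP only on loopback (the question bound "localhost"),
# TLS AMQP on all interfaces
listeners.tcp.local   = 127.0.0.1:5672
listeners.ssl.default = 5671

# Socket options from the question's tcp_listen_options
tcp_listen_options.backlog       = 128
tcp_listen_options.nodelay       = true
tcp_listen_options.keepalive     = true
tcp_listen_options.exit_on_close = false

# Certificate files from the question; forward slashes on Windows
ssl_options.cacertfile = C:/temp/cacert1.pem
ssl_options.certfile   = C:/temp/cert.pem
ssl_options.keyfile    = C:/temp/key.pem

# Weak settings as in the question: the broker accepts any client
# and never asks for a client certificate (kept commented out).
# ssl_options.verify               = verify_none
# ssl_options.fail_if_no_peer_cert = false

# Hardened variant (assumption: clients hold certificates signed by
# MyTestCA): verify the client chain and reject clients without one
ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true

# Allow only TLS 1.2, the newest version ssl:versions() reports
# as supported on this OTP 21 install
ssl_options.versions.1 = tlsv1.2
```

After a restart, the listeners section of rabbitmqctl status, which in the question shows only clustering 25672, amqp 5672 and http 15672, should also list port 5671, and the log should report an SSL listener next to the two TCP listener lines.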