Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1484547

Summary: TLS for Internal services for RabbitMQ
Product: Red Hat OpenStack Reporter: atelang <atelang>
Component: openstack-tripleo-heat-templatesAssignee: John Eckersberg <jeckersb>
Status: CLOSED ERRATA QA Contact: Artem Hrechanychenko <ahrechan>
Severity: high Docs Contact:
Priority: high    
Version: 12.0 (Pike)CC: aavraham, amuller, apevec, asimonel, chrisw, cyril, derekh, eglynn, fdinitto, fpercoco, jeckersb, jliberma, josorior, jruzicka, jschluet, kbasil, lhh, mabrams, mburns, nkinder, nyechiel, ohochman, pkilambi, rhel-osp-director-maint, rhos-maint, rrasouli, sbaker, sclewis, shardy, srevivo, ssmolyak, tfreger, thiago, tvignaud, zaitcev, zbitter
Target Milestone: rcKeywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-7.0.4-0.20171108052223.6ae90da.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1484542
: 1484550 (view as bug list) Environment:
Last Closed: 2017-12-13 21:55:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1484601, 1510144, 1484499, 1484506, 1484512, 1484517, 1484520, 1484521, 1484524, 1484531, 1484535, 1484542, 1486759, 1486766    
Bug Blocks: 1484550    

Comment 8 John Eckersberg 2017-08-29 12:45:48 UTC
Upstream PR for puppet-rabbitmq - https://github.com/voxpupuli/puppet-rabbitmq/pull/574

Comment 9 John Eckersberg 2017-09-13 14:11:41 UTC
This is merged upstream and pulled into RDO, just needs to wait on next downstream sync.

Comment 16 Artem Hrechanychenko 2017-11-27 16:17:43 UTC
openstack-tripleo-heat-templates-7.0.3-13.el7ost.noarch

 sudo cat /var/log/pacemaker/bundles/rabbitmq-bundle-0/rabbitmq/rabbit@overcloud-controller-0.log |grep SSL
‎started SSL Listener on 172.17.1.18:5672
‎

[heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:5672
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIBFjANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxSRURI
QVQuTE9DQUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzEx
MjcxNTIzNTBaFw0xOTExMjgxNTIzNTBaMFExFTATBgNVBAoMDFJFREhBVC5MT0NB
TDE4MDYGA1UEAwwvb3ZlcmNsb3VkLWNvbnRyb2xsZXItMC5pbnRlcm5hbGFwaS5y
ZWRoYXQubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyqmJK
W1jXzfKx3ltZswDaDdBE3dPDnkiSPvWuWyKfWPLBoNTtutO7rdw7mYlo2wTMCTV+
rjaOMsm7mApLby0bDBKSMhKU4uxHd1QHKoWYaG9MsX7wwz5G3Q90tHTX5yRgSFpZ
OfugczJgm50WNIfoQTU1rEuktLeBJsICa2o8KwT77jspwnVsiSBZU+AKMQFLL9Xp
5fJxanGQINQKWOqV7FNHzb1NqUoWbqwrbtihG7wGILvLwi02EvK45gR4fW0cqbJu
9Q7D7nETKoVtxcHn9FYH6lBlNCwF4JfvypygiuAUfYGf+sMrle5kmNpY3hCwEQav
9Ju9WDlfADz9yGphAgMBAAGjggIoMIICJDAfBgNVHSMEGDAWgBQIMIhuYSdXuoR8
Z5k1RRi4HYLeoTA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9p
cGEtY2EucmVkaGF0LmxvY2FsL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB3BgNVHR8EcDBuMGygNKAyhjBodHRw
Oi8vaXBhLWNhLnJlZGhhdC5sb2NhbC9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQy
MDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3Jp
dHkwHQYDVR0OBBYEFN9VbnOe3MR0mXyLGzE/z3IUGg+sMIH5BgNVHREEgfEwge6C
L292ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2Fs
oFUGCisGAQQBgjcUAgOgRwxFcmFiYml0bXEvb3ZlcmNsb3VkLWNvbnRyb2xsZXIt
MC5pbnRlcm5hbGFwaS5yZWRoYXQubG9jYWxAUkVESEFULkxPQ0FMoGQGBisGAQUC
AqBaMFigDhsMUkVESEFULkxPQ0FMoUYwRKADAgEBoT0wOxsIcmFiYml0bXEbL292
ZXJjbG91ZC1jb250cm9sbGVyLTAuaW50ZXJuYWxhcGkucmVkaGF0LmxvY2FsMA0G
CSqGSIb3DQEBCwUAA4IBAQBl6LaEiB+8ny2T5KxkzFnFsT/JUq9lMSLhT0MVhLpj
aLHwyV2ObW3vttPfKJWdkKRQhi21xUojHvbZ7ZIhZiGKIu3qrNi9R9DJheey4W4C
Qw6OkFt2cQVkGdJgKfFiFTLw5Q6cXlZiINZVTGLu8J1lLUcaYYzk73BkMbDSbJ4Y
FvNMepweRKPqQv/0NUcu03gSRHlFb3M55A5ZQRomQLaIL3Tu5XcR7MQaFvd2Klsj
Fvgx239w+0XhRXSsvNKDMhcMlOlwGmrdNEj/lzZ9gWM2wZkDp/bNhFn2iCbmssr0
014pU3FGNm3KzF7tfY1+lOkz9CmG82LW932kRdsc3zZq
-----END CERTIFICATE-----
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1834 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2FD55EBE050F1B913A78F7B533BCEADAF01FB6C0BAD0FFA678F79F7F2729A4E4
    Session-ID-ctx: 
    Master-Key: 60D705D3CFDD6D7FF94EC455FB7CAC6F88E8CBC3611E5B92CFAB80086E2E9913AF8DF1A0B3A6858AFABB230DE29BFE8E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1511799122
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Comment 17 Artem Hrechanychenko 2017-11-27 16:26:18 UTC
VERIFIED

Comment 20 errata-xmlrpc 2017-12-13 21:55:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462