Bug 1484547 - TLS for Internal services for RabbitMQ
Summary: TLS for Internal services for RabbitMQ
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 12.0 (Pike)
Assignee: John Eckersberg
QA Contact: Artem Hrechanychenko
URL:
Whiteboard:
Depends On: 1484601 1510144 1484499 1484506 1484512 1484517 1484520 1484521 1484524 1484531 1484535 1484542 1486759 1486766
Blocks: 1484550
Reported: 2017-08-23 20:21 UTC by atelang
Modified: 2019-04-10 13:58 UTC
CC List: 36 users

Fixed In Version: openstack-tripleo-heat-templates-7.0.4-0.20171108052223.6ae90da.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1484542
Clones: 1484550
Environment:
Last Closed: 2017-12-13 21:55:13 UTC


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2017:3462 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 12.0 Enhancement Advisory | 2018-02-16 01:43:25 UTC
OpenStack gerrit | 498325 | None | None | None | 2017-11-13 06:58:15 UTC

Comment 8 John Eckersberg 2017-08-29 12:45:48 UTC
Upstream PR for puppet-rabbitmq - https://github.com/voxpupuli/puppet-rabbitmq/pull/574

Comment 9 John Eckersberg 2017-09-13 14:11:41 UTC
This is merged upstream and pulled into RDO, just needs to wait on next downstream sync.

Comment 16 Artem Hrechanychenko 2017-11-27 16:17:43 UTC
openstack-tripleo-heat-templates-7.0.3-13.el7ost.noarch

sudo cat /var/log/pacemaker/bundles/rabbitmq-bundle-0/rabbitmq/rabbit@overcloud-controller-0.log |grep SSL
started SSL Listener on 172.17.1.18:5672

[heat-admin@overcloud-controller-0 ~]$ openssl s_client -connect overcloud-controller-0.internalapi.redhat.local:5672
CONNECTED(00000003)
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
   i:/O=REDHAT.LOCAL/CN=Certificate Authority
---
Server certificate
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1834 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2FD55EBE050F1B913A78F7B533BCEADAF01FB6C0BAD0FFA678F79F7F2729A4E4
    Session-ID-ctx: 
    Master-Key: 60D705D3CFDD6D7FF94EC455FB7CAC6F88E8CBC3611E5B92CFAB80086E2E9913AF8DF1A0B3A6858AFABB230DE29BFE8E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1511799122
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
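
The manual check in comment 16, turned into a repeatable pass/fail script. This is an added example, not part of the original bug report or of the TripleO templates; the function names and the pass criteria are assumptions of the example, and the transcript is a constructed sample.

```shell
# Constructed sample: a trimmed transcript shaped like the one in comment 16.
sample_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 O = REDHAT.LOCAL, CN = overcloud-controller-0.internalapi.redhat.local
verify return:1
subject=/O=REDHAT.LOCAL/CN=overcloud-controller-0.internalapi.redhat.local
issuer=/O=REDHAT.LOCAL/CN=Certificate Authority
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}

# check_tls_transcript EXPECTED_CN   (hypothetical helper; reads s_client output on stdin)
# s_client finishes the handshake even when chain validation fails, so the
# "Verify return code" line is graded explicitly rather than trusting the exit status.
# Pass criteria are assumptions of this example: verified chain, TLSv1.2 or later,
# an AEAD cipher, and a subject CN equal to EXPECTED_CN (SANs are not inspected).
check_tls_transcript() {
    awk -v want="$1" '
        /^subject=/       { n = split($0, p, "CN *= *"); cn = p[n]; sub("[,/].*$", "", cn) }
        /^ *Protocol *:/  { proto = $NF }
        /^ *Cipher *:/    { cipher = $NF }
        /Verify return code:/ { sub(".*Verify return code: *", ""); verify = $0 }
        END {
            if (verify == "")                 { print "FAIL verify: no result line"; bad = 1 }
            else if (verify !~ /^0 /)         { print "FAIL verify: " verify; bad = 1 }
            if (proto !~ /^TLSv1\.[23]$/)     { print "FAIL protocol: " proto; bad = 1 }
            if (cipher !~ /GCM|CCM|CHACHA20/) { print "FAIL cipher: " cipher; bad = 1 }
            if (cn != want)                   { print "FAIL subject CN: " cn; bad = 1 }
            if (!bad) print "PASS"
            exit bad + 0
        }'
}

# Live use against the listener from the report:
#   openssl s_client -connect HOST:5672 </dev/null 2>/dev/null | check_tls_transcript HOST
# Demo on the constructed sample, then on a copy whose chain did not verify.
host=overcloud-controller-0.internalapi.redhat.local
sample_transcript | check_tls_transcript "$host"
sample_transcript | sed 's/code: 0 (ok)/code: 19 (self signed certificate in certificate chain)/' |
    check_tls_transcript "$host" || true
```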

Comment 17 Artem Hrechanychenko 2017-11-27 16:26:18 UTC
VERIFIED

Comment 20 errata-xmlrpc 2017-12-13 21:55:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

