openstack/openstack-ansible
Code Issues Proposed changes

Additional RabbitMQ SSL fixes

Browse Source 
This patch fixes two problems with RabbitMQ's SSL/TLS listener.

* When self-signed certificates are used, the CA cert isn't created, but it's
  included with the RabbitMQ server config anyway (bug 1507364).

* Self-signed certificates are owned by root within RabbitMQ's configuration
  directory and are unreadable by RabbitMQ. User-provided certificates aren't
  affected (bug 1506992).

Closes-bug: 1506992
Closes-bug: 1507364

Change-Id: If4f6a325eea4772f2fad4604785241b67adfaaf6
This commit is contained in:
Major Hayden 2015-10-18 14:00:31 -05:00
parent 617f44170b
commit d7031f954d
3 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
playbooks/roles/rabbitmq_server/tasks/rabbitmq_ssl_key_create.yml
View File

@ -35,3 +35,14 @@
creates={{ rabbitmq_ssl_cert }}
tags:
- rabbitmq-ssl
- name: Ensure rabbitmq user owns the self-signed key and certificate
file:
path: "{{ item }}"
owner: rabbitmq
group: rabbitmq
with_items:
- "{{ rabbitmq_ssl_key }}"
- "{{ rabbitmq_ssl_cert }}"
tags:
- rabbitmq-ssl

11
playbooks/roles/rabbitmq_server/tasks/rabbitmq_ssl_key_distribute.yml
View File

@ -31,3 +31,14 @@
delay: 2
tags:
- rabbitmq-ssl
- name: Ensure rabbitmq user owns the self-signed key and certificate
file:
path: "{{ item }}"
owner: rabbitmq
group: rabbitmq
with_items:
- "{{ rabbitmq_ssl_key }}"
- "{{ rabbitmq_ssl_cert }}"
tags:
- rabbitmq-ssl

2
playbooks/roles/rabbitmq_server/templates/rabbitmq.config.j2
View File

@ -4,7 +4,7 @@
{ssl_listeners, [5671]},
{ssl_options, [{certfile,"{{ rabbitmq_ssl_cert }}"},
{keyfile,"{{ rabbitmq_ssl_key }}"},
{% if rabbitmq_ssl_ca_cert is defined -%}
{% if rabbitmq_user_ssl_ca_cert is defined -%}
{cacertfile,"{{ rabbitmq_ssl_ca_cert }}"},
{% endif -%}
{versions, ['tlsv1.2', 'tlsv1.1']},