rabbitmq / rabbitmq-management

RabbitMQ Management UI and HTTP API
https://www.rabbitmq.com/management.html

TLS listener port is reported incorrectly by `rabbitmq-diagnostics listeners` #857

Closed michaelklishin closed 4 years ago

michaelklishin commented 4 years ago

Using the following rabbitmq.conf:

management.ssl.port = 15679

management.ssl.cacertfile = /path/to/tls-gen.git/basic/result/ca_certificate.pem
management.ssl.certfile = /path/to/tls-gen.git/basic/result/server_certificate.pem
management.ssl.keyfile = /path/to/tls-gen.git/basic/result/server_key.pem

management.http_log_dir = /tmp/

I observe the following effective configuration:

 {rabbitmq_management,
     [{content_security_policy,
          "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
      {cors_allow_origins,[]},
      {cors_max_age,1800},
      {http_log_dir,"/tmp/"},
      {load_definitions,none},
      {management_db_cache_multiplier,5},
      {process_stats_gc_timeout,300000},
      {ssl_config,
          [{cacertfile,
               "/path/to/tls-gen.git/basic/result/ca_certificate.pem"},
           {keyfile,
               "/path/to/tls-gen.git/basic/result/server_key.pem"},
           {certfile,
               "/path/to/tls-gen.git/basic/result/server_certificate.pem"},
           {port,15679}]},

So far so good. Unfortunately, the port is not reported correctly by rabbitmq-diagnostics listeners:

rabbitmq-diagnostics listeners -s
# => …
# => Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
# => …

but according to lsof -p, it is bound to:

beam.smp 44997 username  132u    IPv4 0x19a893bfd233a6c9       0t0                 TCP *:15672 (LISTEN)
beam.smp 44997 username  133u    IPv4 0x19a893bfd2a1de49       0t0                 TCP *:15679 (LISTEN)

Filing here because at first I thought the value was not picked up at all by the plugin.

Looks like #800 and #801 did not iron out all the issues after all.
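The manual cross-check in the report above can be scripted; this is an added example, not part of the original post or RabbitMQ's own tooling. It parses what the listener registry reports and what the process actually holds in LISTEN state, then diffs the two. The sample inputs are constructed in the shape of the outputs quoted in this issue, and the function names are hypothetical.

```python
import re

# Constructed sample inputs in the shape of the outputs quoted in this issue
# (device addresses and the extra lines are made up for illustration).
# Live input would come from `rabbitmq-diagnostics listeners -s` and `lsof -p <pid>`.
DIAGNOSTICS_OUTPUT = """\
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
"""
LSOF_OUTPUT = """\
beam.smp 44997 username  130u    IPv4 0x0000000000000001       0t0                 TCP *:25672 (LISTEN)
beam.smp 44997 username  131u    IPv6 0x0000000000000002       0t0                 TCP *:5672 (LISTEN)
beam.smp 44997 username  132u    IPv4 0x19a893bfd233a6c9       0t0                 TCP *:15672 (LISTEN)
beam.smp 44997 username  133u    IPv4 0x19a893bfd2a1de49       0t0                 TCP *:15679 (LISTEN)
beam.smp 44997 username  140u    IPv4 0x0000000000000003       0t0                 TCP 127.0.0.1:25672->127.0.0.1:51000 (ESTABLISHED)
"""

LISTENER_RE = re.compile(
    r"^Interface: [^,]+, port: (\d+), protocol: ([^,]+), purpose: .+$", re.M)
# Only sockets in LISTEN state count; numeric ports are assumed in the lsof output.
LSOF_LISTEN_RE = re.compile(r"TCP \S+:(\d+) \(LISTEN\)")


def reported_listeners(text):
    """Map port -> protocol as reported by the listener registry."""
    return {int(port): proto for port, proto in LISTENER_RE.findall(text)}


def bound_ports(text):
    """Ports the process actually holds in LISTEN state."""
    return {int(port) for port in LSOF_LISTEN_RE.findall(text)}


def listener_mismatch(diag_text, lsof_text):
    """Return listeners that are reported but not bound, and bound but not reported."""
    reported, bound = reported_listeners(diag_text), bound_ports(lsof_text)
    return {
        "reported_not_bound": sorted((p, reported[p]) for p in set(reported) - bound),
        "bound_not_reported": sorted(bound - set(reported)),
    }


if __name__ == "__main__":
    for kind, items in listener_mismatch(DIAGNOSTICS_OUTPUT, LSOF_OUTPUT).items():
        print(kind, items)
```

A non-empty result in either list means the reported listeners should not be used as the basis for firewall rules or port audits on that node.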

michaelklishin commented 4 years ago

rabbit_networking:active_listeners/0 returns

 {listener,rabbit@moraine,https,"moraine",
           {0,0,0,0,0,0,0,0},
           15671,
           [{cowboy_opts,[{sendfile,false}]},
            {port,15671},
            {ssl,true},
            {ssl_opts,[{cacertfile,"/path/to/tls-gen.git/basic/result/ca_certificate.pem"},
                       {keyfile,"/path/to/tls-gen.git/basic/result/server_key.pem"},
                       {certfile,"/path/to/tls-gen.git/basic/result/server_certificate.pem"},
                       {port,15679}]}]},

lukebakken commented 4 years ago

@michaelklishin - https://www.pivotaltracker.com/story/show/135606833

lukebakken commented 4 years ago

How did you find this issue, @michaelklishin? It works when I use this configuration file: rabbitmq-tls.conf.txt

Output:

$ ./sbin/rabbitmq-diagnostics listeners
Asking node rabbit@shostakovich to report its protocol listeners ...
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS

I'll try next with a more minimal file like yours.

lukebakken commented 4 years ago

Even with a shorter configuration it appears to work correctly:

(23.1.1)lbakken@shostakovich ~/development/rabbitmq/umbrella/deps/rabbitmq_server_release (master %=)
$ ./sbin/rabbitmq-diagnostics listeners
Asking node rabbit@shostakovich to report its protocol listeners ...
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
(23.1.1)lbakken@shostakovich ~/development/rabbitmq/umbrella/deps/rabbitmq_server_release (master %=)
$ ./sbin/rabbitmq-diagnostics listeners -s
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

Can't reproduce with 3.8.9 generic-unix, either. Closing!

michaelklishin commented 4 years ago

Using a generic UNIX build and the config above. I can try another machine later on.

xirius commented 4 years ago

@lukebakken The initial port in the first post is not the default port:

management.ssl.port = 15679

and in your own logs the reported port is the wrong one! (it is a default port)

$ ./sbin/rabbitmq-diagnostics listeners
Asking node rabbit@shostakovich to report its protocol listeners ...
Interface: [::], port: **15671**, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS

It doesn't work for me either.

michaelklishin commented 4 years ago

"works" here could refer to the fact that the node does bind to the expected port. Only the listener registry reports the default value.

lukebakken commented 4 years ago

@xirius I was testing with port 15671 in my configuration files when apparently I should have been using a different value. I didn't think the value mattered, just that it didn't show up in the output.