[meta-virtualization] Adding SSL support to RabbitMQ Server 3.2.4

Bruce Ashfield bruce.ashfield at gmail.com
Wed Sep 19 01:20:27 PDT 2018


On Tue, Sep 18, 2018 at 10:00 PM, Phillip Warren <warrenphd at gmail.com> wrote:
> Multipost from [yocto] as I just realized [meta-virtualization] is probably
> the proper list for this question.
>
> Hi, rookie here. I'm trying to enable SSL for Management Plugin for RabbitMQ
> Server 3.2.4 on pyro.
>
> Without modifying the build, I simply created /etc/rabbitmq/rabbitmq.config
> with the following entries:
>
> [
>   {rabbitmq_management,
>   [
>     {listener, [{port,     15671},
>                 {ip,       "0.0.0.0"},
>                 {ssl,      true},
>                 {ssl_opts, [{cacertfile, "/etc/rabbitmq/root-ca.pem"},
>                             {certfile,   "/etc/rabbitmq/dev.pem"},
>                             {keyfile,    "/etc/rabbitmq/dev-np.key"}]}]}
>   ]}
> ].
>
>
> and placed the cacertfile, certfile, and keyfile at /etc/rabbitmq/
>
>
> RabbitMQ Server fails to start at boot.
> /var/log/rabbitmq/rabbitmq@{hostname}.log shows the following error:
>
>
> =ERROR REPORT==== 17-Sep-2018::20:13:16 ===
> ** Generic server rabbit_web_dispatch_registry terminating
> ** Last message in was {add,rabbit_mgmt,
>                            [{port,15671},
>                             {ip,"0.0.0.0"},
>                             {ssl,true},
>                             {ssl_opts,
>                                 [{cacertfile,"/etc/rabbitmq/root-ca.pem"},
>                                  {certfile,"/etc/rabbitmq/dcx-dev.pem"},
>                                  {keyfile,"/etc/rabbitmq/dcx-dev-np.key"}]}],
>                            #Fun<rabbit_web_dispatch.1.73001898>,
>                            #Fun<rabbit_mgmt_app.2.77843060>,
>                            {[],"RabbitMQ Management"}}
> ** When Server state == undefined
> ** Reason for termination ==
> ** {could_not_start_listener,
>        [{port,15671},
>         {ip,"0.0.0.0"},
>         {ssl,true},
>         {ssl_opts,
>             [{cacertfile,"/etc/rabbitmq/root-ca.pem"},
>              {certfile,"/etc/rabbitmq/dcx-dev.pem"},
>              {keyfile,"/etc/rabbitmq/dcx-dev-np.key"}]}],
>        {'EXIT',
>            {{case_clause,{error,{"no such file or directory","crypto.app"}}},
>             [{mochiweb,ensure_started,1,
>                  [{file,"mochiweb-wrapper/mochiweb-git/src/mochiweb.erl"},
>                   {line,71}]},
>              {mochiweb_socket_server,prep_ssl,1,
>                  [{file,
>                    "mochiweb-wrapper/mochiweb-git/src/mochiweb_socket_server.erl"},
>                   {line,139}]},
>              {mochiweb_socket_server,start_server,2,
>                  [{file,
>                    "mochiweb-wrapper/mochiweb-git/src/mochiweb_socket_server.erl"},
>                   {line,130}]},
>              {supervisor,do_start_child,2,
>                  [{file,"supervisor.erl"},{line,310}]},
>              {supervisor,handle_start_child,2,
>                  [{file,"supervisor.erl"},{line,681}]},
>              {supervisor,handle_call,3,[{file,"supervisor.erl"},{line,390}]},
>              {gen_server,handle_msg,5,[{file,"gen_server.erl"},{line,585}]},
>              {proc_lib,init_p_do_apply,3,
>                  [{file,"proc_lib.erl"},{line,239}]}]}}}
>
> After googling around, I'm going down the path of trying to build Erlang
> with SSL support. Please stop me if this isn't the proper approach!
>
> I clearly see in
> meta-cloud-services/meta-openstack/recipes-devtools/erlang/erlang-native_R16B03-1.bb
> a line that says:
>
> EXTRA_OECONF = '--without-ssl'
>
>
> To alter this statement, I wrote an erlang-native_R16B03-1.bbappend in my
> meta-layer and tried the following entries:
>
>
> *****************************************************************************************************
>
> DEPENDS += "ncurses-native openssl"
> EXTRA_OECONF = '--with-ssl=/usr/bin/openssl'
>
> This fails to build with the following error:
>
> configure: error: Invalid path to option --with-ssl=PATH
>
> configure: error: /bin/bash 'build/tmp/work/x86_64-linux/erlang-native/R16B03-1-r0/otp_src_R16B03-1/erts/configure' failed for erts
>
>
> *****************************************************************************************************
>
>
> DEPENDS += "ncurses-native openssl"
> EXTRA_OECONF = '--with-ssl'
>
>
> Builds successfully but produces the same error as above in
> /var/log/rabbitmq/rabbitmq@{hostname}.log
>
> *****************************************************************************************************
>
>
> DEPENDS += "ncurses-native openssl"
> EXTRA_OECONF = "--with-ssl=${STAGING_DIR_HOST}${layout_exec_prefix}"
>
> Builds successfully but produces the same error as above in
> /var/log/rabbitmq/rabbitmq@{hostname}.log
> *****************************************************************************************************
>
> DEPENDS += "ncurses-native openssl"
> EXTRA_OECONF =  "--with-ssl use SSL"
>
> Builds successfully but produces the same error as above in
> /var/log/rabbitmq/rabbitmq@{hostname}.log
> *****************************************************************************************************

I can't say that I've enabled this, or tried it myself. But what you
need to keep in mind is that there seem to be different places where you
seem to be getting the error: build time and then runtime.

You shouldn't need to modify the -native erlang recipe for your issue,
since that is what runs on the build process itself; what you
configure there should not creep into the runtime erlang (unless there
is some strange packaging going on ... I haven't looked recently). Or
is it that erlang native is the bootstrap for the target erlang and
must have ssl enabled for it to make it into the runtime erlang?

So my question is, have you tried modifying the target erlang versus
the -native erlang ?

For the build time, have you inspected the rabbitmq build itself to
see how ssl was detected and built into the module you are looking
to add?

For the runtime error, what you are configuring in the build is
not the location where ssl is going to be found on the target, so that
is why the error is being thrown about it not being found.  The target
erlang may need an RDEPENDS added for ssl to make sure that it is
installed on the target in a location that can be found (there is
already a DEPENDS on ssl in the target erlang, so it may be taken care
of already).

Not much help, but some ideas to look into.

Bruce


>
> Detailed help is greatly appreciated. Seems like I'm missing something
> obvious.
>
> Best Regards,
> Phillip Warren
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
>



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"
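
An added example, not part of the original thread: a pre-flight check for the target that reports which OTP applications the TLS listener needs are absent from the Erlang lib directory (the condition behind the `crypto.app` error above; `ssl` depends on `crypto` and `public_key`, and `public_key` on `asn1`) and which certificate or key files named in `rabbitmq.config` are unreadable. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the
# rabbitmq_management TLS listener on the target.

# missing_otp_apps LIBDIR APP...
# Prints each APP that has no LIBDIR/<APP>-<vsn>/ebin/<APP>.app file, i.e. the
# condition behind {error,{"no such file or directory","crypto.app"}}.
missing_otp_apps() {
    libdir=$1; shift
    missing=""
    for app in "$@"; do
        found=no
        for f in "$libdir/$app"-*/ebin/"$app".app; do
            if [ -f "$f" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then missing="$missing $app"; fi
    done
    echo "${missing# }"
}

# missing_tls_files CONFIG
# Prints the cacertfile/certfile/keyfile paths in CONFIG that are not readable.
missing_tls_files() {
    sed -n -E 's/.*\{(cacertfile|certfile|keyfile), *"([^"]*)".*/\2/p' "$1" |
    while IFS= read -r path; do
        if [ ! -r "$path" ]; then echo "$path"; fi
    done
}

# Constructed sample: an OTP lib tree without crypto/ssl (versions are
# placeholders) and a config that names one existing and one absent file.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/kernel-1.0/ebin" "$d/lib/stdlib-1.0/ebin"
    : > "$d/lib/kernel-1.0/ebin/kernel.app"
    : > "$d/lib/stdlib-1.0/ebin/stdlib.app"
    : > "$d/dev.pem"
    printf '%s\n' "[{rabbitmq_management, [{listener, [{ssl, true}," \
        "  {ssl_opts, [{certfile,   \"$d/dev.pem\"}," \
        "              {keyfile,    \"$d/dev-np.key\"}]}]}]}]." > "$d/rabbitmq.config"
    echo "$d"
}

s=$(make_sample)
echo "missing OTP apps:  $(missing_otp_apps "$s/lib" crypto asn1 public_key ssl)"
echo "missing TLS files: $(missing_tls_files "$s/rabbitmq.config")"
rm -rf "$s"
```

On a real target, pass the directory printed by `erl -noshell -eval 'io:format("~s~n", [code:lib_dir()]), halt().'` as LIBDIR and `/etc/rabbitmq/rabbitmq.config` as CONFIG.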

