RabbitMQ TLS：tls_connection:format_status/2 崩溃了

时间:2018-04-16 14:05:32

标签: ssl go erlang rabbitmq

我正在尝试用 Go 客户端建立一个简单的 TLS 连接，而 RabbitMQ 在该客户端尝试建立启用了 TLS 的连接时报告了以下错误（客户端是 Go 写的）：

rabbitmq_1  | 2018-04-16 13:37:54.146 [error] <0.537.0> ** State machine <0.537.0> terminating
rabbitmq_1  | ** Last event = {{call,{<0.362.0>,#Ref<0.2669730211.1202454530.228189>}},{new_user,<0.359.0>}}
rabbitmq_1  | ** When server state  = {error,"tls_connection:format_status/2 crashed"}
rabbitmq_1  | ** Reason for termination = error:function_clause
rabbitmq_1  | ** Callback mode = state_functions
rabbitmq_1  | ** Stacktrace =
rabbitmq_1  | **  [{tls_connection,gen_handshake,[error,{call,{<0.362.0>,#Ref<0.2669730211.1202454530.228189>}},{new_user,<0.359.0>},{{options,{keyfil$
,"/certificates/server_key.pem",{error,eacces}}},{state,server,{#Ref<0.2669730211.1202454530.228187>,<0.362.0>},gen_tcp,tls_connection,tcp,tcp_closed,$
cp_error,"localhost",5671,#Port<0.26641>,{ssl_options,tls,[{3,3},{3,2},{3,1}],verify_none,{#Fun<ssl.8.51913203>,[]},#Fun<ssl.9.51913203>,false,false,u$
defined,1,<<"/certificates/server_certificate.pem">>,undefined,<<"/certificates/server_key.pem">>,undefined,[],undefined,<<"/certificates/ca_certifica$
e.pem">>,undefined,undefined,undefined,undefined,undefined,[<<"�,">>,<<"�0">>,<<"�$">>,<<"�(">>,<<"�.">>,<<"�2">>,<<"�&">>,<<"�*">>,<<204,20>>,<<204,1$
>>,<<204,21>>,<<0,159>>,<<0,163>>,<<0,107>>,<<0,106>>,<<0,157>>,<<0,61>>,<<"�+">>,<<"�/">>,<<"�#">>,<<"�'">>,<<"�-">>,<<"�1">>,<<"�%">>,<<"�)">>,<<0,1$
8>>,<<0,162>>,<<0,103>>,<<0,64>>,<<0,156>>,<<0,60>>,<<"�\n">>,<<192,20>>,<<0,57>>,<<0,56>>,<<192,5>>,<<192,15>>,<<0,53>>,<<"�\t">>,<<192,19>>,<<0,51>>$
<<0,50>>,<<192,4>>,<<192,14>>,<<0,47>>,<<"�\b">>,<<192,18>>,<<0,22>>,<<0,19>>,<<192,3>>,<<"�\r">>,<<0,10>>],#Fun<ssl.2.51913203>,true,268435456,false,$
rue,infinity,false,undefined,undefined,undefined,undefined,true,undefined,[],undefined,false,true,one_n_minus_one,undefined,false,{ssl_crl_cache,{inte$
nal,[]}},[{sha512,ecdsa},{sha512,rsa},{sha384,ecdsa},{sha384,rsa},{sha256,ecdsa},{sha256,rsa},{sha224,ecdsa},{sha224,rsa},{sha,ecdsa},{sha,rsa},{sha,ds
a}],{elliptic_curves,[{1,3,132,0,39},{1,3,132,0,38},{1,3,132,0,35},{1,3,36,3,3,2,8,1,1,13},{1,3,132,0,36},{1,3,132,0,37},{1,3,36,3,3,2,8,1,1,11},{1,3,1
32,0,34},{1,3,132,0,16},{1,3,132,0,17},{1,3,36,3,3,2,8,1,1,7},{1,3,132,0,10},{1,2,840,10045,3,1,7},{1,3,132,0,3},{1,3,132,0,26},{1,3,132,0,27},{1,3,132
,0,32},{1,3,132,0,33},{1,3,132,0,24},{1,3,132,0,25},{1,3,132,0,31},{1,2,840,10045,3,1,1},{1,3,132,0,1},{1,3,132,0,2},{1,3,132,0,15},{1,3,132,0,9},{1,3,
132,0,8},{1,3,132,0,30}]},false,false,262144},{socket_options,binary,raw,0,0,false},#{current_read => #{beast_mitigation => one_n_minus_one,cipher_stat
e => undefined,client_verify_data => undefined,compression_state => undefined,mac_secret => undefined,secure_renegotiation => undefined,security_parame
ters => {security_parameters,<<0,0>>,0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,undefined,undefined},sequence_number => 0,server_verify_data => undefine
d},current_write => #{beast_mitigation => one_n_minus_one,cipher_state => undefined,client_verify_data => undefined,compression_state => undefined,mac_
secret => undefined,secure_renegotiation => undefined,security_parameters => {security_parameters,<<0,0>>,0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,und
efined,undefined},sequence_number => 0,server_verify_data => undefined},pending_read => #{beast_mitigation => one_n_minus_one,cipher_state => undefined
,client_verify_data => undefined,compression_state => undefined,mac_secret => undefined,secure_renegotiation => undefined,security_parameters => {secur
ity_parameters,undefined,0,undefined,undefined,undefined,undefined,undefined,undefined,undefined,undefined,undefined,undefined,undefined,undefined,<<90
,212,167,50,197,80,21,183,229,252,83,2,191,100,222,147,149,112,255,82,15,77,192,185,123,46,121,210,16,197,219,183>>,undefined},server_verify_data => un
defined},pending_write => #{beast_mitigation => one_n_minus_one,cipher_state => undefined,client_verify_data => undefined,compression_state => undefine
d,mac_secret => undefined,secure_renegotiation => undefined,security_parameters => {security_parameters,undefined,0,undefined,undefined,undefined,undef
ined,undefined,undefined,undefined,...},...}},...}}],...},...]
rabbitmq_1  | 2018-04-16 13:37:54.146 [error] <0.537.0> CRASH REPORT Process <0.537.0> with 0 neighbours crashed with reason: no function clause matchi
ng tls_connection:gen_handshake(error, {call,{<0.362.0>,#Ref<0.2669730211.1202454530.228189>}}, {new_user,<0.359.0>}, {{options,{keyfile,"/certificates
/server_key.pem",{error,eacces}}},{state,server,{#Ref<0.2669730211.1202454530.228187>,...},...}}) line 714
rabbitmq_1  | 2018-04-16 13:37:54.148 [error] <0.203.0> Supervisor tls_connection_sup had child undefined started with {tls_connection,start_link,undef
ined} at <0.537.0> exit with reason no function clause matching tls_connection:gen_handshake(error, {call,{<0.362.0>,#Ref<0.2669730211.1202454530.22818
9>}}, {new_user,<0.359.0>}, {{options,{keyfile,"/certificates/server_key.pem",{error,eacces}}},{state,server,{#Ref<0.2669730211.1202454530.228187>,...}
,...}}) line 714 in context child_terminated
rabbitmq_1  | 2018-04-16 13:37:54.148 [error] <0.360.0> Supervisor {<0.360.0>,ranch_acceptors_sup} had child {acceptor,<0.360.0>,1} started with ranch_acceptor:start_link({sslsocket,nil,{#Port<0.26210>,{config,{ssl_options,tls,[{3,3},{3,2},{3,1}],verify_none,{#Fun<ssl.8..>,...},...},...}}}, ranch_ssl,
 <0.359.0>) at <0.362.0> exit with reason {{function_clause,[{tls_connection,gen_handshake,[error,{call,{<0.362.0>,#Ref<0.2669730211.1202454530.228189>
}},{new_user,<0.359.0>},{{options,{keyfile,"/certificates/server_key.pem",{error,eacces}}},{state,server,{#Ref<0.2669730211.1202454530.228187>,<0.362.0
>},gen_tcp,tls_connection,tcp,tcp_closed,tcp_error,"localhost",5671,#Port<0.26641>,{ssl_options,tls,[{3,3},{3,2},{3,1}],verify_none,{#Fun<ssl.8.5191320
3>,[]},#Fun<ssl.9.51913203>,false,false,undefined,1,<<"/certificates/server_certifica...">>,...},...}}],...},...]},...} in context child_terminated

这是我的Go客户端:

package main

import (
  "fmt"
  "log"
  "crypto/tls"
  "crypto/x509"
  "io/ioutil"

  "github.com/streadway/amqp"
)

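// failOnError logs msg together with err and terminates the process with
// exit status 1 when err is non-nil; it is a no-op when err is nil.
// Because it exits the process, deferred calls in the caller (for example
// conn.Close) do not run on the failure path.
func failOnError(err error, msg string) {
	if err == nil {
		return
	}
	// log.Fatal writes the line and calls os.Exit(1); the original panic
	// after log.Fatalf was unreachable (go vet: "unreachable code").
	log.Fatal(fmt.Sprintf("%s: %s", msg, err))
}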
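// main connects to RabbitMQ over TLS with a client certificate, declares the
// "hello" queue and prints every delivered message until the delivery
// channel is closed (i.e. the connection to the broker is lost).
//
// Every setup step aborts the run via failOnError; the original code
// silently ignored an unreadable CA file or client key pair, which left the
// TLS config with an empty root pool (every dial then fails with an opaque
// "unknown authority" error) or without a client certificate.
func main() {
	cfg := &tls.Config{
		RootCAs: x509.NewCertPool(),
		// The broker log shows it offering TLS 1.0-1.2; refuse the two
		// legacy versions on the client side so a downgrade cannot succeed.
		MinVersion: tls.VersionTLS12,
	}

	// The CA bundle must be readable and contain at least one PEM
	// certificate, otherwise server verification cannot succeed.
	ca, err := ioutil.ReadFile("/certificates/ca_certificate.pem")
	failOnError(err, "Failed to read CA certificate")
	if !cfg.RootCAs.AppendCertsFromPEM(ca) {
		log.Fatal("No CA certificate found in /certificates/ca_certificate.pem")
	}

	// Client key pair used for TLS client authentication.
	cert, err := tls.LoadX509KeyPair("/certificates/client_certificate.pem", "/certificates/client_key.pem")
	failOnError(err, "Failed to load client certificate")
	cfg.Certificates = append(cfg.Certificates, cert)

	conn, err := amqp.DialTLS("amqps://guest:guest@rabbitmq:5671", cfg)
	failOnError(err, "Failed to connect to RabbitMQ")
	defer conn.Close()

	ch, err := conn.Channel()
	failOnError(err, "Failed to open a channel")
	defer ch.Close()

	q, err := ch.QueueDeclare(
		"hello", // name
		false,   // durable
		false,   // delete when unused
		false,   // exclusive
		false,   // no-wait
		nil,     // arguments
	)
	failOnError(err, "Failed to declare a queue")

	msgs, err := ch.Consume(
		q.Name, // queue
		"",     // consumer
		true,   // auto-ack
		false,  // exclusive
		false,  // no-local
		false,  // no-wait
		nil,    // args
	)
	failOnError(err, "Failed to register a consumer")

	log.Printf(" [*] Waiting for messages. To exit press CTRL+C")
	// Consuming on the main goroutine means the program ends when the broker
	// closes the delivery channel, instead of blocking forever on a channel
	// that nothing ever writes to after the consumer goroutine has exited.
	for d := range msgs {
		log.Printf("Received a message: %s", d.Body)
	}
	log.Printf("Delivery channel closed; connection to RabbitMQ lost")
}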

这是我的RabbitMQ配置文件:

loopback_users.guest = false
listeners.tcp.default = 5672
hipe_compile = false
management.listener.port = 15672
management.listener.ssl = false

listeners.ssl.1 = 5671
ssl_options.cacertfile = /certificates/ca_certificate.pem
ssl_options.certfile = /certificates/server_certificate.pem
ssl_options.keyfile = /certificates/server_key.pem

我不懂 Erlang，对 RabbitMQ 本身乃至 TLS 也没有经验，下面这个帖子是我找到的与此问题最接近的内容：

https://bugs.erlang.org/browse/ERL-539

任何可能导致这种情况的想法?

其他一些细节:

  • Erlang版:20
  • Erlang SSL版:20.2
  • RabbitMQ版本:3.7.4
  • 使用 RabbitMQ 官方镜像在 docker-compose 中运行
  • 我已按照官方文档的建议使用 tls-gen 工具生成证书。

1 个答案:

答案 0 :(得分:0)

这一行:

"/certificates/server_key.pem",{error,eacces}

这意味着 RabbitMQ 进程没有读取该文件的权限（eacces 即 "permission denied"），因此运行：

chmod 0644 /certificates/server_key.pem

解决了这个问题。（注意：0644 会让服务器私钥对系统上的所有用户可读；更稳妥的做法是把文件属主改为运行 RabbitMQ 的用户，并使用 0600 或 0640 只对该用户/组开放读取权限。）