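Connecting Celery (Django) to RabbitMQ using SSL/TLS

Time: 2018-06-22 12:22:00

Tags: python django ssl rabbitmq celery

This question is related to 49320158; I will try to provide more details.

I am trying to follow the tutorial First Steps with Django, but I need to add TLS/SSL to connect to a RabbitMQ server v3.7.4.

I have tested my certificates with pika 11.2, and I can connect.

But celery cannot connect, and rabbitmq says 'no peer certificate'.

How do I specify, or make sure, that celery sends the certificate?

Just the celery settings from my settings.py (django):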

# celery settings    
SSL_DIR = os.path.normpath(os.path.join(BASE_DIR, '../../ssl/client'))    
CELERY_BROKER_USE_SSL = {    
      'keyfile': SSL_DIR + '/user-key.pem',    
      'certfile': SSL_DIR + '/user-cert.pem',    
      'ca_certs': SSL_DIR + '/default_cacert.pem',    
      'cert_reqs': ssl.CERT_REQUIRED                                            
}    
CELERY_BROKER_LOGIN_METHOD = "EXTERNAL"    
CELERY_BROKER_URL = 'amqps://user@rabbitmqserver/vhost'    

My celery.py:

from __future__ import absolute_import, unicode_literals                    
import os                                                                   
import ssl                                                                  
from celery import Celery                                                   

os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'webui.settings')           

app = Celery('webui')                                                       

app.config_from_object('django.conf:settings',                              
                    silent=False, force=True, namespace='CELERY')           

PROJ_DIR = os.path.dirname(os.path.dirname(__file__))                       
BASE_DIR = os.path.normpath(os.path.join(PROJ_DIR, '../../ssl/client'))                    
cert_conf = {                                                               
    "ca_certs": BASE_DIR + "default-cacert.pem",                            
    "certfile": BASE_DIR + "user-cert.pem",                            
    "keyfile": BASE_DIR + "user-key.pem",                              
    "cert_reqs": ssl.CERT_REQUIRED                                          
}                                                                           
# try manually setting the BROKER_USE_SSL                                         
app.conf.update(BROKER_USE_SSL=cert_conf)          

# try enabling message signing, too                                                                            
app.conf.update(                                                            
    security_key=BASE_DIR+'user-key.pm',                               
    security_certificate=BASE_DIR+'user-cert.pem',                     
    security_cert_store=BASE_DIR+'*.pem',                                   
)                                                                           
app.setup_security()                                                        

# Load task modules from all registered Django app configs.                 
app.autodiscover_tasks()                                                    


@app.task(bind=True)                                                        
def debug_task(self):                                                       
    print('Request: {0!r}'.format(self.request))                            

Celery stack trace:

[2018-06-22 12:04:07,628: CRITICAL/MainProcess] Unrecoverable error: AccessRefused(403, u'ACCESS_REFUSED - Login was refused using authentication mechanism EXTERNAL. For details see the broker logfile.', (0, 0), u'')
Traceback (most recent call last):
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/worker.py", line 205, in start
    self.blueprint.start(self)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/bootsteps.py", line 119, in start
    step.start(parent)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/bootsteps.py", line 369, in start
    return self.obj.start()
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/consumer/consumer.py", line 322, in start
    blueprint.start(self)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/bootsteps.py", line 119, in start
    step.start(parent)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/consumer/connection.py", line 23, in start
    c.connection = c.connect()
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/consumer/consumer.py", line 409, in connect
    conn = self.connection_for_read(heartbeat=self.amqheartbeat)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/consumer/consumer.py", line 416, in connection_for_read
    self.app.connection_for_read(heartbeat=heartbeat))
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/celery/worker/consumer/consumer.py", line 440, in ensure_connected
    callback=maybe_shutdown,
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/connection.py", line 405, in ensure_connection
    callback)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/utils/functional.py", line 332, in retry_over_time
    return fun(*args, **kwargs)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/connection.py", line 261, in connect
    return self.connection
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/connection.py", line 802, in connection
    self._connection = self._establish_connection()
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/connection.py", line 757, in _establish_connection
    conn = self.transport.establish_connection()
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/kombu/transport/pyamqp.py", line 130, in establish_connection
    conn.connect()
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/connection.py", line 308, in connect
    self.drain_events(timeout=self.connect_timeout)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/connection.py", line 491, in drain_events
    while not self.blocking_read(timeout):
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/connection.py", line 497, in blocking_read
    return self.on_inbound_frame(frame)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/method_framing.py", line 55, in on_frame
    callback(channel, method_sig, buf, None)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/connection.py", line 501, in on_inbound_method
    method_sig, payload, content,
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/abstract_channel.py", line 128, in dispatch_method
    listener(*args)
  File "/home/username/.virtualenvs/edi/local/lib/python2.7/site-packages/amqp/connection.py", line 623, in _on_close
    (class_id, method_id), ConnectionError)
AccessRefused: (0, 0): (403) ACCESS_REFUSED - Login was refused using authentication mechanism EXTERNAL. For details see the broker logfile.

rabbitmq.conf:

listeners.ssl.default = 0.0.0.0:5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/server/default-cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server/rabbitmqserver-cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server/rabbitmqserver-key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.depth = 2
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
ssl_options.secure_renegotiate = true
ssl_cert_login_from = common_name

auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL

log.syslog.level = info
log.file.level = info

RabbitMQ log:

2018-06-22 20:04:07.604 [info] <0.22240.0> accepting AMQP connection         <0.22240.0> (192.168.56.1:43780 -> 192.168.56.252:5671)
2018-06-22 20:04:07.607 [error] <0.22240.0> Error on AMQP connection <0.22240.0> (192.168.56.1:43780 -> 192.168.56.252:5671, state: starting):
EXTERNAL login refused: no peer certificate
2018-06-22 20:04:07.608 [info] <0.22240.0> closing AMQP connection <0.22240.0> (192.168.56.1:43780 -> 192.168.56.252:5671)

0 answers:

No answers
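
An audit of the TLS client-authentication settings in the rabbitmq.conf above, as an added example that is not part of the original question: with `ssl_options.fail_if_no_peer_cert = false` the broker completes the TLS handshake even when the client presents no certificate, so the refusal only appears at the EXTERNAL login step. The function names and finding ids are this example's own; `SAMPLE_CONF` repeats keys from the question's config.

```python
# Added example: audits the client-certificate settings of a new-style rabbitmq.conf.
# SAMPLE_CONF copies the relevant keys from the rabbitmq.conf shown in the question.
SAMPLE_CONF = """\
listeners.ssl.default = 0.0.0.0:5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_cert_login_from = common_name
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL
"""

LEGACY_TLS = {"tlsv1", "tlsv1.1"}        # deprecated by RFC 8996
PASSWORD_MECHS = {"PLAIN", "AMQPLAIN"}   # username/password mechanisms

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def numbered(conf, prefix):
    """Collect the values of keys such as 'auth_mechanisms.1', 'auth_mechanisms.2'."""
    return {v for k, v in conf.items() if k.startswith(prefix + ".")}

def audit(conf):
    """Return (id, message) findings; absent keys are treated as disabled (assumption)."""
    findings = []
    verify = conf.get("ssl_options.verify", "verify_none")
    cert_required = conf.get("ssl_options.fail_if_no_peer_cert", "false") == "true"
    mechs = numbered(conf, "auth_mechanisms")
    if verify != "verify_peer":
        findings.append(("verify-none", "client certificates are not verified"))
    elif not cert_required:
        findings.append(("client-cert-optional",
                         "TLS handshake succeeds without a client certificate; "
                         "EXTERNAL then has no certificate to map to a user"))
    legacy = sorted(numbered(conf, "ssl_options.versions") & LEGACY_TLS)
    if legacy:
        findings.append(("legacy-tls", "deprecated versions enabled: " + ", ".join(legacy)))
    if "EXTERNAL" in mechs and mechs & PASSWORD_MECHS:
        findings.append(("password-fallback", "password logins stay enabled next to EXTERNAL"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit(parse_conf(SAMPLE_CONF)):
        print(finding_id + ": " + message)
```

Setting `fail_if_no_peer_cert = true` makes a client that sends no certificate fail during the TLS handshake instead of at AMQP login, which separates a client-side certificate problem from a username-mapping problem.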