Rabbitmq reload/refresh new certificates without restart - rabbitmq

I am using self-signed certificates in my Rabbitmq server and the broker is started successfully with SSL port. I am now trying to renew / use new SSL certificates, SSL key and truststore but I do not want to restart the running rabbitmq server as my application should run continuously. I checked online for solutions to refresh / reload the erlang/rabbitmq on the runtime to read/reload these new SSL certificates and I stumbled upon a few links where they suggested to use - rabbitmqctl eval "ssl:stop(), ssl:start()." to reload certs.
The command worked fine and the new SSL certs were refreshed without rabbitmq restart, but the Consumers / connections were RESET because of which my application cannot read the messages from the queues anymore.
Can you please help me with this issue? I'd like to reload the new SSL certificates without restarting my rabbitmq or application, and the rabbitmq must work fine with my application without any connection reset.
If not, kindly suggest how to re-establish the connections again so that my application runs as expected.

Turns out newer versions of Erlang auto-update their PEM cache, so all you need to do is put the new certificate in place and then wait for a few minutes.
If you need to force the use of the new certificate sooner, you can use
rabbitmqctl eval 'ssl:clear_pem_cache().'
And this will reload the certificate without disconnecting any publishers or consumers.
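One way to check the rotation end to end, as an added example that is not part of the original answer: compare the fingerprint of the certificate file on disk with the one the broker actually presents on its TLS port, and run the PEM-cache clear only if they differ. The broker host, port and certificate path are assumptions.

```python
import base64
import hashlib
import re
import ssl
import subprocess

BROKER_HOST = "localhost"                                # assumption
BROKER_PORT = 5671                                       # assumption: AMQPS listener
NEW_CERT_PATH = "/etc/rabbitmq/server_certificate.pem"   # assumption: path set in rabbitmq.conf

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the first certificate in a PEM string, in the
    colon-separated form printed by `openssl x509 -fingerprint -sha256`."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def served_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the leaf certificate the broker presents right now.
    No ca_certs is passed on purpose: we want to see whatever the broker
    serves, self-signed or not, rather than fail on trust."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


def clear_pem_cache() -> None:
    """Make the Erlang ssl application drop its PEM cache so the *next*
    handshake reads the new files. Established connections keep running,
    which is the whole point of doing this instead of ssl:stop()/start()."""
    subprocess.run(["rabbitmqctl", "eval", "ssl:clear_pem_cache()."],
                   check=True)


if __name__ == "__main__":
    with open(NEW_CERT_PATH) as fh:
        expected = pem_fingerprint(fh.read())
    served = served_fingerprint(BROKER_HOST, BROKER_PORT)
    if served != expected:
        # Cache not refreshed yet: force it, then re-check with a new handshake.
        clear_pem_cache()
        served = served_fingerprint(BROKER_HOST, BROKER_PORT)
    print(f"new certificate live: {served == expected}\nexpected {expected}\nserved   {served}")
```

Run it on the broker host after copying the new files into place; a mismatch after the forced cache clear means the listener is still pointing at a different file than the one you rotated.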

Related

Could anyone connect Cloud SQL with cloud sql proxy pod

I'm trying to set up a very basic WordPress setup as explained in this document: https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk
And cloud sql proxy is giving me certificate errors:
esonika@cloudshell:~ (esonika)$ k logs wordpress-8d7998ccd-xnfn9 -c cloudsql-proxy
2022/12/30 10:43:38 using credential file for authentication; email=cloudsql-proxy@esonika.iam.gserviceaccount.com
2022/12/30 10:43:38 Listening on 127.0.0.1:3306 for esonika:europe-west9:mysql-wordpress-instance
2022/12/30 10:43:38 Ready for new connections
2022/12/30 10:44:01 New connection for "esonika:europe-west9:mysql-wordpress-instance"
2022/12/30 10:44:02 couldn't connect to "esonika:europe-west9:mysql-wordpress-instance": x509: certificate is valid for 38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog, not esonika:mysql-wordpress-instance
I don't know why a certificate such as "38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog" is created and where.
Tried resetting ssl configurations and it didn't work.
Usually, if you don't explicitly set an SSL connection on your Cloud SQL instance, the communication with the database is in plain text.
EXCEPT when you create a tunnel with Cloud SQL proxy. This time, a secure connection is created, with encrypted data. The encryption is ensured by this automatically created, ephemeral certificate from the proxy.
Here is a doc which might help you in connecting to Cloud SQL from GKE using sidecar pods.
Thanks. The document doesn't list anything that I haven't tried. I think there is an internal issue with cloud_sql_proxy, that's why I decided to switch Cloud SQL to a private network only, and the WordPress pod is directly connecting to the Cloud SQL private IP.
I was running into the same issue around the time you posted this question. I also reset SSL configuration on the DB like you did. My solution was upgrading from the version 1.11 to 1.33.2. It resolved all of the x509 errors. No clue why it suddenly stopped working.

Read Rabbit MQ SSL server certificate and server key by Trust Store Plugin

I am using SSL self-signed certificates to connect MQTT in the Rabbit MQ broker. Now I need to update them at runtime without restarting the server. The Rabbit MQ trust store gives good solutions for this, but it reads only the CA certificate from a local whitelisted folder or http endpoint. I need to take the server certificate and server key from an external whitelisted folder or http endpoint. Can I do this using the rabbitmq-trust-store plugin, or is there any other solution for this?
No need to restart the server. Put the new certificate in the correct place and wait for a few minutes. Certificates automatically update.

Using Kafka With SSL Encryption but No Authentication (No Server Verification nor Client Authentication)

Is it possible to use Kafka with SSL encryption but with no server verification nor client authentication?
I know that by default the latter is disabled, but is it possible to also disable the former?
I encountered a similar problem. Since Kafka is a Java process, it will load the default JDK certs when running, which are under /usr/local/jdk/jre/lib/security/cacerts. If your server is trusted there (in my scenario, my Kafka server is MSK, and is trusted already), then you don't have to config all the keys and certs.
So all in all, I only added kafka config of security.protocol=SSL and it worked.

Service Fabric certificate swap. Apps failing to activate

We have 5 Service Fabric nodes running 2 applications in 4 environments in Azure. Our Network team wanted to switch out our cluster certificate so they generated a new one (I believe in the key vault) and swapped it to primary. We updated our project to use the new cert's thumbprint. We successfully authenticated to the cluster and deployed (via Visual Studio) using the new cert, but now the application will not activate. The error we are seeing is:
System.Hosting' reported Error for property 'Activation:1.0:1.0:131965678558388988'.
There was an error during activation.There is already a certificate with thumbprint 123oldCertNumber bound to port 200appPort. New certificate thumbprint specified: 321newCertNumber
Additionally, we tried deleting the old cert which is now in the secondary slot, but it just processes for hours saying "Cluster is updating user certificate." and eventually fails to delete the cert.
Any help would be greatly appreciated!
Here's what worked for me:
I deleted all applications, but did not unprovision them. I then reset all nodes to clear them out. Then I deleted the old cert - this time it worked. I redeployed and voilà, it activated no problem. Well, almost, I have one node that is stuck with the same error message. I've tried deleting data and resetting it, but haven't been able to clear it yet.
If both of your applications were using the old certificate then you may have encountered a problem described in the documentation on Upgrading multiple applications with HTTPS endpoints.
When the first application goes to update it will fail to configure the HTTPS port with the new certificate, since the second application is still running and has already configured the HTTPS port with the old certificate. The only path forward is to remove both applications that are sharing the port and then upgrade.
For this reason you may want to consider approaches to prevent this problem in the future. You could:
Combine services from the two applications into a single application, or
Run each application on a different port.
I just finished upgrading my applications to use a new cert and here is what you must do.
I have 3 applications using the one cert.
Instructions
In the Application Manifest, I removed the binding from 2 of my 3 applications. It is important that you do not remove the binding from all of your apps at once.
I then redeployed the 2 apps with the binding removed.
I updated the 3rd Application with the new cert and redeployed
I then added back the binding in the other 2 applications and updated them to use the new cert and redeployed.
That was all that was needed.
Here is a link to the solution
Renew endpoint certificate

Hubot Slack Integration with SSL

I am trying to connect Slack over a corporate network using a proxy and it gets blocked on the SSL interception. It gets stuck at:
DEBUG slack rtm start with options: {}
How to make it go through SSL interception? Is there a way to make Hubot trust SSL certificate?
One way is that you can skip the SSL by setting the environment variable called NODE_TLS_REJECT_UNAUTHORIZED to zero. This will skip the SSL. E.g. for Windows, execute the following in your command prompt:
set NODE_TLS_REJECT_UNAUTHORIZED=0
Then run your process as usual.