I have installed Logstash on 2 nodes to send the logs to RabbitMQ. SSL is configured on RabbitMQ, listening on port 5671. I have configured both Logstash instances to push the logs to the RabbitMQ server on port 5671.
This is my configuration.
input {
  file {
    path => "/var/log/messages"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:system_auth_timestamp} %{SYSLOGHOST:system_auth_hostname} %{GREEDYDATA:command_issued}: %{GREEDYDATA:message}" }
    add_tag => "syslog"
  }
}
output {
  rabbitmq {
    exchange => "elasticsearch-exchange"
    exchange_type => "direct"
    key => "logstash-routing_key"
    ssl => true
    #verify_ssl => true
    ssl_certificate_password => 'Password'
    ssl_certificate_path => 'certfile'
    ssl_version => "TLSv1.2"
    host => "10.2.0.0"
    vhost => "es_vhost"
    durable => true
    persistent => true
    port => 5671
    user => "admin"
    password => "password"
    heartbeat => "5"
  }
  stdout {
    codec => rubydebug
  }
}
This is the error I am getting in the logstash log.
{:timestamp=>"2017-12-26T07:22:32.708000+0000", :message=>"Pipeline aborted due to error", :exception=>java.util.concurrent.TimeoutException, :backtrace=>["com.rabbitmq.utility.BlockingCell.get(com/rabbitmq/utility/BlockingCell.java:77)", "com.rabbitmq.utility.BlockingCell.uninterruptibleGet(com/rabbitmq/utility/BlockingCell.java:111)", "com.rabbitmq.utility.BlockingValueOrException.uninterruptibleGetValue(com/rabbitmq/utility/BlockingValueOrException.java:37)", "com.rabbitmq.client.impl.AMQChannel$BlockingRpcContinuation.getReply(com/rabbitmq/client/impl/AMQChannel.java:367)", "com.rabbitmq.client.impl.AMQConnection.start(com/rabbitmq/client/impl/AMQConnection.java:293)", "com.rabbitmq.client.ConnectionFactory.newConnection(com/rabbitmq/client/ConnectionFactory.java:648)", "com.rabbitmq.client.ConnectionFactory.newConnection(com/rabbitmq/client/ConnectionFactory.java:678)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)", "RUBY.new_connection_impl(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare/session.rb:505)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:281)", "RUBY.converting_rjc_exceptions_to_ruby(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare/session.rb:467)", "RUBY.new_connection_impl(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare/session.rb:500)", "RUBY.initialize(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare/session.rb:136)", "RUBY.connect(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare/session.rb:109)", "RUBY.connect(/opt/logstash/vendor/bundle/jruby/1.9/gems/march_hare-2.15.0-java/lib/march_hare.rb:20)", "RUBY.connect(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-mixin-rabbitmq_connection-4.1.1-java/lib/logstash/plugin_mixins/rabbitmq_connection.rb:174)", 
"RUBY.connect!(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-mixin-rabbitmq_connection-4.1.1-java/lib/logstash/plugin_mixins/rabbitmq_connection.rb:131)", "RUBY.register(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-rabbitmq-3.1.0-java/lib/logstash/outputs/rabbitmq.rb:40)", "RUBY.register(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/output_delegator.rb:75)", "RUBY.start_workers(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:181)", "org.jruby.RubyArray.each(org/jruby/RubyArray.java:1613)", "RUBY.start_workers(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:181)", "RUBY.run(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:136)", "RUBY.start_pipeline(/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/agent.rb:473)", "java.lang.Thread.run(java/lang/Thread.java:745)"], :level=>:error}
{:timestamp=>"2017-12-26T07:22:35.710000+0000", :message=>"stopping pipeline", :id=>"main"}
This is the error I am getting in RabbitMQ logs.
=INFO REPORT==== 27-Dec-2017::05:44:27 ===
accepting AMQP connection <0.1228.0> (10.2.0.0:42187 -> 10.24.168.17:5601)
=WARNING REPORT==== 27-Dec-2017::05:44:35 ===
closing AMQP connection <0.1228.0> (10.2.0.0:42187 -> 10.24.168.17:5601):
client unexpectedly closed TCP connection
This is the RabbitMQ config:
% This file managed by Puppet
% Template Path: rabbitmq/templates/rabbitmq.config
[
  {rabbit, [
    {cluster_nodes, {[rabbit@node01, rabbitmq@node02, rabbit@node03], disc}},
    {cluster_partition_handling, ignore},
    {tcp_listen_options,
      [binary,
       {packet, raw},
       {reuseaddr, true},
       {backlog, 128},
       {nodelay, true},
       {exit_on_close, false}]
    },
    {default_user, <<"admin">>},
    {default_pass, <<"passowrd">>},
    {handshake_timeout, 60000},
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl_cert/testca/cacert.pem"},
                   {certfile,"/etc/rabbitmq/ssl_cert/server/cert.pem"},
                   {keyfile,"/etc/rabbitmq/ssl_cert/server/key.pem"},
                   {password, "Password"},
                   {verify,verify_peer},
                   {versions, ['tlsv1.2']},
                   {fail_if_no_peer_cert,false}]},
    {ssl_handshake_timeout, 5000},   % a trailing comma is required before the next tuple
    {log_levels, [{autocluster, debug}, {connection, info}]}
  ]},
  {kernel, [
  ]},
  {rabbitmq_management, [
    {listener, [
      {port, 15672}
    ]}
  ]}
].
% EOF
I have even changed the SSL listener port to 5601 and tried, just to make sure that this is not a port conflict. I am hitting the wall every time here.
There was a mismatch in hostname. I have resolved it by providing an FQDN in the /etc/hosts file. SSL is working fine now.
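The root cause reported above is a hostname mismatch: the Logstash output connects to the broker by IP address (host => "10.2.0.0") while the broker certificate names the host by DNS name, so a verifying TLS client rejects the certificate and drops the connection, which matches the "client unexpectedly closed TCP connection" line in the RabbitMQ log. The Python script below is an added example, not part of the question and not Logstash or RabbitMQ code. It implements the RFC 6125 hostname-matching rule that verifying TLS clients apply, so the value in a client config can be tested against a certificate's subjectAltName list before rollout. The BROKER_SAN entries are constructed, and fetch_peer_san is the example's own helper for pulling the real list from a live broker.

```python
"""Check whether the host name a client is configured with would pass the
TLS hostname check against a server certificate's subjectAltName list.
Added example, not Logstash or RabbitMQ code."""
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 rule: case-insensitive label comparison; a single '*' may
    replace the whole left-most label only and never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_entries, host: str) -> bool:
    """san_entries: sequence of (kind, value) pairs in the shape that
    ssl.SSLSocket.getpeercert()['subjectAltName'] returns, e.g.
    ('DNS', 'broker.example') or ('IP Address', '10.2.0.0').
    host: the literal value from the client config (Logstash `host =>`)."""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None  # not an IP literal, so it is treated as a DNS name
    for kind, value in san_entries:
        if wanted_ip is not None and kind == "IP Address":
            # An IP literal is matched only by an iPAddress SAN entry, never by
            # a DNS entry, and the address is compared as an address, not as text.
            if ipaddress.ip_address(value) == wanted_ip:
                return True
        elif wanted_ip is None and kind == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def explain(san_entries, host: str) -> str:
    """One-line verdict suitable for a pre-deployment check."""
    if cert_matches_host(san_entries, host):
        return f"OK: '{host}' is covered by the certificate"
    names = ", ".join(f"{k}={v}" for k, v in san_entries) or "none"
    return f"MISMATCH: '{host}' is not in the certificate SAN list ({names})"


def fetch_peer_san(host: str, port: int, cafile: str):
    """Pull the real SAN list from a live broker for use with explain().
    Chain validation against cafile stays on; only the hostname check is
    turned off here so a mismatching name can still be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


# Constructed sample: a broker certificate issued to one DNS name plus a
# wildcard, with no IP address entry, like the situation in the question.
BROKER_SAN = [("DNS", "rabbit01.example.internal"), ("DNS", "*.example.internal")]

if __name__ == "__main__":
    for candidate in ("10.2.0.0", "rabbit01.example.internal", "rabbit02.example.internal"):
        print(explain(BROKER_SAN, candidate))
```

Run as-is it reports a mismatch for the IP literal and a match for both DNS names; point fetch_peer_san at a real broker on 5671 with the CA file from the RabbitMQ config to lint the live certificate the same way. Commenting out verify_ssl, as in the question, hides the mismatch rather than fixing it.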
Related
I am trying to set up a RabbitMQ server with mqtt and amqp connections.
I have opened an MQTT TCP connection on port 1883 and an MQTT SSL connection on port 8883. TLS and SSL listeners are successfully opened, as the log shows. I am using mqttBox as the client and I can successfully connect to port 1883 using TCP. But I am unable to connect to port 8883 using TLS/SSL.
Here is my config file.
[
  {rabbit,
    [
      {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
      {default_vhost, <<"/">>},
      {default_user, <<"user">>},
      {default_pass, <<"bitnami">>},
      {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
      {ssl_options, [{cacertfile, "/opt/bitnami/rabbitmq/tls/result/ca_certificate.pem"},
                     {certfile, "/opt/bitnami/rabbitmq/tls/result/server_certificate.pem"},
                     {keyfile, "/opt/bitnami/rabbitmq/tls/result/server_key.pem"},
                     %% {password,""},
                     {verify, verify_peer},
                     {fail_if_no_peer_cert, true}]}
      %% {ssl_listeners, [5671]}
    ]
  },
  {kernel, []},
  {rabbitmq_management,
    [
      {listener, [{port, 15672}, {ip, "0.0.0.0"}]}
    ]
  },
  {rabbitmq_shovel,
    [
      {shovels, []}
    ]
  },
  {rabbitmq_stomp, []},
  {rabbitmq_mqtt, [{ssl_cert_login, true}, {allow_anonymous, false},
                   {ssl_listeners, [8883]}, {tcp_listeners, [1883]}]},
  {rabbitmq_amqp1_0, []},
  {rabbitmq_auth_backend_ldap, []},
  {rabbit, [{vm_memory_high_watermark, 0.6}]
  }
].
And my log file.
started MQTT TCP Listener on [::]:1883
started MQTT SSL Listener on [::]:8883
started TCP Listener on [::]:5672
started SSL Listener on [::]:5671
<0.13639.4> MQTT vhost picked using plugin configuration or default
TCP connection successful
<0.13639.4> accepting MQTT connection <0.13639.4> (123.231.123.82:54601 -> 10.128.0.5:1883)
TLS connection failed
<0.13639.4> MQTT detected network error for "123.231.123.82:54601 -> 10.128.0.5:1883": peer closed TCP connection
It seems both tcp and tls requests are headed to 10.128.0.5:1883.
How can I fix this?
edit: client configurations:
With the following parameters I get the Predis ServerException MOVED 16353 x.x.x.x:6379. The Amazon ElastiCache for Redis instance has cluster mode enabled and 2 nodes. Can anyone advise on the correct configuration for this?
'redis' => [
    'cluster' => true,
    'default' => [
        'host' => 'xxx.cache.amazonaws.com',
        'port' => 6379,
        'database' => 0,
    ],
],
I'm going through the process of setting up RabbitMQ with LDAP authorization but am not having much luck... Could someone in the know, please take a look and tell me what I'm doing wrong? I'm able to query LDAP to get the user object with the following code:
var entry = new DirectoryEntry("LDAP://ourldapbox.ourcompany.co.uk:636/CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk");
Config Attempt 1
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
    [ {servers, ["ourldapbox.ourcompany.co.uk"]},
      {user_dn_pattern, "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"},
      {use_ssl, false},
      {port, 636},
      {log, true}
    ]
  }
].
Config Attempt 2
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
    [ {servers, ["ourldapbox.ourcompany.co.uk"]},
      {dn_lookup_attribute, "sAMAccountName"},
      {dn_lookup_base, "DC=ourcompany,DC=co,DC=uk"},
      {user_dn_pattern, "${username}@ourcompany.co.uk"},
      {other_bind, anon},
      {use_ssl, false},
      {port, 636},
      {log, true}
    ]
  }
].
Config Attempt 3
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
    [ {servers, ["ourldapbox.ourcompany.co.uk"]},
      {dn_lookup_attribute, "userPrincipalName"},
      {dn_lookup_base, "dc=ourcompany,dc=co,dc=uk"},
      {user_dn_pattern, "${username}@ourcompany.co.uk"},
      {use_ssl, false},
      {port, 636},
      {log, true}
    ]
  }
].
Connection Code
I'm attempting to connect in a number of ways (all failing):
var connectionFactory = new ConnectionFactory
{
    HostName = "localhost",
    UserName = "twainm",
    Password = "fred123",
};
using (connectionFactory.CreateConnection())
{
    // fails with:
    // None of the specified endpoints were reachable
    // ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
}
The internal database fallback configuration is working, so guest is able to connect without issue.
Logs
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
accepting AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672)
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
[{username,<<"Mark Twain">>}]
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP CHECK: login for Mark Twain
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP filling template "CN=${username},OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk" with
[{username,<<"Mark Twain">>}]
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP template result: "CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk"
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
closed}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP bind error: CN=Mark Twain,OU=Development,OU=OurCompany Employees,DC=OurCompany,DC=co,DC=uk {gen_tcp_error,
closed}
=INFO REPORT==== 18-Feb-2015::10:38:13 ===
LDAP DECISION: login for Mark Twain: {error,{gen_tcp_error,closed}}
=ERROR REPORT==== 18-Feb-2015::10:38:16 ===
closing AMQP connection <0.1122.0> ([::1]:20117 -> [::1]:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'Mark Twain' - invalid credentials",
'connection.start_ok'}}
I've had a good Google for "LDAP bind error", "handshake_error,starting,0" and "access_refused" but can't find anything that could point me in the right direction.
Any help would be appreciated.
Solved! I realised that the combination of use_ssl=false and port=636 was a bit stupid because 636 is the encrypted (i.e. SSL LDAP) port.
Here's my LDAP configuration (now working). I hope this saves a few people a few hours:
[
  {rabbit,
    [ {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
  {rabbitmq_auth_backend_ldap,
    [ {servers, ["ourldapbox.ourcompany.co.uk"]},
      {dn_lookup_attribute, "sAMAccountName"},
      {dn_lookup_base, "DC=ourcompany,DC=co,DC=uk"},
      {user_dn_pattern, "${username}@ourcompany.co.uk"},
      {use_ssl, true},
      {port, 636},
      {log, true}
    ]
  }
].
I had a similar problem, except I was using the rabbitmq.conf instead of the advanced.config format. Here is an alternate solution if anyone is having this issue and using the other config format:
auth_backends.1 = ldap
auth_ldap.servers.1 = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl = true
auth_ldap.port = 636
auth_ldap.log = true
auth_backends.2 = rabbit_auth_backend_internal
I am trying to set up a RabbitMQ cluster with Puppet. I have nodeA that initiates the cluster, and all other nodes should join nodeA's cluster using nodeA's hostname.
All other nodes execute the following code.
class { 'rabbitmq':
  service_manage           => false,
  port                     => '5672',
  delete_guest_user        => true,
  erlang_cookie            => $erlang_hash,
  config_cluster           => true,
  cluster_nodes            => ['nodeA'],
  cluster_node_type        => 'ram',
  wipe_db_on_cookie_change => true,
}
Nodes executing this Puppet code can ping nodeA, and Puppet generates the following config file:
% This file managed by Puppet
% Template Path: rabbitmq/templates/rabbitmq.config
[
  {rabbit, [
    {cluster_nodes, {['rabbit@nodeA'], ram}},
    {cluster_partition_handling, ignore},
    {default_user, <<"guest">>},
    {default_pass, <<"guest">>}
  ]}
].
% EOF
nodeA is a disc node and the node trying to join nodeA's cluster is a ram node.
Unfortunately a node executing my puppet code doesn't join nodeA's cluster.
I have configured the RabbitMQ rabbitmq.config file with a new port number, i.e. 5671, with SSL.
Now I want to disable the default port, i.e. 5672.
Config file as below:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cacert.pem"},
                   {certfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cert.pem"},
                   {keyfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/key.pem"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false},
                   {ciphers,[{dhe_rsa,aes_256_cbc,sha},
                             {dhe_dss,aes_256_cbc,sha},
                             {rsa,aes_256_cbc,sha}]}
                  ]
    }
  ]}
].
Now it's working on both port 5671 and 5672, but I need to disable port 5672.
Please give some comments or suggestions.
Thanks in advance.
To disable the standard RabbitMQ 5672 port, add {tcp_listeners, []} to your rabbitmq.conf:
[
  {rabbit, [
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cacert.pem"},
                   {certfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cert.pem"},
                   {keyfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/key.pem"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false},
                   {ciphers,[{dhe_rsa,aes_256_cbc,sha},
                             {dhe_dss,aes_256_cbc,sha},
                             {rsa,aes_256_cbc,sha}]}
                  ]
    }
  ]}
].
It works with RabbitMQ 3.1.5.
Here's how to do it with the new configuration file format introduced in RabbitMQ 3.7:
Set up the SSL listener in rabbitmq.conf:
listeners.ssl.1 = 5671
ssl_options.cacertfile = /path/to/testca/cacert.pem
ssl_options.certfile = /path/to/server/cert.pem
ssl_options.keyfile = /path/to/server/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
Disable the non-SSL listener in advanced.config:
[
  {rabbit, [
    {tcp_listeners, []}
  ]}
].
It appears that to disable non-ssl listening with the new file format, you can do the following:
listeners.tcp = none
This has the same effect as the other 3.7 answer, but removes the need to do it in the advanced.config.
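The two rabbitmq.conf answers on this page, the auth_ldap.* block from the LDAP thread and the listeners.tcp = none / listeners.ssl.1 = 5671 settings from this thread, share the same failure pattern: a plaintext setting left next to a TLS one. The Python linter below is an added example, not RabbitMQ's own code, for the sysctl-style rabbitmq.conf format introduced in 3.7. It parses the file and flags a plaintext LDAP bind pointed at the LDAPS port 636 (the gen_tcp_error,closed case from the LDAP logs above) and a plaintext AMQP listener left open beside the TLS listener. The sample config is constructed from the values shown in those answers, and the checks assume the 3.7+ key names used there.

```python
"""Lint the `key = value` rabbitmq.conf (RabbitMQ 3.7+) for the listener and
LDAP mistakes discussed on this page. Added example, not RabbitMQ code."""

# Constructed sample built from the answers above. It deliberately keeps the
# LDAP bind in the clear against port 636 and leaves the default plaintext
# AMQP listener enabled, so the linter has something to report.
SAMPLE_CONF = """\
listeners.ssl.1 = 5671
ssl_options.cacertfile = /path/to/testca/cacert.pem
ssl_options.certfile = /path/to/server/cert.pem
ssl_options.keyfile = /path/to/server/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
auth_backends.1 = ldap
auth_backends.2 = rabbit_auth_backend_internal
auth_ldap.servers.1 = ourldapbox.ourcompany.co.uk
auth_ldap.dn_lookup_attribute = sAMAccountName
auth_ldap.dn_lookup_base = DC=ourcompany,DC=co,DC=uk
auth_ldap.user_dn_pattern = ${username}@ourcompany.co.uk
auth_ldap.use_ssl = false
auth_ldap.port = 636
"""

LDAPS_PORT, LDAP_PORT = "636", "389"
NO_TLS_LISTENER = "no listeners.ssl.* entry: nothing listens for TLS"


def parse_conf(text: str) -> dict:
    """Parse the sysctl-style file into {key: value}; '#' lines are comments.
    Only the first '=' splits, so values such as DC=ourcompany,DC=co survive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def lint_listeners(settings: dict) -> list:
    """Plaintext AMQP stays on (default 5672) unless listeners.tcp = none."""
    findings = []
    explicit_tcp = any(k.startswith("listeners.tcp.") for k in settings)
    if explicit_tcp or settings.get("listeners.tcp") != "none":
        findings.append("plaintext AMQP listener is enabled (default 5672); "
                        "set `listeners.tcp = none` to serve TLS only")
    if not any(k.startswith("listeners.ssl.") for k in settings):
        findings.append(NO_TLS_LISTENER)
        return findings
    for key in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        if key not in settings:
            findings.append(f"{key} is not set although a TLS listener is configured")
    return findings


def lint_ldap(settings: dict) -> list:
    """The LDAP thread's bug: use_ssl = false against port 636 sends a plaintext
    bind to the LDAPS port and the directory just closes the socket."""
    findings = []
    if not any(k.startswith("auth_ldap.") for k in settings):
        return findings
    backends = [v for k, v in settings.items() if k.startswith("auth_backends.")]
    if not any(b in ("ldap", "rabbit_auth_backend_ldap") for b in backends):
        findings.append("auth_ldap.* is set but no auth_backends.N names the ldap "
                        "backend, so it is never consulted")
    use_ssl = settings.get("auth_ldap.use_ssl", "false").lower() == "true"
    port = settings.get("auth_ldap.port")
    if port is None:
        findings.append("auth_ldap.port is not set; state it explicitly so it agrees "
                        "with auth_ldap.use_ssl")
    elif not use_ssl and port == LDAPS_PORT:
        findings.append("auth_ldap.use_ssl = false with port 636: plaintext LDAP to the "
                        "LDAPS port, the bind fails with gen_tcp_error,closed")
    elif use_ssl and port == LDAP_PORT:
        findings.append("auth_ldap.use_ssl = true with port 389: TLS handshake sent to "
                        "the plaintext LDAP port")
    if not use_ssl:
        findings.append("auth_ldap.use_ssl = false: bind credentials cross the network unencrypted")
    return findings


def lint(text: str) -> list:
    """All findings for one rabbitmq.conf text, listener checks first."""
    settings = parse_conf(text)
    return lint_listeners(settings) + lint_ldap(settings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Against the constructed sample it reports three findings (plaintext listener, use_ssl/636 mismatch, cleartext bind); adding listeners.tcp = none and flipping auth_ldap.use_ssl to true, as the accepted answers do, brings it to zero. Pipe a real file in with lint(open(path).read()) to run the same checks before a broker restart.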