Set CN to container DNS name

Related to docker-library/rabbitmq#652 Give a TLS dist optfile a try Remove `fail_if_no_peer_cert` option for client. It does not seem to be supported by OTP 26 🤔
docker-library · Jul 19, 2023 · e3a1857 · e3a1857
1 parent 51c2cd0
commit e3a1857
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/test/tests/rabbitmq-tls/inet-dist-tls.config b/test/tests/rabbitmq-tls/inet-dist-tls.config
@@ -0,0 +1,17 @@
+[
+ {server, [
+ {cacertfile,"/certs/ca.crt"},
+ {certfile, "/certs/cert.crt"},
+ {keyfile, "/certs/private.key"},
+ {secure_renegotiate, true},
+ {verify, verify_peer},
+ {fail_if_no_peer_cert, true}
+ ]},
+ {client, [
+ {cacertfile,"/certs/ca.crt"},
+ {certfile, "/certs/cert.crt"},
+ {keyfile, "/certs/private.key"},
+ {secure_renegotiate, true},
+ {verify, verify_peer}
+ ]}
+].
diff --git a/test/tests/rabbitmq-tls/rabbitmq-env.conf b/test/tests/rabbitmq-tls/rabbitmq-env.conf
@@ -3,13 +3,11 @@
 # https://www.rabbitmq.com/clustering-ssl.html
 ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)"
 
-sslErlArgs="-pa $ERL_SSL_PATH 
- -proto_dist inet_tls
- -ssl_dist_opt server_certfile /certs/combined.pem
- -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
+sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inet-dist-tls.config"
 
 SERVER_ADDITIONAL_ERL_ARGS="$sslErlArgs"
 CTL_ERL_ARGS="$sslErlArgs"
+
 if [ -n "$ERLANG_COOKIE" ]; then
  SERVER_ADDITIONAL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS -setcookie $ERLANG_COOKIE"
  CTL_ERL_ARGS="$CTL_ERL_ARGS -setcookie $ERLANG_COOKIE"

diff --git a/test/tests/rabbitmq-tls/run.sh b/test/tests/rabbitmq-tls/run.sh
@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
 
+cname="rabbitmq-container-$RANDOM-$RANDOM"
 dir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
-
 serverImage="$("$dir/../image-name.sh" librarytest/rabbitmq-tls-server "$1")"
+
 "$dir/../docker-build.sh" "$dir" "$serverImage" <<EOD
 FROM $1
 RUN set -eux; \
@@ -13,10 +14,10 @@ RUN set -eux; \
  -key /certs/ca-private.key \
  -out /certs/ca.crt \
  -days $(( 365 * 30 )) \
- -subj '/CN=lolca'; \
+ -subj '/CN=$cname-CA'; \
  openssl genrsa -out /certs/private.key 4096; \
  openssl req -new -key /certs/private.key \
- -out /certs/cert.csr -subj '/CN=lolcert'; \
+ -out /certs/cert.csr -subj '/CN=$cname'; \
  openssl x509 -req -in /certs/cert.csr \
  -CA /certs/ca.crt -CAkey /certs/ca-private.key -CAcreateserial \
  -out /certs/cert.crt -days $(( 365 * 30 )); \
@@ -25,7 +26,7 @@ RUN set -eux; \
  chmod 0400 /certs/combined.pem; \
  chown -R rabbitmq:rabbitmq /certs
 
-COPY --chown=rabbitmq:rabbitmq dir/*.conf /etc/rabbitmq/
+COPY --chown=rabbitmq:rabbitmq dir/*.conf* /etc/rabbitmq/
 EOD
 
 testImage="$("$dir/../image-name.sh" librarytest/rabbitmq-tls-test "$1")"
@@ -44,7 +45,6 @@ EOD
 
 export ERLANG_COOKIE="rabbitmq-erlang-cookie-$RANDOM-$RANDOM"
 
-cname="rabbitmq-container-$RANDOM-$RANDOM"
 cid="$(docker run -d --name "$cname" --hostname "$cname" -e ERLANG_COOKIE "$serverImage")"
 trap "docker rm -vf $cid > /dev/null" EXIT