Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't reconfigure mqtts listener #349

Open
maelp opened this issue Feb 23, 2023 · 57 comments
Open

Can't reconfigure mqtts listener #349

maelp opened this issue Feb 23, 2023 · 57 comments

Comments

@maelp
Copy link

maelp commented Feb 23, 2023

Hi, I'm trying to set up a mqtts listener, I've added the mqtts.enabled=true in the values, as well as the secretMount with the certificates (it seemed that it didn't work by adding directly the "certificates.{certs,ca,key}" as documented in the README), and when I look at logs I see this:

16:56:01.241 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.458.0>}

and trying to send data on MQTT on port 8883 fails with an error (although it works fine for 1883)

is there something I should configure?

@maelp
Copy link
Author

maelp commented Feb 23, 2023

When connecting with hivemq mqtt-cli I get this log

Restriction request problem information was set but is unused in MQTT Version MQTT_3_1_1
Client 'mqttYzjx5zmo@someurl.example.com' sending CONNECT MqttConnect{keepAlive=60, cleanSession=true, restrictions=MqttConnectRestrictions{receiveMaximum=65535, sendMaximum=65535, maximumPacketSize=268435460, sendMaximumPacketSize=268435460, topicAliasMaximum=0, sendTopicAliasMaximum=16, requestProblemInformation=true, requestResponseInformation=false}}
Client 'mqttYzjx5zmo@someurl.example.com' DISCONNECTED null: com.hivemq.client.mqtt.exceptions.ConnectionFailedException: java.nio.channels.ClosedChannelException
Caused by: java.nio.channels.ClosedChannelException
	at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1065)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262)

@maelp
Copy link
Author

maelp commented Feb 23, 2023

I checked that the certificates are correct, and the 8883 port is correctly opened, so I guess the error is from the configuration?

Here is the config:

import pulumi
from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
from pulumi_kubernetes.core.v1 import Namespace, Secret
from pulumi_kubernetes.helm.v3 import Chart, ChartOpts
from .env import k8s_provider


# Install the vernemq controller on the cluster
chart_ns = Namespace("vernemq", metadata=ObjectMetaArgs(name="vernemq"))
certificates_secret = Secret(
    "vernemq-certificates-secret",
    metadata=ObjectMetaArgs(
        name="vernemq-certificates-secret", namespace=chart_ns.metadata.name
    ),
    string_data={
        "tls.crt": open(
            "secrets-data/staging/certs/gsc/gsc.crt", "r", encoding="utf-8"
        ).read(),
        "tls.key": open(
            "secrets-data/staging/certs/gsc/private.pem", "r", encoding="utf-8"
        ).read(),
        "ca.crt": open(
            "secrets-data/staging/certs/rk/root.crt", "r", encoding="utf-8"
        ).read(),
    },
)
chart = Chart(
    "vernemq",
    config=ChartOpts(
        fetch_opts={"repo": "https://vernemq.github.io/docker-vernemq"},
        chart="vernemq",
        version="1.8.1",
        namespace=chart_ns.metadata.name,
        values={
            "additionalEnv": [
                {"name": "DOCKER_VERNEMQ_ACCEPT_EULA", "value": "yes"},
                {"name": "DOCKER_VERNEMQ_ALLOW_ANONYMOUS", "value": "on"},
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__CAFILE",
                    "value": "/etc/ssl/vernemq/ca.crt",
                },
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE",
                    "value": "/etc/ssl/vernemq/tls.crt",
                },
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE",
                    "value": "/etc/ssl/vernemq/tls.key",
                },
            ],
            "persistentVolume": {
                "enabled": "true",
                "size": "5Gi",
                # "storageClass": "..."
            },
            "service": {
                "mqtt": {"enabled": "true", "port": "1883"},
                "mqtts": {"enabled": "true", "port": "8883"},
            },
            "secretMounts": [
                {
                    "name": "vernemq-certificates",
                    "secretName": "vernemq-certificates-secret",
                    "path": "/etc/ssl/vernemq",
                }
            ],
        },
    ),
    opts=pulumi.ResourceOptions(
        provider=k8s_provider, depends_on=[chart_ns, certificates_secret]
    ),
)

@ioolkos
Copy link
Contributor

ioolkos commented Feb 23, 2023

@maelp there's currently a minor issue coming from configuring default listeners in the release package. Will be fixed in next release.
Disable as much default listeners configs as you can. Then set the MQTTS listener like the one below.

listener.ssl.default=0.0.0.0:8883
listener.ssl.default.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.default.cafile=/etc/ssl/vernemq/ca.crt
listener.ssl.default.certfile=/etc/ssl/vernemq/tls.crt

if the reconfigure error bothers you, try setting an MQTT default listener too

listener.tcp.default = 127.0.0.1:1883

To arrive at those, you have to translate to the ENV variable format here.

I'll look at that client side error later, maybe related to allowed protocol version?


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 23, 2023

(the error seems to be that the server closes the socket when trying to do a SSL connection)

@maelp
Copy link
Author

maelp commented Feb 23, 2023

I'm using a client which handles MQTT 3,4,5 I think (hive mqtt-cli), I'm not sure what version the VerneMQ server is handling, is that configurable?

@codeadict
Copy link
Contributor

I have seen this error @ioolkos , might be fixed on my currently open PR in VerneMQ but we have to double check

@maelp
Copy link
Author

maelp commented Feb 23, 2023

@ioolkos I tried adding the variables you sent above, now I have those logs

17:26:37.432 [error] can't reconfigure mqtt listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{proxy_protocol,false},{allowed_protocol_versions,[3,4,5,131]},{allow_anonymous_override,false}] due to {already_started,<0.435.0>}
17:26:37.514 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.435.0>}

@maelp
Copy link
Author

maelp commented Feb 23, 2023

Here's what I added

                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT",
                    "value": "0.0.0.0:8883",
                },
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__TCP__DEFAULT",
                    "value": "127.0.0.1:1883",
                },

@maelp
Copy link
Author

maelp commented Feb 23, 2023

But for now it seems I can't connect to VerneMQ with SSL, but perhaps I can do it using a Nginx in front, but this defeats the purpose of using VerneMQ TLS setting which can be convenient (to auto-set the user with the CommonName)

@codeadict
Copy link
Contributor

codeadict commented Feb 23, 2023

I'll do some testing on the branch I've opened with these settings. What does vmq-admin listener show is telling you @maelp ?

@ioolkos
Copy link
Contributor

ioolkos commented Feb 23, 2023

@maelp MQTT protocol versions can be allowed per listener.

listener.ssl.default.allowed_protocol_versions = 3,4,5

Terminating TLS in HAProxy or similar component is often done, yes. Of course, Verne can also terminate TLS without problems; so we'll find out what's happing here.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 23, 2023

@codeadict this is the result

+--------+---------+-----------+-------+------------+-----------+
| type   | status  | ip        | port  | mountpoint | max_conns |
+--------+---------+-----------+-------+------------+-----------+
| http   | running | 127.0.0.1 | 8888  |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+
| http   | running | 10.4.0.8  | 8888  |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+
| vmq    | running | 10.4.0.8  | 44053 |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+
| mqttws | running | 10.4.0.8  | 8080  |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+
| mqtt   | running | 127.0.0.1 | 1883  |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+
| mqtt   | running | 10.4.0.8  | 1883  |            | 10000     |
+--------+---------+-----------+-------+------------+-----------+

@maelp
Copy link
Author

maelp commented Feb 23, 2023

(weird that there's no mqtts, is that because of the error above?)

@maelp
Copy link
Author

maelp commented Feb 23, 2023

also not sure why there is mqttws although I haven't enabled it?

@maelp
Copy link
Author

maelp commented Feb 24, 2023

If this helps, when I set the log level to debug, I have a lot of these:

08:47:33.345 [debug] Replica meta1: Can't initialize AE exchange due to no peer available
08:47:33.429 [debug] Replica meta9: Can't initialize AE exchange due to no peer available
08:47:33.618 [debug] Replica meta4: Can't initialize AE exchange due to no peer available
08:47:34.507 [debug] Replica meta3: Can't initialize AE exchange due to no peer available
08:47:34.689 [debug] Replica meta8: Can't initialize AE exchange due to no peer available
08:47:34.755 [debug] Replica meta5: Can't initialize AE exchange due to no peer available
08:47:35.127 [debug] Replica meta6: Can't initialize AE exchange due to no peer available
08:47:35.155 [debug] Replica meta10: Can't initialize AE exchange due to no peer available
08:47:35.267 [debug] Replica meta7: Can't initialize AE exchange due to no peer available

@maelp
Copy link
Author

maelp commented Feb 24, 2023

@ioolkos @codeadict when I disable "mqtt" and only enable "mqtts" in the config, I still have the "can't reconfigure mqtts" error

08:54:06.132 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.458.0>}

but then each time I try to connect with SSL I now have this (before I didn't even have a log) and the connection still closes:

09:04:43.371 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,114,105,135,159,176,108,221,9,230,83,91,123,59,137,214,40,86,81,117,114,74,34,165,44,40,75,196,182,67,195,180,244,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

@maelp the AE exchange logs above are unrelated and harmless (coming from the sync protocol).

There are other users having troubles with MQTTS listeners in the Docker image, apparently: https://erlangforums.com/t/latest-vernemq-not-allowing-tls-traffic-with-self-signed-ca-certificate/2394
I'll need to check that.

Have you enabled listener.ssl.default.allowed_protocol_versions = 3,4,5?

@maelp
Copy link
Author

maelp commented Feb 24, 2023

@ioolkos I added this, but same error

                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__ALLOWED_PROTOCOL_VERSIONS",
                    "value": "3,4,5",
                },

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

Btw, the WS listener comes from the fact that we seem to start one via start script, in case the DOCKER_VERNEMQ variable is not set.

if [ -z "$DOCKER_VERNEMQ_LISTENER__WS__DEFAULT" ]; then

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

Can you check on the Pod, what the exact config injected into etc/vernemq/vernemq.conf is and post here?
All values injected are at the end of the conf file between ###START### and ###END###.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

@ioolkos this is what I get

########## Start ##########
listener.ssl.use_identity_as_username=on
listener.ssl.allowed_protocol_versions=3,4,5
accept_eula=yes
listener.tcp.default=127.0.0.1:1883
listener.ssl.default=0.0.0.0:8883
listener.ssl.require_certificate=on
listener.ssl.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.cafile=/etc/ssl/vernemq/ca.crt
log.console=console
listener.tcp.localhost=127.0.0.1:1883
allow_anonymous=on
listener.ssl.certfile=/etc/ssl/vernemq/tls.crt
erlang.distribution.port_range.minimum = 9100
erlang.distribution.port_range.maximum = 9109
listener.ws.default = 10.4.0.13:8080
listener.vmq.clustering = 10.4.0.13:44053
listener.http.metrics = 10.4.0.13:8888
########## End ##########

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

Can you also add:
listener.ssl.default.depth = 10 to ensure we're not limited by chain length.

You could also attach to VerneMQ in the Pod by using vernemq attach.
And then get info with something similar to:

rp(ranch:info({{127,0,0,1},8883})). (hit Enter)

Detach from Verne with ctrl+g, then q.

I'm currently unclear whether you manage to setup an SSL listener or not. (check with vmq-admin listener show)


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

Adding the default depth of 10 did not change anything

for the command: if I include the final . (not sure if that was intended), I get the following error:

if I don't include it, I get an empty response

(VerneMQ@vernemq-0.vernemq-headless.vernemq.svc.cluster.local)1> rp(ranch:info({{127,0,0,1},8883})).
** exception error: bad argument
     in function  ets:lookup_element/3
        called as ets:lookup_element(ranch_server,{listener_sup,{{127,0,0,1},8883}},2)
        *** argument 2: not a key that exists in the table
     in call from ranch_server:get_listener_sup/1 (/opt/vernemq/_build/default/lib/ranch/src/ranch_server.erl, line 122)
     in call from ranch:info/1 (/opt/vernemq/_build/default/lib/ranch/src/ranch.erl, line 434)
(VerneMQ@vernemq-0.vernemq-headless.vernemq.svc.cluster.local)2> rp(ranch:info({{127,0,0,1},8883}))
(VerneMQ@vernemq-0.vernemq-headless.vernemq.svc.cluster.local)2>

@maelp
Copy link
Author

maelp commented Feb 24, 2023

If I do it with "1883" instead of "8883" I get this

(VerneMQ@vernemq-0.vernemq-headless.vernemq.svc.cluster.local)2> rp(ranch:info({{127,0,0,1},1883})).
#{active_connections => 0,all_connections => 0,
  ip => {127,0,0,1},
  max_connections => 10000,
  metrics =>
      #{{conns_sup,1,accept} => 0,
        {conns_sup,1,terminate} => 0,
        {conns_sup,2,accept} => 0,
        {conns_sup,2,terminate} => 0,
        {conns_sup,3,accept} => 0,
        {conns_sup,3,terminate} => 0,
        {conns_sup,4,accept} => 0,
        {conns_sup,4,terminate} => 0,
        {conns_sup,5,accept} => 0,
        {conns_sup,5,terminate} => 0,
        {conns_sup,6,accept} => 0,
        {conns_sup,6,terminate} => 0,
        {conns_sup,7,accept} => 0,
        {conns_sup,7,terminate} => 0,
        {conns_sup,8,accept} => 0,
        {conns_sup,8,terminate} => 0,
        {conns_sup,9,accept} => 0,
        {conns_sup,9,terminate} => 0,
        {conns_sup,10,accept} => 0,
        {conns_sup,10,terminate} => 0},
  pid => <0.458.0>,port => 1883,protocol => vmq_ranch,
  protocol_options =>
      [{mountpoint,[]},
       {allowed_protocol_versions,[3,4,5,131]},
       {allow_anonymous_override,false},
       {buffer_sizes,undefined}],
  status => running,transport => ranch_tcp,
  transport_options =>
      #{max_connections => 10000,num_acceptors => 10,
        socket_opts =>
            [{ip,{127,0,0,1}},
             {port,1883},
             {nodelay,true},
             {linger,{true,0}},
             {send_timeout,30000},
             {send_timeout_close,true}]}}
ok

so I guess for some reason the mqtts handler is not launched, although I think I configured everything? is that related to the error above where it complains that it cannot reconfigure the listener (not sure why it tries to reconfigure the mqtts listener on 1883 instead of 8883?)

@maelp
Copy link
Author

maelp commented Feb 24, 2023

It seems though that the 8883 port is correctly opened (and correctly proxied-through by the ingress-nginx TCP proxy in front), because when I try to make a MQTTS request on 8883 I get this log to appear on the service logs

14:29:10.285 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,95,237,223,125,180,210,123,10,168,11,41,16,254,209,7,51,234,66,84,195,188,130,8,2,82,22,116,40,207,75,203,201,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'

@maelp
Copy link
Author

maelp commented Feb 24, 2023

and if I try to send a non-SSL MQTT message on port 8883 (to try), I don't see a log on the server, and the socket is closed immediately

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

Yeah, it's weird. Can you add the TLS listener not with 0.0.0.0 but that actual internal IP like the other listeners?
You can add as many TLS listeners on different ports as you want... that 1883 reconfigure thing should not matter here.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

I'm not sure how to do this, since I guess with Kubernetes each time I deploy I might be on a different node IP no?

@maelp
Copy link
Author

maelp commented Feb 24, 2023

for the "1883 reconfigure", the thing which surprises me is that it says both "mqtts" and "1883". Shouldn't it be "8883" that it tries to reconfigure for mqtts?

@codeadict
Copy link
Contributor

codeadict commented Feb 24, 2023

The bug with the default listener should be fixed in my branch vernemq/vernemq#2078, if you can build Docker pointing to that it would be great. Although I believe there is still some bug that might have been caused by our latest ranch upgrade, I'm still researching the changes in ranch. But this is what I see:

^C%
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener stop address="127.0.0.1" port=8883
Done
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener show
+-------+---------+-----------+-------+------------+-----------+
| type  | status  | address   | port  | mountpoint | max_conns |
+-------+---------+-----------+-------+------------+-----------+
| http  | running | 127.0.0.1 | 8888  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| vmq   | running | 0.0.0.0   | 44053 |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| mqtts | stopped | 127.0.0.1 | 8883  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| mqtt  | running | 127.0.0.1 | 1883  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener start address="127.0.0.1" port=8883
can't start listener due to '{already_started,<0.20463.0>}'
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener show
+-------+---------+-----------+-------+------------+-----------+
| type  | status  | address   | port  | mountpoint | max_conns |
+-------+---------+-----------+-------+------------+-----------+
| http  | running | 127.0.0.1 | 8888  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| vmq   | running | 0.0.0.0   | 44053 |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| mqtts | stopped | 127.0.0.1 | 8883  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+
| mqtt  | running | 127.0.0.1 | 1883  |            | 10000     |
+-------+---------+-----------+-------+------------+-----------+

Notice when I try to start the listener again, it believes it's already started and remains stopped.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

I don't have a build script for the repo now, do you think you will publish an update soon of the package if this fixes the bug?

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

@codeadict start and restart in vmq-admin listener have different purposes. Does restart work for you?

What I do not understand in the open issue, is why we do not see a MQTTS listener running at all on 8883. (using vmq-admin listener show)
@maelp to me it looks like the service port is running but not the internal targetport (which is the MQTTS listener).

Maybe you can configure a different port for your MQTTS listener and targetport to decouple things from that 1883/8883 question.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

So you mean I should configure VerneMQ to listen to eg 8884? And have my ingress-nginx do the 8883 -> 8884?

@maelp
Copy link
Author

maelp commented Feb 24, 2023

@ioolkos could the issue come from the Helm template?

@ioolkos
Copy link
Contributor

ioolkos commented Feb 24, 2023

Yeah, that's what I meant.
Helm templates, yes, could also be. Or that secretCert mounts thing. Or maybe special Pulumi magic?
We'll find out :)
Apologies for the friction. Some days Kubernetes just hates us...


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 24, 2023

🤣 yes kubernetes is sometimes a bit complicated

I'll try changing the port.

The secretCert mount seems to be working, because before I did it a different way (like mentioned in your documentation, I was using the certificates.{cert,key,ca} options in values.yamlwhich are perhaps deprecated?) and it wasn't working, there was an error log, which has now disappeared when using the secretMount way of adding certificates

@maelp
Copy link
Author

maelp commented Feb 24, 2023

I doubt it's due to Pulumi, the only thing Pulumi does is translating some DSL to actual yaml files for Kubernetes and applying them

@maelp
Copy link
Author

maelp commented Feb 24, 2023

Although this file seems to be handling the certificates config, so not sure why it wasn't working? https://github.com/vernemq/docker-vernemq/blob/master/helm/vernemq/templates/certificate-secret.yaml

@maelp
Copy link
Author

maelp commented Feb 24, 2023

changing the port to 8884 doesn't change the issue

@maelp
Copy link
Author

maelp commented Feb 24, 2023

For the "certificates" variables issue, could it be because in the certicicates-secret template there is a "$root" which is not in the statefulset file?

certificate-secret:
image

statefulset:
image

@ioolkos
Copy link
Contributor

ioolkos commented Feb 26, 2023

There seems to be an issue in the Docker images for 1.12.6.1 and 1.12.6.2. The issue is not present in the images for 1.12.3 (the previous official release).

The issue does not seem to be in the Linux packages.

In the 1.12.3 Pod, you can even test a connection from within a VerneMQ shell to its own TLS port:

Eshell V11.2.1  (abort with ^G)
(VerneMQ@maverne-vernemq-0.maverne-vernemq-headless.default.svc.cluster.local)1> {ok, S} = ssl:connect("localhost", 8884, [{cacerts, "/etc/ssl/vernemq/ca.crt"}, {verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.24>,tls_connection,
                        undefined},
               [<0.626.0>,<0.625.0>]}}

This will get {error, close} on 1.12.6.2.

Nothing logged in the Verne log, this is a bummer. Investigating. This seems not related to configuration issues. (maybe OpenSSL version?)


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@ioolkos
Copy link
Contributor

ioolkos commented Feb 26, 2023

I think I found the issue. I traced the SSL statemachine and when a connection comes in it gets an enoent error for the ca.crt file.
The reason for this is that it links to ..data/ca.crt from /etc/ssl/vernemq/. It only seems to happen for the ca.crt file.

vernemq@maverne-vernemq-0:~$ ls -al /etc/ssl/vernemq/
total 4
drwxrwsrwt 3 root vernemq  140 Feb 26 20:05 .
drwxr-xr-x 1 root root    4096 Feb 26 20:05 ..
drwxr-sr-x 2 root vernemq  100 Feb 26 20:05 ..2023_02_26_20_05_39.2948119764
lrwxrwxrwx 1 root vernemq   32 Feb 26 20:05 ..data -> ..2023_02_26_20_05_39.2948119764
lrwxrwxrwx 1 root vernemq   13 Feb 26 20:05 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root vernemq   14 Feb 26 20:05 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root vernemq   14 Feb 26 20:05 tls.key -> ..data/tls.key

Now, I can manually do a mkdir ..data and copy ca.crt there, and voilà, the TLS connection is accepted.
Of course, this might be specific to how I set up the certificates (using the secret mount method), so your picture might vary.

But exec into the pod and do a ls -al /etc/ssl/vernemq/
Hopefully we can find a configuration based fix for this.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 26, 2023

I get this indeed:

bash-5.1$ ls -al /etc/ssl/vernemq/
total 4
drwxrwsrwt    3 root     vernemq        140 Feb 24 18:02 .
drwxr-xr-x    1 root     root          4096 Feb 24 18:02 ..
drwxr-sr-x    2 root     vernemq        100 Feb 24 18:02 ..2023_02_24_18_02_56.1832396605
lrwxrwxrwx    1 root     vernemq         32 Feb 24 18:02 ..data -> ..2023_02_24_18_02_56.1832396605
lrwxrwxrwx    1 root     vernemq         13 Feb 24 18:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     vernemq         14 Feb 24 18:02 tls.crt -> ..data/tls.crt
lrwxrwxrwx    1 root     vernemq         14 Feb 24 18:02 tls.key -> ..data/tls.key

@ioolkos
Copy link
Contributor

ioolkos commented Feb 26, 2023

1.12.3 has the same links, though.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@ioolkos
Copy link
Contributor

ioolkos commented Feb 27, 2023

I found an easy fix for this. Use the full linked path for the CAFILE in your values.yaml/ENV variables.

  - name: DOCKER_VERNEMQ_LISTENER__SSL__CAFILE
    value: "/etc/ssl/vernemq/..data/ca.crt"
  - name: DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
    value: "/etc/ssl/vernemq/tls.crt"
  - name: DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
    value: "/etc/ssl/vernemq/tls.key"

👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 27, 2023

It might also be interesting to add info / error logs in the pod if the certificates couldn't be loaded correctly, because for now there was no such logs

@maelp
Copy link
Author

maelp commented Feb 27, 2023

Setting the ENV variables explicitly does not seem to solve the issue on my Helm deployment

@maelp
Copy link
Author

maelp commented Feb 27, 2023

08:14:21.018 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/..data/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,true},{tls_version,'tlsv1.2'},{use_identity_as_username,true},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.460.0>}
08:16:23.322 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,207,93,101,109,171,15,73,140,246,37,247,70,91,86,25,191,97,71,59,244,209,226,97,191,153,221,242,36,107,217,30,127,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'

@maelp
Copy link
Author

maelp commented Feb 27, 2023

it seems to be due to the "cant_parse_connect_fixed_header", is there a way to debug this? Perhaps check whether the bytes do indeed correspond to some valid message?

@ioolkos
Copy link
Contributor

ioolkos commented Feb 27, 2023

Please add listener.ssl.allowed_protocol_versions = 3,4,5 to your config. You can also use a named version:
listener.ssl.default.allowed_protocol_versions = 3,4,5

Also, note that the can't reconfigure mqtts listener is NOT the central issue at hand here. The issue is that we have an MQTT listener running that runs into trouble loading the CA chain when an actual TLS connection comes in. The reconfigure error log will be fixed separately.

The CA issue is unfortunately not captured by the Verne boot validators. We have 3 simple validators on those cert files: file-exists, file-is-readable, and file-is-pem. They pass & the issue only shows in the Erlang SSL statemachine.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@ioolkos
Copy link
Contributor

ioolkos commented Feb 27, 2023

I guess the reason is that for a self-signed situation the client also needs your specific CAfile with the cert chain.
You probably also need to look into the question of hostname verification.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@maelp
Copy link
Author

maelp commented Feb 27, 2023

Okay, got it working, I'll document the minimal changes that are required

@maelp
Copy link
Author

maelp commented Feb 27, 2023

Seems to work with those options

                {"name": "DOCKER_VERNEMQ_ACCEPT_EULA", "value": "yes"},
                {"name": "DOCKER_VERNEMQ_ALLOW_ANONYMOUS", "value": "on"},
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__CAFILE",
                    "value": "/etc/ssl/vernemq/..data/ca.crt",
                },
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE",
                    "value": "/etc/ssl/vernemq/tls.crt",
                },
                {
                    "name": "DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE",
                    "value": "/etc/ssl/vernemq/tls.key",
                },

for some reason, it doesn't work if I don't set explictly DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE and DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE although their values are the same as the defaults?

@maelp
Copy link
Author

maelp commented Feb 27, 2023

Ugh, seems like an Heisenbug, I tried deleting the VerneMQ service and recreating it with the same options, and suddenly it no longer works

@ioolkos
Copy link
Contributor

ioolkos commented Feb 27, 2023

Verne only picks up the settings injected into etc/vernemq.conf in your pod. If in doubt, always look at the last lines in the file.
Yes, I think the SSL_KEYFILE and SSL_CERTFILE need to be set if you want to have an SSL listener.

Be aware that the additional method to configure certs that you see in the main branch was only added 3 weeks ago:

{{- if .Values.certificates }}


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

@ManuelMueller1st
Copy link

@maelp We are facing the same issue. Could you let me know if you managed to fix it?

@ioolkos
Copy link
Contributor

ioolkos commented Jul 10, 2023

@ManuelMueller1st the underlying cause in the packages was fixed but it seems with Helm it can still be an issue.

Please determine what listeners you want to have running.
Then determine which listeners are actually running after a start (vmq-admin listener show).

Then we can determine which listeners to start manually (by adding to ENV), and which listeners are started implicitly by the service definitions. Possibly we can also just solve it by the naming of the listeners.


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants