Set CN to container DNS name

Related to https://github.com/docker-library/rabbitmq/pull/652 Give a TLS dist optfile a try Remove `fail_if_no_peer_cert` option for client. It does not seem to be supported by OTP 26 🤔
2023-06-28 07:17:48 -07:00 · 2023-06-28 07:17:48 -07:00 · e3a18575e3
parent 51c2cd07e4
commit e3a18575e3
3 changed files with 24 additions and 9 deletions
--- a/test/tests/rabbitmq-tls/inet-dist-tls.config
+++ b/test/tests/rabbitmq-tls/inet-dist-tls.config
@ -0,0 +1,17 @@
+[
+    {server, [
+        {cacertfile,"/certs/ca.crt"},
+        {certfile, "/certs/cert.crt"},
+        {keyfile, "/certs/private.key"},
+        {secure_renegotiate, true},
+        {verify, verify_peer},
+        {fail_if_no_peer_cert, true}
+    ]},
+    {client, [
+        {cacertfile,"/certs/ca.crt"},
+        {certfile, "/certs/cert.crt"},
+        {keyfile, "/certs/private.key"},
+        {secure_renegotiate, true},
+        {verify, verify_peer}
+    ]}
+].
--- a/test/tests/rabbitmq-tls/rabbitmq-env.conf
+++ b/test/tests/rabbitmq-tls/rabbitmq-env.conf
@ -3,13 +3,11 @@
 # https://www.rabbitmq.com/clustering-ssl.html
 ERL_SSL_PATH="$(erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell)"

-sslErlArgs="-pa $ERL_SSL_PATH 
-    -proto_dist inet_tls
-    -ssl_dist_opt server_certfile /certs/combined.pem
-    -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
+sslErlArgs="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inet-dist-tls.config"

 SERVER_ADDITIONAL_ERL_ARGS="$sslErlArgs"
 CTL_ERL_ARGS="$sslErlArgs"
+
 if [ -n "$ERLANG_COOKIE" ]; then
 	SERVER_ADDITIONAL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS -setcookie $ERLANG_COOKIE"
 	CTL_ERL_ARGS="$CTL_ERL_ARGS -setcookie $ERLANG_COOKIE"
--- a/test/tests/rabbitmq-tls/run.sh
+++ b/test/tests/rabbitmq-tls/run.sh
@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail

+cname="rabbitmq-container-$RANDOM-$RANDOM"
 dir="$(dirname "$(readlink -f "$BASH_SOURCE")")"
-
 serverImage="$("$dir/../image-name.sh" librarytest/rabbitmq-tls-server "$1")"
+
 "$dir/../docker-build.sh" "$dir" "$serverImage" <<EOD
 FROM $1
 RUN set -eux; \
@ -13,10 +14,10 @@ RUN set -eux; \
 		-key /certs/ca-private.key \
 		-out /certs/ca.crt \
 		-days $(( 365 * 30 )) \
-		-subj '/CN=lolca'; \
+		-subj '/CN=$cname-CA'; \
 	openssl genrsa -out /certs/private.key 4096; \
 	openssl req -new -key /certs/private.key \
-		-out /certs/cert.csr -subj '/CN=lolcert'; \
+		-out /certs/cert.csr -subj '/CN=$cname'; \
 	openssl x509 -req -in /certs/cert.csr \
 		-CA /certs/ca.crt -CAkey /certs/ca-private.key -CAcreateserial \
 		-out /certs/cert.crt -days $(( 365 * 30 )); \
@ -25,7 +26,7 @@ RUN set -eux; \
 	chmod 0400 /certs/combined.pem; \
 	chown -R rabbitmq:rabbitmq /certs

-COPY --chown=rabbitmq:rabbitmq dir/*.conf /etc/rabbitmq/
+COPY --chown=rabbitmq:rabbitmq dir/*.conf* /etc/rabbitmq/
 EOD

 testImage="$("$dir/../image-name.sh" librarytest/rabbitmq-tls-test "$1")"
@ -44,7 +45,6 @@ EOD

 export ERLANG_COOKIE="rabbitmq-erlang-cookie-$RANDOM-$RANDOM"

-cname="rabbitmq-container-$RANDOM-$RANDOM"
 cid="$(docker run -d --name "$cname" --hostname "$cname" -e ERLANG_COOKIE "$serverImage")"
 trap "docker rm -vf $cid > /dev/null" EXIT