Comments (57)
@ioolkos I tried adding the variables you sent above, now I have those logs
17:26:37.432 [error] can't reconfigure mqtt listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{proxy_protocol,false},{allowed_protocol_versions,[3,4,5,131]},{allow_anonymous_override,false}] due to {already_started,<0.435.0>}
17:26:37.514 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.435.0>}
from docker-vernemq.
08:14:21.018 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/..data/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,true},{tls_version,'tlsv1.2'},{use_identity_as_username,true},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.460.0>}
08:16:23.322 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,207,93,101,109,171,15,73,140,246,37,247,70,91,86,25,191,97,71,59,244,209,226,97,191,153,221,242,36,107,217,30,127,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'
from docker-vernemq.
Okay, got it working, I'll document the minimal changes that are required
from docker-vernemq.
When connecting with hivemq mqtt-cli I get this log
Restriction request problem information was set but is unused in MQTT Version MQTT_3_1_1
Client '[email protected]' sending CONNECT MqttConnect{keepAlive=60, cleanSession=true, restrictions=MqttConnectRestrictions{receiveMaximum=65535, sendMaximum=65535, maximumPacketSize=268435460, sendMaximumPacketSize=268435460, topicAliasMaximum=0, sendTopicAliasMaximum=16, requestProblemInformation=true, requestResponseInformation=false}}
Client '[email protected]' DISCONNECTED null: com.hivemq.client.mqtt.exceptions.ConnectionFailedException: java.nio.channels.ClosedChannelException
Caused by: java.nio.channels.ClosedChannelException
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1065)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262)
from docker-vernemq.
I checked that the certificates are correct, and the 8883 port is correctly opened, so I guess the error is from the configuration?
Here is the config:
import pulumi
from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
from pulumi_kubernetes.core.v1 import Namespace, Secret
from pulumi_kubernetes.helm.v3 import Chart, ChartOpts
from .env import k8s_provider
# Install the vernemq controller on the cluster
chart_ns = Namespace("vernemq", metadata=ObjectMetaArgs(name="vernemq"))
certificates_secret = Secret(
"vernemq-certificates-secret",
metadata=ObjectMetaArgs(
name="vernemq-certificates-secret", namespace=chart_ns.metadata.name
),
string_data={
"tls.crt": open(
"secrets-data/staging/certs/gsc/gsc.crt", "r", encoding="utf-8"
).read(),
"tls.key": open(
"secrets-data/staging/certs/gsc/private.pem", "r", encoding="utf-8"
).read(),
"ca.crt": open(
"secrets-data/staging/certs/rk/root.crt", "r", encoding="utf-8"
).read(),
},
)
chart = Chart(
"vernemq",
config=ChartOpts(
fetch_opts={"repo": "https://vernemq.github.io/docker-vernemq"},
chart="vernemq",
version="1.8.1",
namespace=chart_ns.metadata.name,
values={
"additionalEnv": [
{"name": "DOCKER_VERNEMQ_ACCEPT_EULA", "value": "yes"},
{"name": "DOCKER_VERNEMQ_ALLOW_ANONYMOUS", "value": "on"},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__CAFILE",
"value": "/etc/ssl/vernemq/ca.crt",
},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE",
"value": "/etc/ssl/vernemq/tls.crt",
},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE",
"value": "/etc/ssl/vernemq/tls.key",
},
],
"persistentVolume": {
"enabled": "true",
"size": "5Gi",
# "storageClass": "..."
},
"service": {
"mqtt": {"enabled": "true", "port": "1883"},
"mqtts": {"enabled": "true", "port": "8883"},
},
"secretMounts": [
{
"name": "vernemq-certificates",
"secretName": "vernemq-certificates-secret",
"path": "/etc/ssl/vernemq",
}
],
},
),
opts=pulumi.ResourceOptions(
provider=k8s_provider, depends_on=[chart_ns, certificates_secret]
),
)
from docker-vernemq.
@maelp there's currently a minor issue coming from configuring default listeners in the release package. Will be fixed in next release.
Disable as much default listeners configs as you can. Then set the MQTTS listener like the one below.
listener.ssl.default=0.0.0.0:8883
listener.ssl.default.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.default.cafile=/etc/ssl/vernemq/ca.crt
listener.ssl.default.certfile=/etc/ssl/vernemq/tls.crt
if the reconfigure error bothers you, try setting an MQTT default listener too
listener.tcp.default = 127.0.0.1:1883
To arrive at those, you have to translate to the ENV variable format here.
I'll look at that client side error later, maybe related to allowed protocol version?
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
(the error seems to be that the server closes the socket when trying to do a SSL connection)
from docker-vernemq.
I'm using a client which handles MQTT 3,4,5 I think (hive mqtt-cli), I'm not sure what version the VerneMQ server is handling, is that configurable?
from docker-vernemq.
I have seen this error @ioolkos , might be fixed on my currently open PR in VerneMQ but we have to double check
from docker-vernemq.
Here's what I added
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT",
"value": "0.0.0.0:8883",
},
{
"name": "DOCKER_VERNEMQ_LISTENER__TCP__DEFAULT",
"value": "127.0.0.1:1883",
},
from docker-vernemq.
But for now it seems I can't connect to VerneMQ with SSL, but perhaps I can do it using a Nginx in front, but this defeats the purpose of using VerneMQ TLS setting which can be convenient (to auto-set the user with the CommonName)
from docker-vernemq.
I'll do some testing on the branch I've opened with these settings. What does vmq-admin listener show
is telling you @maelp ?
from docker-vernemq.
@maelp MQTT protocol versions can be allowed per listener.
listener.ssl.default.allowed_protocol_versions = 3,4,5
Terminating TLS in HAProxy or similar component is often done, yes. Of course, Verne can also terminate TLS without problems; so we'll find out what's happing here.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
@codeadict this is the result
+--------+---------+-----------+-------+------------+-----------+
| type | status | ip | port | mountpoint | max_conns |
+--------+---------+-----------+-------+------------+-----------+
| http | running | 127.0.0.1 | 8888 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
| http | running | 10.4.0.8 | 8888 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
| vmq | running | 10.4.0.8 | 44053 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
| mqttws | running | 10.4.0.8 | 8080 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
| mqtt | running | 127.0.0.1 | 1883 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
| mqtt | running | 10.4.0.8 | 1883 | | 10000 |
+--------+---------+-----------+-------+------------+-----------+
from docker-vernemq.
(weird that there's no mqtts, is that because of the error above?)
from docker-vernemq.
also not sure why there is mqttws although I haven't enabled it?
from docker-vernemq.
If this helps, when I set the log level to debug, I have a lot of these:
08:47:33.345 [debug] Replica meta1: Can't initialize AE exchange due to no peer available
08:47:33.429 [debug] Replica meta9: Can't initialize AE exchange due to no peer available
08:47:33.618 [debug] Replica meta4: Can't initialize AE exchange due to no peer available
08:47:34.507 [debug] Replica meta3: Can't initialize AE exchange due to no peer available
08:47:34.689 [debug] Replica meta8: Can't initialize AE exchange due to no peer available
08:47:34.755 [debug] Replica meta5: Can't initialize AE exchange due to no peer available
08:47:35.127 [debug] Replica meta6: Can't initialize AE exchange due to no peer available
08:47:35.155 [debug] Replica meta10: Can't initialize AE exchange due to no peer available
08:47:35.267 [debug] Replica meta7: Can't initialize AE exchange due to no peer available
from docker-vernemq.
@ioolkos @codeadict when I disable "mqtt" and only enable "mqtts" in the config, I still have the "can't reconfigure mqtts" error
08:54:06.132 [error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[3,4,131]},{allow_anonymous_override,false}] due to {already_started,<0.458.0>}
but then each time I try to connect with SSL I now have this (before I didn't even have a log) and the connection still closes:
09:04:43.371 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,114,105,135,159,176,108,221,9,230,83,91,123,59,137,214,40,86,81,117,114,74,34,165,44,40,75,196,182,67,195,180,244,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'
from docker-vernemq.
@maelp the AE exchange logs above are unrelated and harmless (coming from the sync protocol).
There are other users having troubles with MQTTS listeners in the Docker image, apparently: https://erlangforums.com/t/latest-vernemq-not-allowing-tls-traffic-with-self-signed-ca-certificate/2394
I'll need to check that.
Have you enabled listener.ssl.default.allowed_protocol_versions = 3,4,5
?
from docker-vernemq.
@ioolkos I added this, but same error
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__ALLOWED_PROTOCOL_VERSIONS",
"value": "3,4,5",
},
from docker-vernemq.
Btw, the WS listener comes from the fact that we seem to start one via start script, in case the DOCKER_VERNEMQ variable is not set.
Line 214 in 148c27a
from docker-vernemq.
Can you check on the Pod, what the exact config injected into etc/vernemq/vernemq.conf is and post here?
All values injected are at the end of the conf file between ###START### and ###END###.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
@ioolkos this is what I get
########## Start ##########
listener.ssl.use_identity_as_username=on
listener.ssl.allowed_protocol_versions=3,4,5
accept_eula=yes
listener.tcp.default=127.0.0.1:1883
listener.ssl.default=0.0.0.0:8883
listener.ssl.require_certificate=on
listener.ssl.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.cafile=/etc/ssl/vernemq/ca.crt
log.console=console
listener.tcp.localhost=127.0.0.1:1883
allow_anonymous=on
listener.ssl.certfile=/etc/ssl/vernemq/tls.crt
erlang.distribution.port_range.minimum = 9100
erlang.distribution.port_range.maximum = 9109
listener.ws.default = 10.4.0.13:8080
listener.vmq.clustering = 10.4.0.13:44053
listener.http.metrics = 10.4.0.13:8888
########## End ##########
from docker-vernemq.
Can you also add:
listener.ssl.default.depth = 10
to ensure we're not limited by chain length.
You could also attach to VerneMQ in the Pod by using vernemq attach
.
And then get info with something similar to:
rp(ranch:info({{127,0,0,1},8883})).
(hit Enter)
Detach from Verne with ctrl+g
, then q
.
I'm currently unclear whether you manage to setup an SSL listener or not. (check with vmq-admin listener show
)
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
Adding the default depth of 10 did not change anything
for the command: if I include the final .
(not sure if that was intended), I get the following error:
if I don't include it, I get an empty response
([email protected])1> rp(ranch:info({{127,0,0,1},8883})).
** exception error: bad argument
in function ets:lookup_element/3
called as ets:lookup_element(ranch_server,{listener_sup,{{127,0,0,1},8883}},2)
*** argument 2: not a key that exists in the table
in call from ranch_server:get_listener_sup/1 (/opt/vernemq/_build/default/lib/ranch/src/ranch_server.erl, line 122)
in call from ranch:info/1 (/opt/vernemq/_build/default/lib/ranch/src/ranch.erl, line 434)
([email protected])2> rp(ranch:info({{127,0,0,1},8883}))
([email protected])2>
from docker-vernemq.
If I do it with "1883" instead of "8883" I get this
([email protected])2> rp(ranch:info({{127,0,0,1},1883})).
#{active_connections => 0,all_connections => 0,
ip => {127,0,0,1},
max_connections => 10000,
metrics =>
#{{conns_sup,1,accept} => 0,
{conns_sup,1,terminate} => 0,
{conns_sup,2,accept} => 0,
{conns_sup,2,terminate} => 0,
{conns_sup,3,accept} => 0,
{conns_sup,3,terminate} => 0,
{conns_sup,4,accept} => 0,
{conns_sup,4,terminate} => 0,
{conns_sup,5,accept} => 0,
{conns_sup,5,terminate} => 0,
{conns_sup,6,accept} => 0,
{conns_sup,6,terminate} => 0,
{conns_sup,7,accept} => 0,
{conns_sup,7,terminate} => 0,
{conns_sup,8,accept} => 0,
{conns_sup,8,terminate} => 0,
{conns_sup,9,accept} => 0,
{conns_sup,9,terminate} => 0,
{conns_sup,10,accept} => 0,
{conns_sup,10,terminate} => 0},
pid => <0.458.0>,port => 1883,protocol => vmq_ranch,
protocol_options =>
[{mountpoint,[]},
{allowed_protocol_versions,[3,4,5,131]},
{allow_anonymous_override,false},
{buffer_sizes,undefined}],
status => running,transport => ranch_tcp,
transport_options =>
#{max_connections => 10000,num_acceptors => 10,
socket_opts =>
[{ip,{127,0,0,1}},
{port,1883},
{nodelay,true},
{linger,{true,0}},
{send_timeout,30000},
{send_timeout_close,true}]}}
ok
so I guess for some reason the mqtts handler is not launched, although I think I configured everything? is that related to the error above where it complains that it cannot reconfigure the listener (not sure why it tries to reconfigure the mqtts listener on 1883 instead of 8883?)
from docker-vernemq.
It seems though that the 8883 port is correctly opened (and correctly proxied-through by the ingress-nginx TCP proxy in front), because when I try to make a MQTTS request on 8883 I get this log to appear on the service logs
14:29:10.285 [warning] session stopped abnormally due to '{cant_parse_connect_fixed_header,<<22,3,3,0,240,1,0,0,236,3,3,95,237,223,125,180,210,123,10,168,11,41,16,254,209,7,51,234,66,84,195,188,130,8,2,82,22,116,40,207,75,203,201,0,0,18,192,44,192,43,192,47,192,48,192,19,192,20,0,156,0,47,0,53,1,0,0,177,0,0,0,25,0,23,0,0,20,119,101,98,45,97,112,112,45,49,46,103,111,117,97,99,104,46,99,111,109,0,5,0,5,1,0,0,0,0,0,10,0,12,0,10,0,29,0,23,0,24,0,25,0,30,0,11,0,2,1,0,0,13,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,50,0,40,0,38,4,3,5,3,6,3,8,4,8,5,8,6,8,9,8,10,8,11,4,1,5,1,6,1,4,2,3,3,3,1,3,2,2,3,2,1,2,2,0,17,0,9,0,7,2,0,4,0,0,0,0,0,23,0,0,0,43,0,3,2,3,3,255,1,0,1,0>>}'
from docker-vernemq.
and if I try to send a non-SSL MQTT message on port 8883 (to try), I don't see a log on the server, and the socket is closed immediately
from docker-vernemq.
Yeah, it's weird. Can you add the TLS listener not with 0.0.0.0
but that actual internal IP like the other listeners?
You can add as many TLS listeners on different ports as you want... that 1883 reconfigure thing should not matter here.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
I'm not sure how to do this, since I guess with Kubernetes each time I deploy I might be on a different node IP no?
from docker-vernemq.
for the "1883 reconfigure", the thing which surprises me is that it says both "mqtts" and "1883". Shouldn't it be "8883" that it tries to reconfigure for mqtts?
from docker-vernemq.
The bug with the default listener should be fixed in my branch vernemq/vernemq#2078, if you can build Docker pointing to that it would be great. Although I believe there is still some bug that might have been caused by our latest ranch upgrade, I'm still researching the changes in ranch. But this is what I see:
^C%
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener stop address="127.0.0.1" port=8883
Done
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener show
+-------+---------+-----------+-------+------------+-----------+
| type | status | address | port | mountpoint | max_conns |
+-------+---------+-----------+-------+------------+-----------+
| http | running | 127.0.0.1 | 8888 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| vmq | running | 0.0.0.0 | 44053 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| mqtts | stopped | 127.0.0.1 | 8883 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| mqtt | running | 127.0.0.1 | 1883 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener start address="127.0.0.1" port=8883
can't start listener due to '{already_started,<0.20463.0>}'
codeadict@andromeda vernemq % _build/default/rel/vernemq/bin/vmq-admin listener show
+-------+---------+-----------+-------+------------+-----------+
| type | status | address | port | mountpoint | max_conns |
+-------+---------+-----------+-------+------------+-----------+
| http | running | 127.0.0.1 | 8888 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| vmq | running | 0.0.0.0 | 44053 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| mqtts | stopped | 127.0.0.1 | 8883 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
| mqtt | running | 127.0.0.1 | 1883 | | 10000 |
+-------+---------+-----------+-------+------------+-----------+
Notice when I try to start the listener again, it believes it's already started and remains stopped.
from docker-vernemq.
I don't have a build script for the repo now, do you think you will publish an update soon of the package if this fixes the bug?
from docker-vernemq.
@codeadict start and restart in vmq-admin listener
have different purposes. Does restart
work for you?
What I do not understand in the open issue, is why we do not see a MQTTS listener running at all on 8883. (using vmq-admin listener show
)
@maelp to me it looks like the service port is running but not the internal targetport (which is the MQTTS listener).
Maybe you can configure a different port for your MQTTS listener and targetport to decouple things from that 1883/8883 question.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
So you mean I should configure VerneMQ to listen to eg 8884? And have my ingress-nginx do the 8883 -> 8884?
from docker-vernemq.
@ioolkos could the issue come from the Helm template?
from docker-vernemq.
Yeah, that's what I meant.
Helm templates, yes, could also be. Or that secretCert mounts thing. Or maybe special Pulumi magic?
We'll find out :)
Apologies for the friction. Some days Kubernetes just hates us...
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
🤣 yes kubernetes is sometimes a bit complicated
I'll try changing the port.
The secretCert
mount seems to be working, because before I did it a different way (like mentioned in your documentation, I was using the certificates.{cert,key,ca}
options in values.yaml
which are perhaps deprecated?) and it wasn't working, there was an error log, which has now disappeared when using the secretMount way of adding certificates
from docker-vernemq.
I doubt it's due to Pulumi, the only thing Pulumi does is translating some DSL to actual yaml
files for Kubernetes and applying them
from docker-vernemq.
Although this file seems to be handling the certificates
config, so not sure why it wasn't working? https://github.com/vernemq/docker-vernemq/blob/master/helm/vernemq/templates/certificate-secret.yaml
from docker-vernemq.
changing the port to 8884 doesn't change the issue
from docker-vernemq.
For the "certificates" variables issue, could it be because in the certicicates-secret template there is a "$root" which is not in the statefulset file?
from docker-vernemq.
There seems to be an issue in the Docker images for 1.12.6.1
and 1.12.6.2
. The issue is not present in the images for 1.12.3
(the previous official release).
The issue does not seem to be in the Linux packages.
In the 1.12.3
Pod, you can even test a connection from within a VerneMQ shell to its own TLS port:
Eshell V11.2.1 (abort with ^G)
(VerneMQ@maverne-vernemq-0.maverne-vernemq-headless.default.svc.cluster.local)1> {ok, S} = ssl:connect("localhost", 8884, [{cacerts, "/etc/ssl/vernemq/ca.crt"}, {verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.24>,tls_connection,
undefined},
[<0.626.0>,<0.625.0>]}}
This will get {error, close}
on 1.12.6.2
.
Nothing logged in the Verne log, this is a bummer. Investigating. This seems not related to configuration issues. (maybe OpenSSL version?)
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
I think I found the issue. I traced the SSL statemachine and when a connection comes in it gets an enoent error for the ca.crt
file.
The reason for this is that it links to ..data/ca.crt
from /etc/ssl/vernemq/
. It only seems to happen for the ca.crt
file.
vernemq@maverne-vernemq-0:~$ ls -al /etc/ssl/vernemq/
total 4
drwxrwsrwt 3 root vernemq 140 Feb 26 20:05 .
drwxr-xr-x 1 root root 4096 Feb 26 20:05 ..
drwxr-sr-x 2 root vernemq 100 Feb 26 20:05 ..2023_02_26_20_05_39.2948119764
lrwxrwxrwx 1 root vernemq 32 Feb 26 20:05 ..data -> ..2023_02_26_20_05_39.2948119764
lrwxrwxrwx 1 root vernemq 13 Feb 26 20:05 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root vernemq 14 Feb 26 20:05 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root vernemq 14 Feb 26 20:05 tls.key -> ..data/tls.key
Now, I can manually do a mkdir ..data
and copy ca.crt
there, and voilà, the TLS connection is accepted.
Of course, this might be specific to how I set up the certificates (using the secret mount method), so your picture might vary.
But exec into the pod and do a ls -al /etc/ssl/vernemq/
Hopefully we can find a configuration based fix for this.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
I get this indeed:
bash-5.1$ ls -al /etc/ssl/vernemq/
total 4
drwxrwsrwt 3 root vernemq 140 Feb 24 18:02 .
drwxr-xr-x 1 root root 4096 Feb 24 18:02 ..
drwxr-sr-x 2 root vernemq 100 Feb 24 18:02 ..2023_02_24_18_02_56.1832396605
lrwxrwxrwx 1 root vernemq 32 Feb 24 18:02 ..data -> ..2023_02_24_18_02_56.1832396605
lrwxrwxrwx 1 root vernemq 13 Feb 24 18:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root vernemq 14 Feb 24 18:02 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root vernemq 14 Feb 24 18:02 tls.key -> ..data/tls.key
from docker-vernemq.
1.12.3
has the same links, though.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
I found an easy fix for this. Use the full linked path for the CAFILE in your values.yaml
/ENV variables.
- name: DOCKER_VERNEMQ_LISTENER__SSL__CAFILE
value: "/etc/ssl/vernemq/..data/ca.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
value: "/etc/ssl/vernemq/tls.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
value: "/etc/ssl/vernemq/tls.key"
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
It might also be interesting to add info / error logs in the pod if the certificates couldn't be loaded correctly, because for now there was no such logs
from docker-vernemq.
Setting the ENV variables explicitly does not seem to solve the issue on my Helm deployment
from docker-vernemq.
it seems to be due to the "cant_parse_connect_fixed_header", is there a way to debug this? Perhaps check whether the bytes do indeed correspond to some valid message?
from docker-vernemq.
Please add listener.ssl.allowed_protocol_versions = 3,4,5
to your config. You can also use a named version:
listener.ssl.default.allowed_protocol_versions = 3,4,5
Also, note that the can't reconfigure mqtts listener
is NOT the central issue at hand here. The issue is that we have an MQTT listener running that runs into trouble loading the CA chain when an actual TLS connection comes in. The reconfigure error log will be fixed separately.
The CA issue is unfortunately not captured by the Verne boot validators. We have 3 simple validators on those cert files: file-exists
, file-is-readable
, and file-is-pem
. They pass & the issue only shows in the Erlang SSL statemachine.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
I guess the reason is that for a self-signed situation the client also needs your specific CAfile with the cert chain.
You probably also need to look into the question of hostname verification.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
Seems to work with those options
{"name": "DOCKER_VERNEMQ_ACCEPT_EULA", "value": "yes"},
{"name": "DOCKER_VERNEMQ_ALLOW_ANONYMOUS", "value": "on"},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__CAFILE",
"value": "/etc/ssl/vernemq/..data/ca.crt",
},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE",
"value": "/etc/ssl/vernemq/tls.crt",
},
{
"name": "DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE",
"value": "/etc/ssl/vernemq/tls.key",
},
for some reason, it doesn't work if I don't set explictly DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
and DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
although their values are the same as the defaults?
from docker-vernemq.
Ugh, seems like an Heisenbug, I tried deleting the VerneMQ service and recreating it with the same options, and suddenly it no longer works
from docker-vernemq.
Verne only picks up the settings injected into etc/vernemq.conf
in your pod. If in doubt, always look at the last lines in the file.
Yes, I think the SSL_KEYFILE and SSL_CERTFILE need to be set if you want to have an SSL listener.
Be aware that the additional method to configure certs that you see in the main branch was only added 3 weeks ago:
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
@maelp We are facing the same issue. Could you let me know if you managed to fix it?
from docker-vernemq.
@ManuelMueller1st the underlying cause in the packages was fixed but it seems with Helm it can still be an issue.
Please determine what listeners you want to have running.
Then determine which listeners are actually running after a start (vmq-admin listener show
).
Then we can determine which listeners to start manually (by adding to ENV), and which listeners are started implicitly by the service definitions. Possibly we can also just solve it by the naming of the listeners.
👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
from docker-vernemq.
Related Issues (20)
- Upgrade to alpine 3.17 and change openssl to openssl1.1-compat
- Uncaught target signal 11 (Segmentation fault) - core dumped HOT 5
- VerneMQ cluster not working in Ipv6 only environment on Kubernetes HOT 11
- Container Crashes on DOCKER_VERNEMQ_ALLOW_MULTIPLE_SESSIONS HOT 2
- latest values.yaml mentions 1.13.0-alpine but that doesn't exist in dockerhub HOT 5
- Harcoded spec.type in template api-service.yaml
- some regular questions... HOT 5
- Configuring VerneMQ via Docker Image in Azure container app
- Restart of single node vernemq cluster triggers a cluster-leave scenario HOT 2
- wss and mqtts ports are not properly configured in helm chart
- Error in Kubernetes when not use helm-chart or operator HOT 2
- join_cluster missing in alpine image? HOT 4
- Hard to understand k8s secret name in Helm chart for TLS certificates HOT 4
- Docker swarm deployment with multiple networks not possible HOT 3
- List of CVE Vulnerabilities found in the Alpine Docker image HOT 3
- Helm chart: Configurable securityContext on container level
- Support custom ports on the headless service HOT 2
- Use of imagePullSecrets in the helm chart
- Kubernetes healthcheck gives access denied HOT 12
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from docker-vernemq.