How to enable TLS communication for OTP (eg. gen_server)

I have created a self-signed certificate and configured it for a gen_server.

[
  {server, [
    {certfile, "/home/xxxx/tlstest/spx.pem"},
    {log_level, debug},
    {log_alert, true},
    {secure_renegotiate, true}
  ]},
  {client, [
    {secure_renegotiate, true}
  ]}
].

I started the server and checked using openssl

openssl s_client -connect spx:<port> -prexit

A lot of debug output is displayed on the server side and the openssl output looks reasonable to me.

When I try to call a server function from another node

erl -name d1 -setcookie t_cook -proto_dist inet_tls -ssl_dist_optfile "/home/xxxx/tlstest/inet_tls_pem.conf"
gen_server:call({t, 'dev-t@spx.xxx.de'}, xx).
(d1@bku.xxxx.de)1> gen_server:call({t, 'dev-t@spx.xxxx.de'}, xx).
** exception exit: {{nodedown,'dev-t@spx.xxxx.de'},
                    {gen_server,call,[{t,'dev-t@spx.xxxx.de'},xx]}}
     in function  gen_server:call/2 (gen_server.erl, line 1142)

Nothing is displayed on the server side.

When I remove the TLS config (remove -proto_dist inet_tls and -ssl_dist_optfile) on both sides, gen_server:call succeeds.

My environment: Debian Linux, Erlang/OTP 27 [erts-15.2.2]

I feel that I have missed something but do not have a clue what it might be.

Addendum:

net_kernel:connect_node('dev-t@bku.xxxx.de').

just displays false

Did you set a cookie file? When you try to call gen_server from the other server, did you run net_adm:ping('dev-t@spx.xxx.de'). from the shell? Please also provide the full stack trace of the error from the Erlang shell. Also, please read the documentation carefully: Erlang Distribution over TLS — ssl v11.2.7.

I could solve this issue myself by adding
```
{cacertfile, "…" },
```
to the configuration of both sides and replacing -sname by -name on both sides.

Remark: it's working now, including SNI and peer verification. I must admit that I was kind of confused by Erlang Distribution over TLS — ssl v11.2.7, as things are much simpler when you have an OTP application and use rebar3.

FWIW, I also struggled with the OTP docs, so I wrote it all up as a blog post: Erlang TLS Distribution | Roger's Blog


It reassures me to see that it wasn’t just me.

Could someone please help? I am using RabbitMQ version 3.13.3 and Erlang version 26.2.5.1.
I am facing an issue where the rabbitmqctl status command is not working. I am getting the following error with the current rabbitmq-env.conf configuration:

RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tls -proto_dist inet_tls -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"

RABBITMQ_CTL_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tls -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"

RABBITMQ_PLUGINS_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tls -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"


[rabbit@node]$ /usr/lib/rabbitmq/bin/rabbitmqctl status
Error: unable to perform an operation on node 'rabbit@node'. Please see diagnostics information and suggestions below.

Most common reasons for this are:

  • Target node is unreachable (e.g. due to hostname resolution, TCP connection or firewall issues)
  • CLI tool fails to authenticate with the server (e.g. due to CLI tool’s Erlang cookie not matching that of the server)
  • Target node is not running

In addition to the diagnostics info below:

  • See the CLI, clustering and networking guides on RabbitMQ Documentation | RabbitMQ to learn more
  • Consult server logs on node rabbit@node
  • If target node is configured to use long node names, don’t forget to use --longnames with CLI tools

DIAGNOSTICS

attempted to contact: ['rabbit@node']

rabbit@node:

  • connected to epmd (port 4369) on node
  • epmd reports node ‘rabbit’ uses port 25672 for inter-node and CLI tool traffic
  • TCP connection succeeded but Erlang distribution failed
  • suggestion: check if the Erlang cookie is identical for all server nodes and CLI tools
  • suggestion: check if all server nodes and CLI tools use consistent hostnames when addressing each other
  • suggestion: check if inter-node connections may be configured to use TLS. If so, all nodes and CLI tools must do that
  • suggestion: see the CLI, clustering and networking guides on RabbitMQ Documentation | RabbitMQ to learn more

Current node details:

  • node name: 'rabbitmqcli-846-rabbit@node'
  • effective user’s home directory: /data/rabbitmq
  • Erlang cookie hash: S2emRi+iF1PhWmw3i4myjg==

But when I changed -proto_dist to inet_tcp, it started working.
However, after going through the documentation, I found that the inet_tcp option is not very secure, so I still need to enable the inet_tls option.

RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tcp -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"

RABBITMQ_CTL_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tcp -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"

RABBITMQ_PLUGINS_ERL_ARGS="-pa ${ERL_SSL_PATH} -proto_dist inet_tcp -ssl_dist_opt server_certfile /data/rabbitmq/certs/server/rabbit.pem -ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true"

Could you guys please help with how I can resolve this issue so that I can use TLS? [I tried adding all the ciphers in rabbitmq-env.conf, but the 'rabbitmqctl status' CLI is still failing.]
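An added helper script (not from either poster) that bakes in the fix found earlier in the thread, a cacertfile plus peer verification on both sides and long node names, in the two forms seen here: the -ssl_dist_optfile file from the first question and the inline -ssl_dist_opt flags that rabbitmq-env.conf passes to erl (which, in the configuration above, likewise set only server_certfile). `verify_peer` and `fail_if_no_peer_cert` are standard ssl application options rather than settings from the thread; all paths and node names are placeholders.

```shell
#!/bin/sh
# Added example: write an inet_tls optfile with cacertfile + verify_peer on
# BOTH sides, emit the same settings as -ssl_dist_opt flags, and pre-check the
# two mistakes seen in the thread: no CA file and a short (-sname) node name.

# -name yields name@host.with.dots; -sname yields name@host (no dot after '@').
is_long_node_name() {
    case "$1" in
        *@*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# $1=output optfile, $2=node cert+key PEM, $3=CA PEM (placeholders)
write_inet_tls_optfile() {
    cat > "$1" <<EOF
[
  {server, [{certfile, "$2"}, {cacertfile, "$3"},
            {verify, verify_peer}, {fail_if_no_peer_cert, true},
            {secure_renegotiate, true}]},
  {client, [{certfile, "$2"}, {cacertfile, "$3"},
            {verify, verify_peer}, {secure_renegotiate, true}]}
].
EOF
}

# Same settings as inline flags (RABBITMQ_*_ERL_ARGS style); $1=cert, $2=CA
inet_tls_erl_args() {
    printf '%s' "-proto_dist inet_tls" \
        " -ssl_dist_opt server_certfile $1 -ssl_dist_opt server_cacertfile $2" \
        " -ssl_dist_opt server_verify verify_peer -ssl_dist_opt server_secure_renegotiate true" \
        " -ssl_dist_opt client_certfile $1 -ssl_dist_opt client_cacertfile $2" \
        " -ssl_dist_opt client_verify verify_peer -ssl_dist_opt client_secure_renegotiate true"
}

# Pre-flight check; prints "ok" or the first problem. $1=node, $2=cert, $3=CA
check_dist_tls() {
    is_long_node_name "$1" || { echo "short node name $1: use -name, not -sname"; return 1; }
    [ -r "$2" ] || { echo "certfile not readable: $2"; return 1; }
    [ -r "$3" ] || { echo "cacertfile not readable: $3 (needed on both sides)"; return 1; }
    echo ok
}

# Usage (placeholder paths):
# write_inet_tls_optfile /etc/erl/inet_tls.conf /etc/erl/node.pem /etc/erl/ca.pem
# check_dist_tls dev-t@spx.example.de /etc/erl/node.pem /etc/erl/ca.pem &&
#   erl -name dev-t@spx.example.de -proto_dist inet_tls -ssl_dist_optfile /etc/erl/inet_tls.conf
```

Both peers must reference a CA file that actually issued the other side's certificate; the check only confirms the files are present and the node name is in long form.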