diff --git a/hooks/rabbit_utils.py b/hooks/rabbit_utils.py
index d71edd31..cd5008b9 100644
--- a/hooks/rabbit_utils.py
+++ b/hooks/rabbit_utils.py
@@ -280,8 +280,10 @@ def enable_ssl(ssl_key, ssl_cert, ssl_port,
 
     if ssl_ca:
         data["ssl_ca_file"] = ssl_ca_file
-
-    return data
+
+    with open(RABBITMQ_CONF, 'w') as rmq_conf:
+        rmq_conf.write(render_template(
+            os.path.basename(RABBITMQ_CONF), data))
 
 
 def execute(cmd, die=False, echo=False):
diff --git a/hooks/rabbitmq_server_relations.py b/hooks/rabbitmq_server_relations.py
index 9297548c..eb329ba5 100755
--- a/hooks/rabbitmq_server_relations.py
+++ b/hooks/rabbitmq_server_relations.py
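Review bot: The new `with open(RABBITMQ_CONF, 'w')` truncates the broker config in place, so a hook that is interrupted between the open and the write leaves an empty rabbitmq.config behind until the next successful run; rendering into a temporary file beside it and renaming over RABBITMQ_CONF keeps the previous configuration intact on failure. The function also stops returning `data`, so any caller other than the relations hook updated in this commit that consumed the returned dict now receives None (no other callers are visible here). enable_ssl's signature and docstring lie outside the hunk and should be updated to say that the function renders and writes RABBITMQ_CONF instead of returning the template context.
```python
    tmp_conf = RABBITMQ_CONF + '.tmp'
    with open(tmp_conf, 'w') as rmq_conf:
        rmq_conf.write(render_template(
            os.path.basename(RABBITMQ_CONF), data))
    # rename is atomic on the same filesystem, so readers never see a partial file
    os.rename(tmp_conf, RABBITMQ_CONF)
```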
@@ -475,37 +475,32 @@ def configure_rabbit_ssl():
 
     """
     ssl_mode, external_ca = _get_ssl_mode()
-    data = {}
     if ssl_mode == 'off':
         if os.path.exists(rabbit.RABBITMQ_CONF):
             os.remove(rabbit.RABBITMQ_CONF)
         close_port(config('ssl_port'))
         reconfigure_client_ssl()
-    else:
-        ssl_key = _convert_from_base64(config('ssl_key'))
-        ssl_cert = _convert_from_base64(config('ssl_cert'))
-        ssl_ca = _convert_from_base64(config('ssl_ca'))
-        ssl_port = config('ssl_port')
-
-        # If external managed certs then we need all the fields.
-        if (ssl_mode in ('on', 'only') and any((ssl_key, ssl_cert)) and
-                not all((ssl_key, ssl_cert))):
-            log('If ssl_key or ssl_cert are specified both are required.',
-                level=ERROR)
-            sys.exit(1)
-
-        if not external_ca:
-            ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()
-
-        data.update(rabbit.enable_ssl(ssl_key, ssl_cert, ssl_port, ssl_ca,
-                                      ssl_only=(ssl_mode == "only"),
-                                      ssl_client=False))
-        reconfigure_client_ssl(True)
-        open_port(ssl_port)
+        return
+    ssl_key = _convert_from_base64(config('ssl_key'))
+    ssl_cert = _convert_from_base64(config('ssl_cert'))
+    ssl_ca = _convert_from_base64(config('ssl_ca'))
+    ssl_port = config('ssl_port')
 
-    with open(rabbit.RABBITMQ_CONF, 'w') as rmq_conf:
-        rmq_conf.write(rabbit.render_template(
-            os.path.basename(rabbit.RABBITMQ_CONF), data))
+    # If external managed certs then we need all the fields.
+    if (ssl_mode in ('on', 'only') and any((ssl_key, ssl_cert)) and
+            not all((ssl_key, ssl_cert))):
+        log('If ssl_key or ssl_cert are specified both are required.',
+            level=ERROR)
+        sys.exit(1)
+
+    if not external_ca:
+        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()
+
+    rabbit.enable_ssl(
+        ssl_key, ssl_cert, ssl_port, ssl_ca,
+        ssl_only=(ssl_mode == "only"), ssl_client=False)
+    reconfigure_client_ssl(True)
+    open_port(ssl_port)
 
 
 @hooks.hook('config-changed')
diff --git a/templates/rabbitmq.config b/templates/rabbitmq.config
index b74d4393..7246ee94 100644
--- a/templates/rabbitmq.config
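Review bot: The guard `any((ssl_key, ssl_cert)) and not all((ssl_key, ssl_cert))` still lets the case where neither ssl_key nor ssl_cert is set reach `rabbit.enable_ssl`, and now that the template's `{% if ssl_key_file %}` guard is removed in this same commit the rendered config would carry empty `certfile`/`keyfile` entries and `open_port(ssl_port)` would expose a listener the broker cannot serve. If `external_ca` (computed in `_get_ssl_mode()`, outside the hunk) means the operator supplies the certificate material, the check should require both values in that case rather than only when one of them is present, e.g. `if ssl_mode in ('on', 'only') and external_ca and not all((ssl_key, ssl_cert)):` with the existing log/exit lines unchanged. configure_rabbit_ssl's signature and docstring begin before the hunk; the docstring should mention that the function exits the hook with status 1 on an incomplete key/cert pair.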
+++ b/templates/rabbitmq.config
@@ -1,6 +1,5 @@
 [
-    {rabbit, [
-{% if ssl_key_file %}
+  {rabbit, [
 {% if ssl_only %}
     {tcp_listeners, []},
 {% else %}
@@ -10,18 +9,13 @@
     {ssl_options, [
       {verify, verify_peer},
 {% if ssl_client %}
-      {fail_if_no_peer_cert, true},
+       {fail_if_no_peer_cert, true},
 {% else %}
-      {fail_if_no_peer_cert, false},
-{% endif %}
-{% if ssl_ca_file %}
-      {cacertfile, "{{ ssl_ca_file }}"},
-{% endif %}
+       {fail_if_no_peer_cert, false},
+{% endif %}{% if ssl_ca_file %}
+       {cacertfile, "{{ ssl_ca_file }}"}, {% endif %}
     {certfile, "{{ ssl_cert_file }}"},
     {keyfile, "{{ ssl_key_file }}"}
-  ]},
-{% endif %}
-  {heartbeat, 60}
+  ]}
 ]}
-].
-
+].
\ No newline at end of file
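Review bot: `{heartbeat, 60}` is dropped together with the closing `{% endif %}` and is not re-added, so the broker falls back to its default heartbeat for every deployment even though the commit is about the SSL block; unless that is intended, keep `  {heartbeat, 60}` in the rabbit list after the `]},` that closes ssl_options (which then needs its trailing comma back). The joined `{cacertfile, "{{ ssl_ca_file }}"}, {% endif %}` line renders fine but hides the end of the `{% if ssl_ca_file %}` block; putting `{% endif %}` on its own line, as the `{% if ssl_client %}` block still does, keeps the conditionals readable. The new file also ends without a trailing newline (`\ No newline at end of file`), which is worth restoring for tooling that diffs or concatenates the rendered config.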