Validate TLS certificate files contain valid PEM data at startup

RabbitMQ currently accepts invalid TLS certificate files at startup
without validation, only failing silently when clients attempt to
connect. This occurs because Erlang's TLS implementation lazily loads
certificates on first connection rather than at configuration time.
Users may not discover misconfigured certificates until production
traffic fails.

This change adds a `pem_file` validator to the cuttlefish schema that
reads certificate files and validates they contain valid PEM data using
`public_key:pem_decode/1`. The validator rejects empty files and files
without valid PEM entries, causing RabbitMQ to fail at startup with a
clear error message identifying the invalid file.

The validator applies to all TLS certificate file mappings across 6
schema files: `cacertfile`, `certfile`, and `keyfile` for main
listeners, definitions import, syslog, HTTP auth backend, LDAP auth
backend, and peer discovery (Consul, etcd, Kubernetes). DH parameter
files continue using the existing `file_accessible` validator since they
are not PEM-encoded certificates.

Fixes #15065

Author: lukebakken

deps/rabbit/priv/schema/rabbit.schema

@@ -175,10 +175,10 @@ end}.
     {datatype, {enum, [true, false]}}]}.
 
 {mapping, "definitions.tls.cacertfile", "rabbit.definitions.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "definitions.tls.certfile", "rabbit.definitions.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "definitions.tls.cert", "rabbit.definitions.ssl_options.cert",
     [{datatype, string}]}.
@@ -214,7 +214,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "definitions.tls.keyfile", "rabbit.definitions.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "definitions.tls.log_alert", "rabbit.definitions.ssl_options.log_alert",
     [{datatype, {enum, [true, false]}}]}.
@@ -316,10 +316,10 @@ end}.
     {datatype, {enum, [true, false]}}]}.
 
 {mapping, "ssl_options.cacertfile", "rabbit.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "ssl_options.certfile", "rabbit.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "ssl_options.cert", "rabbit.ssl_options.cert",
     [{datatype, string}]}.
@@ -373,7 +373,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "ssl_options.keyfile", "rabbit.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "ssl_options.log_level", "rabbit.ssl_options.log_level",
     [{datatype, {enum, [emergency, alert, critical, error, warning, notice, info, debug]}}]}.
@@ -1915,10 +1915,10 @@ end}.
     {datatype, {enum, [true, false]}}]}.
 
 {mapping, "log.syslog.ssl_options.cacertfile", "syslog.protocol",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "log.syslog.ssl_options.certfile", "syslog.protocol",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "log.syslog.ssl_options.cert", "syslog.protocol",
     [{datatype, string}]}.
@@ -1954,7 +1954,7 @@ end}.
     [{datatype, string}]}.
 
 {mapping, "log.syslog.ssl_options.keyfile", "syslog.protocol",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "log.syslog.ssl_options.log_alert", "syslog.protocol",
     [{datatype, {enum, [true, false]}}]}.
@@ -2889,6 +2889,14 @@ fun(File) ->
     end
 end}.
 
+{validator, "pem_file", "PEM file does not exist, cannot be read, or does not contain valid X509 certificate data",
+fun(File) ->
+    case file:read_file(File) of
+        {ok, Bin} -> public_key:pem_decode(Bin) =/= [];
+        _ -> false
+    end
+end}.
+
 {validator, "is_ip", "value should be a valid IP address",
 fun(IpStr) ->
     Res = inet:parse_address(IpStr),

deps/rabbitmq_auth_backend_http/priv/schema/rabbitmq_auth_backend_http.schema

@@ -47,10 +47,10 @@ end}.
     {datatype, {enum, [true, false]}}]}.
 
 {mapping, "auth_http.ssl_options.cacertfile", "rabbitmq_auth_backend_http.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_http.ssl_options.certfile", "rabbitmq_auth_backend_http.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_http.ssl_options.cert", "rabbitmq_auth_backend_http.ssl_options.cert",
     [{datatype, string}]}.
@@ -104,7 +104,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "auth_http.ssl_options.keyfile", "rabbitmq_auth_backend_http.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_http.ssl_options.log_alert", "rabbitmq_auth_backend_http.ssl_options.log_alert",
     [{datatype, {enum, [true, false]}}]}.

deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema

@@ -227,10 +227,10 @@ end}.
     {datatype, {enum, [true, false]}}]}.
 
 {mapping, "auth_ldap.ssl_options.cacertfile", "rabbitmq_auth_backend_ldap.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_ldap.ssl_options.certfile", "rabbitmq_auth_backend_ldap.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_ldap.ssl_options.cert", "rabbitmq_auth_backend_ldap.ssl_options.cert",
     [{datatype, string}]}.
@@ -284,7 +284,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "auth_ldap.ssl_options.keyfile", "rabbitmq_auth_backend_ldap.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "auth_ldap.ssl_options.log_alert", "rabbitmq_auth_backend_ldap.ssl_options.log_alert",
     [{datatype, {enum, [true, false]}}]}.

deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema

@@ -362,10 +362,10 @@ end}.
 {datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.cacertfile", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.cacertfile",
-[{datatype, string}, {validators, ["file_accessible"]}]}.
+[{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.certfile", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.certfile",
-[{datatype, string}, {validators, ["file_accessible"]}]}.
+[{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.cert", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.cert",
 [{datatype, string}]}.
@@ -410,7 +410,7 @@ end
 end}.
 
 {mapping, "cluster_formation.consul.ssl_options.keyfile", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.keyfile",
-[{datatype, string}, {validators, ["file_accessible"]}]}.
+[{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.log_alert", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.log_alert",
 [{datatype, {enum, [true, false]}}]}.

deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema

@@ -183,10 +183,10 @@ end}.
     {datatype, {enum, [verify_peer, verify_none]}}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.cacertfile", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.certfile", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.cert", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.cert",
     [{datatype, string}]}.
@@ -220,7 +220,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.etcd.ssl_options.keyfile", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}]}.
+    [{datatype, string}, {validators, ["pem_file"]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.log_alert", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.log_alert",
     [{datatype, {enum, [true, false]}}]}.

deps/rabbitmq_peer_discovery_k8s/priv/schema/rabbitmq_peer_discovery_k8s.schema

@@ -115,7 +115,7 @@ end}.
 %% modern keys
 
 {mapping, "cluster_formation.k8s.tls.cacertfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.cacertfile",
-    [{datatype, string}, {validators, ["file_accessible"]}
+    [{datatype, string}, {validators, ["pem_file"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.cacertfile",
@@ -127,7 +127,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.k8s.tls.certfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.certfile",
-    [{datatype, string}, {validators, ["file_accessible"]}
+    [{datatype, string}, {validators, ["pem_file"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.certfile",
@@ -139,7 +139,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.k8s.tls.keyfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.keyfile",
-    [{datatype, string}, {validators, ["file_accessible"]}
+    [{datatype, string}, {validators, ["pem_file"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.keyfile",