[Questions] Cannot upgrade from v3.13 to v4.0 "bad_config_entry_decoder,missing_passphrase" due to a colon in a generated password #14233

Joren-Thijs-KasparSolutions · 2025-07-15T11:00:12Z

Joren-Thijs-KasparSolutions
Jul 15, 2025

Community Support Policy

I have read RabbitMQ's Community Support Policy
I run RabbitMQ 4.x, the only series currently covered by community support
I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.0.9

Erlang version used

27.3.x

Operating system (distribution) used

Linux

How is RabbitMQ deployed?

Kubernetes Operator(s) from Team RabbitMQ

rabbitmq-diagnostics status output

See https://www.rabbitmq.com/docs/cli to learn how to use rabbitmq-diagnostics

I couldn't run this on node 3 since it keeps crashin so I ran these commands on node 1.

rabbitmq-diagnostics status

rabbit-mq-server-0:/$ rabbitmq-diagnostics status
Status of node [email protected] ...
Runtime

OS PID: 11
OS: Linux
Uptime (seconds): 675
Is under maintenance?: false
RabbitMQ version: 3.13.7
RabbitMQ release series support status: see https://www.rabbitmq.com/release-information
Node name: [email protected]
Erlang configuration: Erlang/OTP 26 [erts-14.2.5.10] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]
Crypto library: OpenSSL 3.1.8 11 Feb 2025
Erlang processes: 874 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60

Plugins

Enabled plugin file: /operator/enabled_plugins
Enabled plugins:

 * rabbitmq_prometheus
 * rabbitmq_shovel_management
 * rabbitmq_federation
 * rabbitmq_peer_discovery_k8s
 * accept
 * rabbitmq_peer_discovery_common
 * rabbitmq_shovel
 * amqp10_client
 * prometheus
 * rabbitmq_management
 * rabbitmq_management_agent
 * rabbitmq_web_dispatch
 * amqp_client
 * cowboy
 * cowlib
 * oauth2_client
 * jose

Data directory

Node data directory: /var/lib/rabbitmq/mnesia/[email protected]
Raft data directory: /var/lib/rabbitmq/mnesia/[email protected]/quorum/[email protected]

Config files

 * /etc/rabbitmq/conf.d/10-defaults.conf
 * /etc/rabbitmq/conf.d/10-operatorDefaults.conf
 * /etc/rabbitmq/conf.d/11-default_user.conf
 * /etc/rabbitmq/conf.d/90-userDefinedConfiguration.conf

Log file(s)

 * <stdout>

Alarms

(none)

Memory

Total memory used: 0.1918 gb
Calculation strategy: rss
Memory high watermark setting: 0.4 of available memory, computed to: 1.3744 gb

reserved_unallocated: 0.0779 gb (40.64 %)
code: 0.0437 gb (22.78 %)
other_system: 0.0237 gb (12.38 %)
other_proc: 0.0178 gb (9.28 %)
quorum_queue_procs: 0.0176 gb (9.16 %)
binary: 0.0135 gb (7.05 %)
other_ets: 0.0042 gb (2.18 %)
plugins: 0.0034 gb (1.76 %)
atom: 0.0019 gb (0.97 %)
quorum_ets: 0.0013 gb (0.66 %)
connection_other: 0.0011 gb (0.6 %)
mgmt_db: 0.001 gb (0.5 %)
mnesia: 0.0008 gb (0.4 %)
metrics: 0.0008 gb (0.39 %)
connection_readers: 0.0003 gb (0.13 %)
connection_channels: 0.0002 gb (0.11 %)
msg_index: 0.0001 gb (0.07 %)
metadata_store: 0.0001 gb (0.05 %)
connection_writers: 0.0001 gb (0.03 %)
metadata_store_ets: 0.0 gb (0.02 %)
queue_procs: 0.0 gb (0.01 %)
quorum_queue_dlx_procs: 0.0 gb (0.0 %)
stream_queue_procs: 0.0 gb (0.0 %)
stream_queue_replica_reader_procs: 0.0 gb (0.0 %)
queue_slave_procs: 0.0 gb (0.0 %)
stream_queue_coordinator_procs: 0.0 gb (0.0 %)
allocated_unused: 0.0 gb (0.0 %)

File Descriptors

Total: 347, limit: 1048479
Sockets: 5, limit: 943629

Free Disk Space

Low free disk space watermark: 2.0 gb
Free disk space: 10.4411 gb

Totals

Connection count: 5
Queue count: 105
Virtual host count: 1

Listeners

Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

rabbitmq-diagnostics cluster_status

rabbit-mq-server-0:/$ rabbitmq-diagnostics cluster_status
Cluster status of node [email protected] ...
Basics

Cluster name: rabbit-mq
Total CPU cores available cluster-wide: 4

Disk Nodes

[email protected]
[email protected]
[email protected]

Running Nodes

[email protected]
[email protected]

Versions

[email protected]: RabbitMQ 3.13.7 on Erlang 26.2.5.13
[email protected]: RabbitMQ 3.13.7 on Erlang 26.2.5.13

CPU Cores

Node: [email protected], available CPU cores: 2
Node: [email protected], available CPU cores: 2

Maintenance status

Node: [email protected], status: not under maintenance
Node: [email protected], status: not under maintenance

Alarms

(none)

Network Partitions

(none)

Listeners

Node: [email protected], interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: [email protected], interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Node: [email protected], interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: [email protected], interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Node: [email protected], interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: [email protected], interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Node: [email protected], interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: [email protected], interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

Feature flags

Flag: classic_mirrored_queue_version, state: enabled
Flag: classic_queue_type_delivery_support, state: enabled
Flag: detailed_queues_endpoint, state: enabled
Flag: direct_exchange_routing_v2, state: enabled
Flag: drop_unroutable_metric, state: enabled
Flag: empty_basic_get_metric, state: enabled
Flag: feature_flags_v2, state: enabled
Flag: implicit_default_bindings, state: enabled
Flag: khepri_db, state: disabled
Flag: listener_records_in_ets, state: enabled
Flag: maintenance_mode_status, state: enabled
Flag: message_containers, state: enabled
Flag: message_containers_deaths_v2, state: enabled
Flag: quorum_queue, state: enabled
Flag: quorum_queue_non_voters, state: enabled
Flag: restart_streams, state: enabled
Flag: stream_filtering, state: enabled
Flag: stream_queue, state: enabled
Flag: stream_sac_coordinator_unblock_group, state: enabled
Flag: stream_single_active_consumer, state: enabled
Flag: stream_update_config_command, state: enabled
Flag: tracking_records_in_ets, state: enabled
Flag: user_limits, state: enabled
Flag: virtual_host_metadata, state: enabled

Logs from node 1 (with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# More QUEUE SETUP like below
2025-07-15 10:45:44.032155+00:00 [info] <0.1098.0> queue 'kaspar123_roger_bff_api_CreatePaymentHandler' in vhost '/': detected a new leader {'%2F_kaspar123_roger_bff_api_CreatePaymentHandler','[email protected]'} in term 113
2025-07-15 10:45:44.091681+00:00 [info] <0.1080.0> queue 'kaspar123_deed_servicebus_handlers_console_InformCustomerAboutDeedUpdate' in vhost '/': detected a new leader {'%2F_kaspar123_deed_servicebus_handlers_console_InformCustomerAboutDeedUpdate','[email protected]'} in term 181
2025-07-15 10:45:44.142501+00:00 [notice] <0.1122.0> queue 'kaspar123_invoicing_api_CreateMonthlyCustomerInvoices_error' in vhost '/': candidate -> leader in term: 133 machine version: 3
2025-07-15 10:45:44.150470+00:00 [notice] <0.1086.0> queue 'kaspar123_invoicing_api_CheckForExpiredCreditNotes' in vhost '/': candidate -> leader in term: 146 machine version: 3
2025-07-15 10:45:44.201938+00:00 [info] <0.270.0> Running boot step empty_db_check defined by app rabbit
2025-07-15 10:45:44.202064+00:00 [info] <0.270.0> Will not seed default virtual host and user: have definitions to load...
2025-07-15 10:45:44.202106+00:00 [info] <0.270.0> Running boot step rabbit_observer_cli defined by app rabbit
2025-07-15 10:45:44.202330+00:00 [info] <0.270.0> Running boot step rabbit_looking_glass defined by app rabbit
2025-07-15 10:45:44.202649+00:00 [info] <0.270.0> Running boot step rabbit_core_metrics_gc defined by app rabbit
2025-07-15 10:45:44.203277+00:00 [info] <0.270.0> Running boot step background_gc defined by app rabbit
2025-07-15 10:45:44.203605+00:00 [info] <0.270.0> Running boot step routing_ready defined by app rabbit
2025-07-15 10:45:44.203661+00:00 [info] <0.270.0> Running boot step pre_flight defined by app rabbit
2025-07-15 10:45:44.203693+00:00 [info] <0.270.0> Running boot step notify_cluster defined by app rabbit
2025-07-15 10:45:44.203979+00:00 [info] <0.270.0> Running boot step networking defined by app rabbit
2025-07-15 10:45:44.204010+00:00 [info] <0.270.0> Running boot step rabbit_quorum_queue_periodic_membership_reconciliation defined by app rabbit
2025-07-15 10:45:44.204406+00:00 [info] <0.270.0> Running boot step definition_import_worker_pool defined by app rabbit
2025-07-15 10:45:44.204719+00:00 [info] <0.650.0> Starting worker pool 'definition_import_pool' with 2 processes in it
2025-07-15 10:45:44.205499+00:00 [info] <0.794.0> rabbit on node '[email protected]' up
2025-07-15 10:45:44.205618+00:00 [info] <0.270.0> Running boot step cluster_name defined by app rabbit
2025-07-15 10:45:44.205710+00:00 [info] <0.270.0> Setting cluster name to 'rabbit-mq' as configured
2025-07-15 10:45:44.225597+00:00 [info] <0.270.0> Running boot step virtual_host_reconciliation defined by app rabbit
2025-07-15 10:45:44.231904+00:00 [info] <0.270.0> Running boot step direct_client defined by app rabbit
2025-07-15 10:45:44.233516+00:00 [info] <0.270.0> Running boot step rabbit_federation_exchange defined by app rabbitmq_federation
2025-07-15 10:45:44.237812+00:00 [info] <0.794.0> rabbit on node '[email protected]' up
2025-07-15 10:45:44.239750+00:00 [info] <0.270.0> Running boot step rabbit_management_load_definitions defined by app rabbitmq_management
2025-07-15 10:45:44.239903+00:00 [info] <0.1654.0> Resetting node maintenance status
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0> Deprecated features: `management_metrics_collection`: Feature `management_metrics_collection` is deprecated.
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0> By default, this feature can still be used for now.
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0> Its use will not be permitted by default in a future minor RabbitMQ version and the feature will be removed from a future major RabbitMQ version; actual versions to be determined.
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0> To continue using this feature when it is not permitted by default, set the following parameter in your configuration:
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0>     "deprecated_features.permit.management_metrics_collection = true"
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0> To test RabbitMQ as if the feature was removed, set this in your configuration:
2025-07-15 10:45:44.391705+00:00 [warning] <0.1683.0>     "deprecated_features.permit.management_metrics_collection = false"
2025-07-15 10:45:46.586621+00:00 [info] <0.1720.0> Management plugin: HTTP (non-TLS) listener started on port 15672
2025-07-15 10:45:46.586742+00:00 [info] <0.1812.0> Statistics database started.
2025-07-15 10:45:46.587113+00:00 [info] <0.1811.0> Starting worker pool 'management_worker_pool' with 3 processes in it
2025-07-15 10:45:46.600304+00:00 [info] <0.1839.0> Peer discovery: node cleanup is disabled
2025-07-15 10:45:46.603222+00:00 [info] <0.1853.0> Prometheus metrics: HTTP (non-TLS) listener started on port 15692
2025-07-15 10:45:46.603445+00:00 [info] <0.1654.0> Ready to start client connection listeners
2025-07-15 10:45:46.614949+00:00 [info[] <0.1897.0> started TCP listener on [::]:5672
 completed with 9 plugins.
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0> Server startup complete; 9 plugins started.
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_prometheus
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_shovel_management
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_federation
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_peer_discovery_k8s
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_peer_discovery_common
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_shovel
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_management
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_management_agent
2025-07-15 10:45:46.702304+00:00 [info] <0.1654.0>  * rabbitmq_web_dispatch
2025-07-15 10:45:46.858812+00:00 [info] <0.9.0> Time to start RabbitMQ: 10031 ms

# More QUEUE info
# Migration of node 3 starts here

2025-07-15 10:48:21.951175+00:00 [notice] <0.952.0> queue 'kaspar123_determination_service_api_RejectDeterminationHandler' in vhost '/': candidate -> leader in term: 138 machine version: 3                                                                                                                               │
│ 2025-07-15 10:48:27.891960+00:00 [info] <0.8331.0> accepting AMQP connection <0.8331.0> (172.16.34.198:43076 -> 172.16.34.198:5672)                                                                                                                                                                                        │
│ 2025-07-15 10:48:28.317798+00:00 [info] <0.8334.0> accepting AMQP connection <0.8334.0> (172.16.34.198:43086 -> 172.16.34.198:5672)                                                                                                                                                                                        │
│ 2025-07-15 10:48:28.322198+00:00 [info] <0.8334.0> connection <0.8334.0> (172.16.34.198:43086 -> 172.16.34.198:5672) has a client-provided name: Kaspar123.Roger.Bff.Api.Internal                                                                                                                                          │
│ 2025-07-15 10:48:28.324911+00:00 [info] <0.8334.0> connection <0.8334.0> (172.16.34.198:43086 -> 172.16.34.198:5672 - Kaspar123.Roger.Bff.Api.Internal): user 'ruser' authenticated and granted access to vhost '/'                                                                                                        │
│ 2025-07-15 10:48:28.684792+00:00 [info] <0.8460.0> accepting AMQP connection <0.8460.0> (172.16.34.198:43102 -> 172.16.34.198:5672)                                                                                                                                                                                        │
│ 2025-07-15 10:48:28.686541+00:00 [info] <0.8460.0> connection <0.8460.0> (172.16.34.198:43102 -> 172.16.34.198:5672) has a client-provided name: Kaspar123.Invoicing.Api                                                                                                                                                   │
│ 2025-07-15 10:48:28.688475+00:00 [info] <0.8460.0> connection <0.8460.0> (172.16.34.198:43102 -> 172.16.34.198:5672 - Kaspar123.Invoicing.Api): user 'ruser' authenticated and granted access to vhost '/'                                                                                                                 │
│ 2025-07-15 10:48:28.705338+00:00 [info] <0.8331.0> connection <0.8331.0> (172.16.34.198:43076 -> 172.16.34.198:5672) has a client-provided name: Kaspar123.Roger.Bff.Api                                                                                                                                                   │
│ 2025-07-15 10:48:28.707716+00:00 [info] <0.8331.0> connection <0.8331.0> (172.16.34.198:43076 -> 172.16.34.198:5672 - Kaspar123.Roger.Bff.Api): user 'ruser' authenticated and granted access to vhost '/'                                                                                                                 │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0> Deprecated features: `transient_nonexcl_queues`: Feature `transient_nonexcl_queues` is deprecated.                                                                                                                                                                   │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0> By default, this feature can still be used for now.                                                                                                                                                                                                                  │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0> Its use will not be permitted by default in a future minor RabbitMQ version and the feature will be removed from a future major RabbitMQ version; actual versions to be determined.                                                                                  │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0> To continue using this feature when it is not permitted by default, set the following parameter in your configuration:                                                                                                                                               │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0>     "deprecated_features.permit.transient_nonexcl_queues = true"                                                                                                                                                                                                     │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0> To test RabbitMQ as if the feature was removed, set this in your configuration:                                                                                                                                                                                      │
│ 2025-07-15 10:48:29.706401+00:00 [warning] <0.8479.0>     "deprecated_features.permit.transient_nonexcl_queues = false"                                                                                                                                                                                                    │
│ 2025-07-15 10:48:52.263505+00:00 [info] <0.9443.0> accepting AMQP connection <0.9443.0> (172.16.34.198:58094 -> 172.16.34.198:5672)                                                                                                                                                                                        │
│ 2025-07-15 10:48:52.267099+00:00 [info] <0.9443.0> connection <0.9443.0> (172.16.34.198:58094 -> 172.16.34.198:5672) has a client-provided name: Kaspar123.CaseAdmin.Bff.Api                                                                                                                                               │
│ 2025-07-15 10:48:52.269302+00:00 [info] <0.9443.0> connection <0.9443.0> (172.16.34.198:58094 -> 172.16.34.198:5672 - Kaspar123.CaseAdmin.Bff.Api): user 'ruser' authenticated and granted access to vhost '/'                                                                                                             │
│ 2025-07-15 10:48:52.276938+00:00 [info] <0.9466.0> accepting AMQP connection <0.9466.0> (172.16.34.198:58106 -> 172.16.34.198:5672)                                                                                                                                                                                        │
│ 2025-07-15 10:48:52.278437+00:00 [info] <0.9466.0> connection <0.9466.0> (172.16.34.198:58106 -> 172.16.34.198:5672) has a client-provided name: Kaspar123.Deed.Api                                                                                                                                                        │
│ 2025-07-15 10:48:52.280701+00:00 [info] <0.9466.0> connection <0.9466.0> (172.16.34.198:58106 -> 172.16.34.198:5672 - Kaspar123.Deed.Api): user 'ruser' authenticated and granted access to vhost '/'

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# More Logs about QUEUE'S
#Migration of Node 3 starts here

2025-07-15 10:48:21.930585+00:00 [info] <0.937.0> {'%2F_kaspar123_determination_service_api_RejectDeterminationHandler','[email protected]'}: granting vote for {'%2F_kaspar123_determination_service_api_RejectDeterminationHandler','[email protected] │
│ spar123-test'} with last indexterm {346,136} for term 138 previous term was 138                                                                                                                                                                                                                                            │
│ 2025-07-15 10:48:21.952254+00:00 [info] <0.937.0> {'%2F_kaspar123_determination_service_api_RejectDeterminationHandler','[email protected]'}: detected a new leader {'%2F_kaspar123_determination_service_api_RejectDeterminationHandler','[email protected] │
│ s.kaspar123-test'} in term 138                                                                                                                                                                                                                                                                                             │
│ 2025-07-15 10:48:22.271390+00:00 [info] <0.12360.0> accepting AMQP connection <0.12360.0> (172.16.35.178:51486 -> 172.16.35.178:5672)                                                                                                                                                                                      │
│ 2025-07-15 10:48:22.283224+00:00 [info] <0.12363.0> accepting AMQP connection <0.12363.0> (172.16.35.178:51498 -> 172.16.35.178:5672)                                                                                                                                                                                      │
│ 2025-07-15 10:48:22.283571+00:00 [info] <0.12366.0> accepting AMQP connection <0.12366.0> (172.16.35.178:51506 -> 172.16.35.178:5672)                                                                                                                                                                                      │
│ 2025-07-15 10:48:22.284697+00:00 [info] <0.12366.0> connection <0.12366.0> (172.16.35.178:51506 -> 172.16.35.178:5672) has a client-provided name: Kaspar123.Deed.Servicebus.Handlers.Console                                                                                                                              │
│ 2025-07-15 10:48:22.285881+00:00 [info] <0.12366.0> connection <0.12366.0> (172.16.35.178:51506 -> 172.16.35.178:5672 - Kaspar123.Deed.Servicebus.Handlers.Console): user 'ruser' authenticated and granted access to vhost '/'                                                                                            │
│ 2025-07-15 10:48:23.267538+00:00 [info] <0.12360.0> connection <0.12360.0> (172.16.35.178:51486 -> 172.16.35.178:5672) has a client-provided name: Kaspar123.Signing.Servicebus.Handlers.Console                                                                                                                           │
│ 2025-07-15 10:48:23.269173+00:00 [info] <0.12360.0> connection <0.12360.0> (172.16.35.178:51486 -> 172.16.35.178:5672 - Kaspar123.Signing.Servicebus.Handlers.Console): user 'ruser' authenticated and granted access to vhost '/'                                                                                         │
│ 2025-07-15 10:48:23.272039+00:00 [info] <0.12363.0> connection <0.12363.0> (172.16.35.178:51498 -> 172.16.35.178:5672) has a client-provided name: Kaspar123.Customer.Servicebus.Handlers.Console                                                                                                                          │
│ 2025-07-15 10:48:23.274559+00:00 [info] <0.12363.0> connection <0.12363.0> (172.16.35.178:51498 -> 172.16.35.178:5672 - Kaspar123.Customer.Servicebus.Handlers.Console): user 'ruser' authenticated and granted access to vhost '/'                                                                                        │
│ 2025-07-15 10:48:28.180468+00:00 [info] <0.12659.0> accepting AMQP connection <0.12659.0> (172.16.35.178:51520 -> 172.16.35.178:5672)                                                                                                                                                                                      │
│ 2025-07-15 10:48:28.182267+00:00 [info] <0.12659.0> connection <0.12659.0> (172.16.35.178:51520 -> 172.16.35.178:5672) has a client-provided name: Kaspar123.ProductCatalogue.Servicebus.Handlers.Console                                                                                                                  │
│ 2025-07-15 10:48:28.183751+00:00 [info] <0.12659.0> connection <0.12659.0> (172.16.35.178:51520 -> 172.16.35.178:5672 - Kaspar123.ProductCatalogue.Servicebus.Handlers.Console): user 'ruser' authenticated and granted access to vhost '/'

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

=INFO REPORT==== 15-Jul-2025::07:18:23.665360 ===
    alarm_handler: {set,{system_memory_high_watermark,[]}}

BOOT FAILED
===========
Exception during startup:

throw:{bad_config_entry_decoder,missing_passphrase}

    rabbit_prelaunch_conf:decrypt_app/3, line 514
    rabbit_prelaunch_conf:decrypt_config/2, line 494
    rabbit_prelaunch_conf:setup/1, line 59
    rabbit_prelaunch:do_run/0, line 113
    rabbit_prelaunch:run_prelaunch_first_phase/0, line 32
    supervisor:do_start_child_i/3, line 959
    supervisor:do_start_child/3, line 945
    supervisor:-start_children/2-fun-0-/3, line 929

2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> 
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> BOOT FAILED
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> ===========
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> Exception during startup:
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> 
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> throw:{bad_config_entry_decoder,missing_passphrase}
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> 
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     rabbit_prelaunch_conf:decrypt_app/3, line 514
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     rabbit_prelaunch_conf:decrypt_config/2, line 494
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     rabbit_prelaunch_conf:setup/1, line 59
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     rabbit_prelaunch:do_run/0, line 113
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     rabbit_prelaunch:run_prelaunch_first_phase/0, line 32
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     supervisor:do_start_child_i/3, line 959
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     supervisor:do_start_child/3, line 945
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0>     supervisor:-start_children/2-fun-0-/3, line 929
2025-07-15 07:18:24.599845+00:00 [error] <0.153.0> 
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>     supervisor: {local,rabbit_prelaunch_sup}
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>     errorContext: start_error
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>     reason: {bad_config_entry_decoder,missing_passphrase}
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>     offender: [{pid,undefined},
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>                {id,prelaunch},
2025-07-15 07:18:25.614599+00:00 [error[] <0.153.0>                {mfargs,{rabbit_prelaunch,run_prelaunch_first_phase,]}},
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>                {restart_type,transient},
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>                {significant,false},
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>                {shutdown,5000},
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0>                {child_type,worker}]
2025-07-15 07:18:25.614599+00:00 [error] <0.153.0> 
2025-07-15 07:18:25.615180+00:00 [notice[] <0.45.0> Application rabbitmq_prelaunch exited with reason: {{shutdown,{failed_to_start_child,prelaunch,{bad_config_entry_decoder,missing_passphrase}}},{rabbit_prelaunch_app,start,[normal,[]]}}
{exit,terminating,[{application_controller,call,2,[{file,"application_controller.erl"},{line,511}]},{application,'-ensure_all_started/3-lc$^0/1-0-',1,[{file,"application.erl"},{line,367}]},{application,ensure_all_started,3,[{file,"application.erl"},{line,367}]},{rabbit,'-start_it/1-fun-0-',1,[{file,"rabbit.erl"},{line,423}]},{timer,tc,2,[{file,"timer.erl"},{line,595}]},{rabbit,start_it,1,[{file,"rabbit.erl"},{line,421}]},{init,start_it,1,[]},{init,start_em,1,]}]}
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>   crasher:
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     initial call: application_master:init/3
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     pid: <0.151.0>
2025-07-15 07:18:25.615961+00:00 [error[] <0.151.0>     registered_name: ]
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     exception exit: {{shutdown,
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>                          {failed_to_start_child,prelaunch,
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>                              {bad_config_entry_decoder,missing_passphrase}}},
2025-07-15 07:18:25.615961+00:00 [error[] <0.151.0>                      {rabbit_prelaunch_app,start,[normal,[]]}}
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>       in function  application_master:init/3 (application_master.erl, line 143)
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     ancestors: [application_controller,<0.10.0>]
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     message_queue_len: 1
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     messages: [{'EXIT',<0.152.0>,normal}]
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     links: [<0.45.0>]
2025-07-15 07:18:25.615961+00:00 [error[] <0.151.0>     dictionary: ]
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     trap_exit: true
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     status: running
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     heap_size: 233
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     stack_size: 29
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>     reductions: 68
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0>   neighbours:
2025-07-15 07:18:25.615961+00:00 [error] <0.151.0> 
2025-07-15 07:18:25.629024+00:00 [notice] <0.84.0>     alarm_handler: {clear,system_memory_high_watermark}
Kernel pid terminated (application_controller) ("{application_start_failure,rabbitmq_prelaunch,{{shutdown,{failed_to_start_child,prelaunch,{bad_config_entry_decoder,missing_passphrase}}},{rabbit_prelaunch_app,start,[normal,[]]}}}")

stream closed EOF for kaspar123-test/rabbit-mq-server-2 (rabbitmq)

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

rabbit-mq-server-2:/$ ls /etc/rabbitmq/conf.d/
10-defaults.conf                  10-operatorDefaults.conf          11-default_user.conf              90-userDefinedConfiguration.conf

10-defaults.conf

## DEFAULT SETTINGS ARE NOT MEANT TO BE TAKEN STRAIGHT INTO PRODUCTION
## see https://www.rabbitmq.com/configure.html for further information
## on configuring RabbitMQ

## allow access to the guest user from anywhere on the network
## https://www.rabbitmq.com/access-control.html#loopback-users
## https://www.rabbitmq.com/production-checklist.html#users
loopback_users.guest = false

## Send all logs to stdout/TTY. Necessary to see logs when running via
## a container
log.console = true

10-operatorDefaults.conf

queue_master_locator                       = min-masters
disk_free_limit.absolute                   = 2GB
cluster_partition_handling                 = pause_minority
cluster_formation.peer_discovery_backend   = rabbit_peer_discovery_k8s
cluster_formation.k8s.host                 = kubernetes.default
cluster_formation.k8s.address_type         = hostname
cluster_formation.target_cluster_size_hint = 3
cluster_name                               = rabbit-mq
auth_mechanisms.1                          = PLAIN
auth_mechanisms.2                          = AMQPLAIN

11-default_user.conf

default_user = ruser
default_pass = {MySecretPassword}

90-userDefinedConfiguration.conf

total_memory_available_override_value = 3435973837
management.path_prefix                = /rmq-mgmt

Steps to deploy RabbitMQ cluster

Our RabbitMQ cluster is controlled by A rabbitMQ operator on kubernetes. We specify the version of RabbitMQ we want and the required plugins. Then the operator will perform a Rolling upgrade of each Rabbitmq node until each node in the cluster has the same version. The operator config is a yaml file that is applied to the AKS cluster by a Azure Release pipeline. The pipeline uses the kubectl apply command.

Steps to reproduce the behavior in question

Currrently the cluster is running v3.13. When I upgrade the cluster operator config to use Rabbitmq:4.0-management-alpine, the first node is upgraded but fails to start due to a throw:{bad_config_entry_decoder,missing_passphrase} Error.

advanced.config

N/A

Application code

N/A

Kubernetes deployment file

apiVersion: v1
metadata:
  name: rabbit-mq-default-user
data:
  default_user.conf: ${default_user_conf_b64}$
  username: ${rabbitmq_username_b64}$
  password: ${rabbitmq_password_b64}$
  provider: cmFiYml0bXE= # base64 encoded 'rabbitmq' is always the same
  type: cmFiYml0bXE= # base64 encoded 'rabbitmq' is always the same
kind: Secret
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rabbit-mq
  labels:
    app: rabbit-mq
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
        - ${HOSTNAME}$
      secretName: common-tls-secret
  rules:
    - host: ${HOSTNAME}$
      http:
        paths:
          - path: /rmq-mgmt
            pathType: Prefix
            backend:
              service:
                name: rabbit-mq
                port:
                  number: 15672
---
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: rabbit-mq
spec:
  resources:
    requests:
      cpu: 1
      memory: 4Gi
    limits:
      cpu: 2
      memory: 4Gi
  image: rabbitmq:4.0-management-alpine # We pin the minor version to avoid feature-flags conflicts between nodes in a cluster. See https://www.rabbitmq.com/feature-flags.html
  replicas: 3 # Must be an odd number, see https://www.rabbitmq.com/clustering.html#node-count
  override:
    statefulSet:
      spec:
        template:
          metadata:
            annotations:
              config.linkerd.io/default-inbound-policy: all-unauthenticated
              co.elastic.metrics/module: rabbitmq
              co.elastic.metrics/hosts: "${data.host}:15672/rmq-mgmt"
              co.elastic.metrics/metricsets: "node, queue"
              co.elastic.metrics/period: 180s
              co.elastic.metrics/username: ${kubernetes.${k8s-namespace}$.rabbit-mq-default-user.username}
              co.elastic.metrics/password: ${kubernetes.${k8s-namespace}$.rabbit-mq-default-user.password}
  rabbitmq:
    additionalConfig: |
      management.path_prefix = /rmq-mgmt
    additionalPlugins:
      - rabbitmq_shovel
      - rabbitmq_shovel_management
      - rabbitmq_delayed_message_exchange

What problem are you trying to solve?

I am currently running upgrades to update our RabbitMQ clusters on k8s from 3.11 to the latest 4.1.
We have multiple environments dev, test and prod.

I upgraded RabbitMQ on our dev environment from version v3.11 to v4.1 without any issues. Upgrading one version at a time and enabling all stable feature flags in the management UI before proceeding.

Now I am repeating the same steps on our Test environement using the same configuration.
But when I try to upgrade from v3.13 to v4.0 RabbitMQ fails to start with the following error:

throw:{bad_config_entry_decoder,missing_passphrase} (See logs from node 3)

I looked around but couldn't find any other user who ran into that error.
When I downgrade the cluster back to v3.13 the failing nodes starts back up as a v3.13 node without any issues. All stable feature flags are enabled in the Management UI:

Can anyone please help?

Answered by Joren-Thijs-KasparSolutions

Aug 9, 2025

Found it! It turned out the Randomly generated password we use for RabbitMQ had a : character in it (MyPass:w0rd). Since v4.0 this causes RabbitMQ to think it has encountered an encrypted value. Rotating the passwords without special characters fixed the issue.

View full answer

lukebakken · 2025-07-15T13:51:39Z

lukebakken
Jul 15, 2025
Maintainer

{bad_config_entry_decoder,missing_passphrase}

That error means that a configuration file is using an encrypted secret, and when RabbitMQ starts, the passphrase is not being provided.

Since you have one environment that upgraded successfully, and one that didn't, you must very carefully determine what is different between the two environments.

I would start by examining / diffing the configuration in each cluster's running containers. I'm not 100% certain on k8s, but RabbitMQ configs usually live in /etc/rabbitmq. Be sure to check rabbitmq.conf and advanced.config.

8 replies

michaelklishin Jul 17, 2025
Maintainer

{config_entry_decoder,[{passphrase,undefined}]},

confirms that the passphrase for encrypted value decoding is not configured.

We will not suggest anything more for 3.13.x, a series out of community support.

Joren-Thijs-KasparSolutions Jul 18, 2025
Author

I am not asking for 3.13.x. The error on startup happens on a supported 4.x version that I am trying to upgrade too. And my currently supported 4.1 dev cluster that I did upgrade also has the passphrase for encrypted value decoding not configured. So why does it work on A but not on B? Is there a way to tell rabbitmq to ignore it? And can I add a passphrase later to a previously unencrypted version or will that cause problems?

michaelklishin Jul 18, 2025
Maintainer

Not using {encrypted, …} values should be enough. The exception is thrown in rabbit_prelaunch_conf:config_entry_decoder_to_algo/1, a function that's only called before a encrypted value is decrypted:

decrypt({encrypted, _} = EncValue,
        {Cipher, Hash, Iterations, PassPhrase} = Algo) ->
    {rabbit_pbe:decrypt_term(Cipher, Hash, Iterations, PassPhrase, EncValue),
     Algo};
decrypt({encrypted, _} = EncValue,
        ConfigEntryDecoder)
  when is_list(ConfigEntryDecoder) ->
    Algo = config_entry_decoder_to_algo(ConfigEntryDecoder),
    decrypt(EncValue, Algo);
decrypt(List, Algo) when is_list(List) ->
    decrypt_list(List, Algo, []);
decrypt(Value, Algo) ->
    {Value, Algo}.

In rabbitmq.conf, {encrypted, Value} values have the form of encrypted:Value. I doubt that it can be a result of a randomly generated string.

Joren-Thijs-KasparSolutions Aug 9, 2025
Author

Found it! It turned out the Randomly generated password we use for RabbitMQ had a : character in it (MyPass:w0rd). Since v4.0 this causes RabbitMQ to think it has encountered an encrypted value. Rotating the passwords without special characters fixed the issue.

Answer selected by Joren-Thijs-KasparSolutions

michaelklishin Aug 10, 2025
Maintainer

Thank you, even value escaping wouldn't have helped here (the parser considers the single quotes after parsing the {previs}: part.

I have documented this behavior explicitly.

michaelklishin Aug 10, 2025
Maintainer

Kyorai/cuttlefish#56

michaelklishin Aug 11, 2025
Maintainer

Kyorai/cuttlefish#57

michaelklishin · 2025-08-11T02:19:06Z

michaelklishin
Aug 11, 2025
Maintainer

This limitation will addressed in Cuttlefish 3.5.0 that is currently expected to ship in RabbitMQ 4.2.0 and 4.1.4.

0 replies

[Questions] Cannot upgrade from v3.13 to v4.0 "bad_config_entry_decoder,missing_passphrase" due to a colon in a generated password #14233

Uh oh!

Uh oh!

Joren-Thijs-KasparSolutions Jul 15, 2025

Community Support Policy

RabbitMQ version used

Erlang version used

Operating system (distribution) used

How is RabbitMQ deployed?

rabbitmq-diagnostics status output

rabbitmq-diagnostics status

rabbitmq-diagnostics cluster_status

Logs from node 1 (with sensitive values edited out)

Logs from node 2 (if applicable, with sensitive values edited out)

Logs from node 3 (if applicable, with sensitive values edited out)

rabbitmq.conf

10-defaults.conf

10-operatorDefaults.conf

11-default_user.conf

90-userDefinedConfiguration.conf

Steps to deploy RabbitMQ cluster

Steps to reproduce the behavior in question

advanced.config

Application code

Kubernetes deployment file

What problem are you trying to solve?

Replies: 2 comments · 8 replies

Uh oh!

lukebakken Jul 15, 2025 Maintainer

Uh oh!

michaelklishin Jul 17, 2025 Maintainer

Uh oh!

Joren-Thijs-KasparSolutions Jul 18, 2025 Author

Uh oh!

michaelklishin Jul 18, 2025 Maintainer

Uh oh!

Uh oh!

Joren-Thijs-KasparSolutions Aug 9, 2025 Author

Uh oh!

Uh oh!

michaelklishin Aug 10, 2025 Maintainer

Uh oh!

michaelklishin Aug 10, 2025 Maintainer

Uh oh!

michaelklishin Aug 11, 2025 Maintainer

Uh oh!

michaelklishin Aug 11, 2025 Maintainer

Joren-Thijs-KasparSolutions
Jul 15, 2025

Replies: 2 comments 8 replies

lukebakken
Jul 15, 2025
Maintainer

michaelklishin Jul 17, 2025
Maintainer

Joren-Thijs-KasparSolutions Jul 18, 2025
Author

michaelklishin Jul 18, 2025
Maintainer

Joren-Thijs-KasparSolutions Aug 9, 2025
Author

michaelklishin Aug 10, 2025
Maintainer

michaelklishin Aug 10, 2025
Maintainer

michaelklishin Aug 11, 2025
Maintainer

michaelklishin
Aug 11, 2025
Maintainer