FreeKB - RabbitMQ SSL/TLS
RabbitMQ - SSL/TLS

By enabling SSL, you should be able to access the RabbitMQ web console over HTTPS.

 

The RabbitMQ configuration file, which by default is located at /etc/rabbitmq/rabbitmq.conf (Erlang format) or /etc/rabbitmq/rabbitmq.config (INI format), will list the SSL directives.

If the conf file is in the INI format, something like this should be displayed.

ssl_options.cacertfile = /var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem
ssl_options.certfile   = /var/lib/rabbitmq/config/certs/server_certificate.pem
ssl_options.keyfile    = /var/lib/rabbitmq/config/certs/server_key.pem
ssl_options.password   = itsasecret
ssl_options.versions.1 = tlsv1.2
management.ssl.port    = 15671
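The directives above are the ones worth checking before a broker goes live. The following is an added example (not part of the original page or of RabbitMQ itself) that parses an INI-style rabbitmq.conf and flags the weak settings a reviewer looks for: a cleartext key password, a TLS version below 1.2, and missing peer verification. The sample configuration is constructed from the page's directives plus one weak version line; the `encrypted:` prefix used to recognise an encoded password is an assumption about the INI format.

```python
"""Lint the TLS directives of an INI-style rabbitmq.conf for weak settings."""

# Constructed sample based on the page's directives, plus one weak version to flag.
SAMPLE_CONF = """\
ssl_options.cacertfile = /var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem
ssl_options.certfile   = /var/lib/rabbitmq/config/certs/server_certificate.pem
ssl_options.keyfile    = /var/lib/rabbitmq/config/certs/server_key.pem
ssl_options.password   = itsasecret
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1
management.ssl.port    = 15671
"""

WEAK_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}


def parse_conf(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def lint_tls(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        if key not in conf:
            findings.append(f"{key} is not set")
    # Key passphrase in the clear; 'encrypted:' is the assumed marker for a
    # value produced by 'rabbitmqctl encode' in this format.
    password = conf.get("ssl_options.password")
    if password and not password.startswith("encrypted:"):
        findings.append("ssl_options.password is stored in cleartext")
    for key, value in conf.items():
        if key.startswith("ssl_options.versions.") and value.lower() in WEAK_VERSIONS:
            findings.append(f"{key} enables weak protocol {value}")
    # Without both of these the broker does not require a client certificate.
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer")
    if conf.get("ssl_options.fail_if_no_peer_cert", "").lower() != "true":
        findings.append("ssl_options.fail_if_no_peer_cert is not true")
    return findings
```

Run `lint_tls(parse_conf(open("/etc/rabbitmq/rabbitmq.conf").read()))` against a real file; the sample above yields four findings.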

 

If the rabbitmq.conf file is in Erlang format, and SSL is disabled, something like this should be defined.

{use_ssl, false}

 

On the other hand, if SSL is enabled, something like this should be defined.

[
  {rabbit, [{ssl_options, [{cacertfile,           "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
                           {certfile,             "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
                           {keyfile,              "/var/lib/rabbitmq/config/certs/server_key.pem"},
                           {password,             "itsasecret"},
                           {verify,               verify_peer},
                           {fail_if_no_peer_cert, true}]}]}
].

 

If you have 2 or more nodes clustered, the /etc/rabbitmq/rabbitmq-env.conf file should contain something like this. Notice in this example a reference to a file named ssl_dist.config. This file name can be unique, and does not have to be ssl_dist.config. The file must be readable by the rabbitmq user.

SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH
  -proto_dist inet_tls
  -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config"

CTL_ERL_ARGS="-pa $ERL_SSL_PATH
  -proto_dist inet_tls
  -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config"

 

The -ssl_dist_optfile, which is ssl_dist.config in this example, should contain something like this.

[
  {server, [
    {cacertfile, "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
    {certfile, "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
    {keyfile,  "/var/lib/rabbitmq/config/certs/server_key.pem"},
    {password, "itsasecret"},
    {secure_renegotiate, true},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true}
  ]},
  {client, [
    {cacertfile, "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
    {certfile, "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
    {keyfile, "/var/lib/rabbitmq/config/certs/server_key.pem"},
    {password, "itsasecret"},
    {secure_renegotiate, true},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true}
  ]}
].

 

The cat command (on Linux) can be used to view the content of each certificate file, which should return something like this.

]# cat certificate.pem
-----BEGIN CERTIFICATE-----
MIIG2zCCBcOgAwIBAgITFwAFD6 . . .
-----END CERTIFICATE-----

 

The openssl command with the x509 subcommand and the -text and -noout options can be used to view the decoded certificate data (subject, issuer, validity dates, SANs).

openssl x509 -text -noout -in certificate.pem

 

The rabbitmqctl encode command can be used to create an encrypted version of the password. In this example, the string "itsasecret" is encrypted, using 'foo' as the passphrase that will later decrypt it.

rabbitmqctl encode itsasecret foo

 

Something like this should be returned.

Encrypting value ...
{encrypted,<<"T/pCGSrOlDkpnBvUA6mOPe2aTj8UMDZKtB9FIgm0r6ql8QgroXQkaEnejuRNrKms">>}

 

The rabbitmq.conf file can then be updated to use the encrypted string. Notice that this does not remove cleartext secrets from the file: "itsasecret" is replaced by the encrypted value, but the passphrase "foo" that decrypts it is itself stored in cleartext in the same configuration file.

[
  {rabbit, [{ssl_options, [{cacertfile,           "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
                           {certfile,             "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
                           {keyfile,              "/var/lib/rabbitmq/config/certs/server_key.pem"},
                           {password,             {encrypted, <<"T/pCGSrOlDkpnBvUA6mOPe2aTj8UMDZKtB9FIgm0r6ql8QgroXQkaEnejuRNrKms">>}},
                           {verify,               verify_peer},
                           {fail_if_no_peer_cert, true}]}]},
  {config_entry_decoder, [
    {passphrase, <<"foo">>}
  ]}
].

 

 

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |