Configuring RabbitMQ to use SSL will make it so that:

• HTTPS can be used with the RabbitMQ web admin console
• The AMQPS protocol can be used when making an AMQ connection to RabbitMQ
• SSL is used when using the RabbitMQ CLI tools, such as the rabbitmqctl command

For example, after RabbitMQ has been configured to use SSL, you should be able to access the RabbitMQ web console over HTTPS.

The RabbitMQ configuration file, which by default is located at /etc/rabbitmq/rabbitmq.conf (Erlang format) or /etc/rabbitmq/rabbitmq.config (INI format), will list the SSL directives.

If the conf file in in the INI format, something like this should be displayed.

ssl_options.cacertfile = /var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem
ssl_options.certfile   = /var/lib/rabbitmq/config/certs/server_certificate.pem
ssl_options.keyfile    = /var/lib/rabbitmq/config/certs/server_key.pem
ssl_options.password   = itsasecret
ssl_options.versions.1 = tlsv1.2
management.ssl.port    = 15671

If the rabbitmq.conf file is in Erlang format, and SSL is disabled, something like this should be defined.

{use_ssl, false}

On the other hand, if SSL is enabled, something like this should be defined.

[
  {rabbit, [{ssl_options, [{cacertfile,           "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
                           {certfile,             "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
                           {keyfile,              "/var/lib/rabbitmq/config/certs/server_key.pem"},
                           {password,             "itsasecret"},
                           {verify,               verify_peer},
                           {fail_if_no_peer_cert, true}]}]}
].

If you have 2 or more nodes clustered, the /etc/rabbitmq/rabbitmq-env.conf file should contain something like this. Notice in this example a reference to a file named ssl_dist.config. This file name can be unique, and does not have to be ssl_dist.config. The file must be readable by the rabbitmq user.

SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH
  -proto_dist inet_tls
  -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config"

CTL_ERL_ARGS="-pa $ERL_SSL_PATH
  -proto_dist inet_tls
  -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config"

The -ssl_dist_optfile, which is ssl_dist.config in this example, should contain something like this.

[
  {server, [
    {cacertfile, "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
    {certfile, "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
    {keyfile,  "/var/lib/rabbitmq/config/certs/server_key.pem"},
    {password, "itsasecret"},
    {secure_renegotiate, true},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true}
  ]},
  {client, [
    {cacertfile, "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
    {certfile, "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
    {keyfile, "/var/lib/rabbitmq/config/certs/server_key.pem"},
    {password, "itsasecret"},
    {secure_renegotiate, true},
    {verify, verify_peer},
    {fail_if_no_peer_cert, true}
  ]}
].

The cat command (on Linux) can be used to view the content of each certificate file, which should return something like this.

]# cat certificate.pem
-----BEGIN CERTIFICATE-----
MIIG2zCCBcOgAwIBAgITFwAFD6 . . .
-----END CERTIFICATE-----

The openssl command with the X509, -text, and -noout options can be used to view the actual certificate data.

openssl x509 -text -noout -in certificate.pem

The rabbitmqctl encode command can be used to created an encoded version of the password. In this example, the string "itsasecret" is encoded, using 'foo' as the passphrase for the encoded string.

rabbitmqctl encode itsasecret foo

Something like this should be returned.

Encrypting value ...
{encrypted,<<"T/pCGSrOlDkpnBvUA6mOPe2aTj8UMDZKtB9FIgm0r6ql8QgroXQkaEnejuRNrKms">>}

The rabbitmq.conf file can then be updated to use the encoded string. Notice that this does not remove cleartext passwords, as this simply replaces "itsasecret" with "foo" in the configuration file.

[
  {rabbit, [{ssl_options, [{cacertfile,           "/var/lib/rabbitmq/config/certs/ca_certificate_bundle.pem"},
                           {certfile,             "/var/lib/rabbitmq/config/certs/server_certificate.pem"},
                           {keyfile,              "/var/lib/rabbitmq/config/certs/server_key.pem"},
                           {password,             "itsasecret"},
                             {encrypted, "T/pCGSrOlDkpnBvUA6mOPe2aTj8UMDZKtB9FIgm0r6ql8QgroXQkaEnejuRNrKms"}
                           {verify,               verify_peer},
                           {fail_if_no_peer_cert, true}]}]},
  {config_entry_decoder, [
    {passphrase, "foo"}
   ]
  }
].

When updating the certificate files (e.g. server_certificate.pem, ca_certificate_bundle.pem) with a new certificate, you will need to restart the RabbitMQ service for this change to take effect so that the RabbitMQ web browser console is using the new certificate.