U1.19 Ubuntu Quick Start (QS): RabbitMq Enable TLS for Inter node Communication and CLI tools - chempkovsky/CS2WPF-and-CS2XAMARIN GitHub Wiki
- Step 1: Consult the article RabbitMq deploy to host
- Step 2: Consult the article RabbitMq Cluster
- Step 3: Consult the article RabbitMq tls-gen
- Step 4: Consult the article RabbitMq TLS folder
- Step 5: Consult the article Enable HTTPS for Management UI
We have two virtual machines: u200401 and u200402
- with RabbitMq installed on each virtual machine
- with two RabbitMq instances running as a cluster
- with HTTPS enabled for the Management UI
- Step 6: Consult the article Securing Cluster (Inter-node) and CLI Tool Communication with TLS (SSL)
- Consult the article Strategy One
- Consult the article Strategy Two
- we have the folders
  ~/tls-gen/basic/result/
  /var/lib/rabbitmq/certs/
- we have the file
  /etc/rabbitmq/rabbitmq.conf
- Step 1: create the combined_keys.pem file
- run the commands (the Erlang distribution expects `server_certfile` to be a single PEM file holding the server certificate followed by its private key)
```
cd ~/tls-gen/basic/result
# server certificate first, then its private key, in one PEM file
cat server_certificate.pem server_key.pem > combined_keys.pem
cd ~
sudo cp ~/tls-gen/basic/result/combined_keys.pem /var/lib/rabbitmq/certs/
# the node runs as the rabbitmq user, so it must own the certificate directory
sudo chown -R rabbitmq:rabbitmq /var/lib/rabbitmq/certs
```
- combined_keys.pem contains the private key, so keep it readable by the rabbitmq user only.
- Step 2(1): modify the rabbitmq-env.conf file (if /etc/rabbitmq/rabbitmq-env.conf already exists)
- run the commands:
```
# print the directory holding the inet_tls_dist module as ERL_SSL_PATH=<dir>;
# Step 3 adds that directory to the Erlang code path with -pa $ERL_SSL_PATH
erl -noinput -eval 'io:format("ERL_SSL_PATH=~s~n", [filename:dirname(code:which(inet_tls_dist))])' -s init stop > /tmp/ssl-path.txt
# prepend the ERL_SSL_PATH line to the existing file, then replace the original
cat /tmp/ssl-path.txt /etc/rabbitmq/rabbitmq-env.conf > /tmp/new-rabbitmq-env.conf
sudo mv -f /tmp/new-rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf
```
- Step 2(2): create the rabbitmq-env.conf file (if /etc/rabbitmq/rabbitmq-env.conf does not exist)
- run the commands:
```
# print the directory holding the inet_tls_dist module as ERL_SSL_PATH=<dir>
erl -noinput -eval 'io:format("ERL_SSL_PATH=~s~n", [filename:dirname(code:which(inet_tls_dist))])' -s init stop > /tmp/ssl-path.txt
# the new file consists of that single line for now; Step 3 appends the rest
sudo mv -f /tmp/ssl-path.txt /etc/rabbitmq/rabbitmq-env.conf
```
- Step 3: Add definitions for SERVER_ADDITIONAL_ERL_ARGS and RABBITMQ_CTL_ERL_ARGS
- run the command
```
sudo nano /etc/rabbitmq/rabbitmq-env.conf
```
- Add the definitions below the ERL_SSL_PATH= line written in Step 2, because `-pa $ERL_SSL_PATH` expands that variable when the file is read
```
# Inter-node communication settings
SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
-proto_dist inet_tls \
-ssl_dist_opt server_certfile /var/lib/rabbitmq/certs/combined_keys.pem \
-ssl_dist_opt server_password bunnies \
-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
# Same settings as above but for CLI tools
RABBITMQ_CTL_ERL_ARGS="-pa $ERL_SSL_PATH \
-proto_dist inet_tls \
-ssl_dist_opt server_certfile /var/lib/rabbitmq/certs/combined_keys.pem \
-ssl_dist_opt server_password bunnies \
-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
```
- With only `server_certfile` set, inter-node and CLI traffic is encrypted but a node does not verify its peer's certificate; the Securing Cluster article linked above describes the additional `server_cacertfile`, `server_verify verify_peer` and matching `client_*` options for mutual verification.
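A check for the result of Step 3, added here and not part of the wiki: RabbitMQ reads rabbitmq-env.conf by sourcing it as a shell file, so this script sources a copy the same way and verifies that both variables carry the options above. The sample files and the ERL_SSL_PATH value are constructed placeholders.

```shell
#!/bin/sh
# Added audit (not from the wiki): RabbitMQ sources rabbitmq-env.conf as a shell
# file, so we source it the same way in a subshell and inspect the Step 3 variables.

# check_erl_args VALUE LABEL: 0 when the options the wiki adds are present.
# Peer verification is only reported, since the wiki's snippet does not set it.
check_erl_args() {
    args=$1 label=$2 rc=0
    case " $args " in *" -proto_dist inet_tls "*) ;;
        *) echo "$label: missing -proto_dist inet_tls"; rc=1 ;; esac
    case " $args " in *" server_certfile "*) ;;
        *) echo "$label: missing -ssl_dist_opt server_certfile"; rc=1 ;; esac
    case " $args " in *" server_secure_renegotiate true "*) ;;
        *) echo "$label: missing server_secure_renegotiate true"; rc=1 ;; esac
    case " $args " in *" server_verify verify_peer "*) ;;
        *) echo "$label: note: no server_verify verify_peer, peers are not authenticated" ;; esac
    return $rc
}

# audit_env_conf FILE: 0 when ERL_SSL_PATH is set and both variables pass.
audit_env_conf() {
    ( . "$1" || exit 1
      rc=0
      [ -n "$ERL_SSL_PATH" ] || { echo "ERL_SSL_PATH not set (Step 2)"; rc=1; }
      check_erl_args "$SERVER_ADDITIONAL_ERL_ARGS" SERVER_ADDITIONAL_ERL_ARGS || rc=1
      check_erl_args "$RABBITMQ_CTL_ERL_ARGS" RABBITMQ_CTL_ERL_ARGS || rc=1
      [ "$SERVER_ADDITIONAL_ERL_ARGS" = "$RABBITMQ_CTL_ERL_ARGS" ] ||
          echo "note: server and CLI tool arguments differ"
      exit $rc )
}

# Constructed sample files standing in for /etc/rabbitmq/rabbitmq-env.conf;
# ERL_SSL_PATH is a placeholder for the value Step 2 writes.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD_CONF=$WORK/good.conf; BAD_CONF=$WORK/bad.conf
cat > "$GOOD_CONF" <<'EOF'
ERL_SSL_PATH=/usr/lib/erlang/lib/ssl-PLACEHOLDER/src
SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
-proto_dist inet_tls \
-ssl_dist_opt server_certfile /var/lib/rabbitmq/certs/combined_keys.pem \
-ssl_dist_opt server_password bunnies \
-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
RABBITMQ_CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
EOF
grep -v '^RABBITMQ_CTL_ERL_ARGS' "$GOOD_CONF" > "$BAD_CONF"   # CLI tool line forgotten

audit_env_conf "$GOOD_CONF" && echo "good.conf: OK"
audit_env_conf "$BAD_CONF" || echo "bad.conf: FAIL (expected)"
```

Point `audit_env_conf` at the real /etc/rabbitmq/rabbitmq-env.conf on each node to confirm that the CLI tool variable was not left out, which would make rabbitmqctl unable to reach the TLS-only node.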
- Step 4: modify rabbitmq.conf
- run the command
```
sudo nano /etc/rabbitmq/rabbitmq.conf
```
- add these ten lines
```
listeners.tcp = none
# listeners.ssl.1 = 5671
listeners.ssl.default = 5671
ssl_options.versions = tlsv1.3
ssl_options.cacertfile = /var/lib/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = /var/lib/rabbitmq/certs/server_certificate.pem
ssl_options.keyfile = /var/lib/rabbitmq/certs/server_key.pem
ssl_options.password = bunnies
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
```
- `listeners.tcp = none` removes the plaintext AMQP listener, so clients can only connect over TLS on 5671; `ssl_options.verify = verify_peer` together with `fail_if_no_peer_cert = true` requires every client to present a certificate issued by the CA in `cacertfile`, which is why the openssl check at the end of this page passes a client certificate and key.
- Step 5: Restart the server
- run the commands
```
sudo systemctl stop rabbitmq-server
sudo systemctl start rabbitmq-server
```
- Step 6: Check listeners
- run the command
```
sudo rabbitmq-diagnostics listeners
```
- Step 7: Check the cluster
- run the command (both nodes should still be listed as running members, which shows that they re-established inter-node communication over TLS)
```
sudo rabbitmqctl cluster_status
```
- Step 8: Check the TLS listener with openssl
- run the commands
```
cd /var/lib/rabbitmq/certs
# present the client certificate, since fail_if_no_peer_cert = true rejects connections without one
openssl s_client -connect localhost:5671 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem
```
- A successful check prints `Verify return code: 0 (ok)` and completes the handshake. This connection goes to the AMQPS listener on 5671 and therefore exercises the `ssl_options` from Step 4; inter-node traffic uses the separate Erlang distribution port (25672 by default), and the cluster_status check above is what confirms that the nodes still talk to each other over it.