U1.19 Ubuntu Quick Start (QS): RabbitMq Enable TLS for Inter node Communication and CLI tools - chempkovsky/CS2WPF-and-CS2XAMARIN GitHub Wiki

Preliminary steps

As a Result

On both virtual machines:

  • we have the folders
~/tls-gen/basic/result/
/var/lib/rabbitmq/certs/
  • we have the file
/etc/rabbitmq/rabbitmq.conf

u200401 and u200402 virtual machines: Strategy One

  • Step 1: create the combined_keys.pem file (server certificate followed by the encrypted server key)
    • run the commands
cd tls-gen/basic/result
cat server_certificate.pem server_key.pem > combined_keys.pem
cd ~
sudo cp ~/tls-gen/basic/result/combined_keys.pem /var/lib/rabbitmq/certs/
sudo chown -R rabbitmq:rabbitmq /var/lib/rabbitmq/certs
  • Step 2(1): modify the rabbitmq-env.conf file (if /etc/rabbitmq/rabbitmq-env.conf already exists)
    • run the commands:
erl -noinput -eval 'io:format("ERL_SSL_PATH=~s~n", [filename:dirname(code:which(inet_tls_dist))])' -s init stop > /tmp/ssl-path.txt
cat /tmp/ssl-path.txt /etc/rabbitmq/rabbitmq-env.conf > /tmp/new-rabbitmq-env.conf
sudo mv -f /tmp/new-rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf
  • Step 2(2): create the rabbitmq-env.conf file (if /etc/rabbitmq/rabbitmq-env.conf does not exist yet)
    • run the commands:
erl -noinput -eval 'io:format("ERL_SSL_PATH=~s~n", [filename:dirname(code:which(inet_tls_dist))])' -s init stop > /tmp/ssl-path.txt
sudo mv -f /tmp/ssl-path.txt /etc/rabbitmq/rabbitmq-env.conf
  • Step 3: add definitions for SERVER_ADDITIONAL_ERL_ARGS and RABBITMQ_CTL_ERL_ARGS
    • run the command
sudo nano /etc/rabbitmq/rabbitmq-env.conf
    • add the definitions for SERVER_ADDITIONAL_ERL_ARGS and RABBITMQ_CTL_ERL_ARGS
# Inter-node communication settings
SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
  -proto_dist inet_tls \
  -ssl_dist_opt server_certfile /var/lib/rabbitmq/certs/combined_keys.pem \
  -ssl_dist_opt server_password bunnies \
  -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"

# Same settings as above but for CLI tools
RABBITMQ_CTL_ERL_ARGS="-pa $ERL_SSL_PATH \
  -proto_dist inet_tls \
  -ssl_dist_opt server_certfile /var/lib/rabbitmq/certs/combined_keys.pem \
  -ssl_dist_opt server_password bunnies \
  -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true"
  • Here is a result: [screenshot]

  • Step 4: modify rabbitmq.conf
    • run the command
sudo nano /etc/rabbitmq/rabbitmq.conf
    • add these ten lines
listeners.tcp          = none
# listeners.ssl.1        = 5671
listeners.ssl.default  = 5671
ssl_options.versions   = tlsv1.3
ssl_options.cacertfile = /var/lib/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile   = /var/lib/rabbitmq/certs/server_certificate.pem
ssl_options.keyfile    = /var/lib/rabbitmq/certs/server_key.pem
ssl_options.password   = bunnies
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
  • Here is a result: [screenshot]

  • Step 5: Restart server
    • run the command
sudo systemctl stop rabbitmq-server
sudo systemctl start rabbitmq-server
  • Step 6: Check listeners
    • run the command
sudo rabbitmq-diagnostics listeners

  • Step 7: Check cluster
    • run the command
sudo rabbitmqctl cluster_status

  • Step 8: check the TLS listener with openssl
    • run the commands
cd /var/lib/rabbitmq/certs
openssl s_client -connect localhost:5671 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem
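Before Step 5 restarts the broker, the two files built in Steps 1 and 3 are worth a sanity check: combined_keys.pem carries the node's private key, rabbitmq-env.conf carries that key's password in clear text, and running Step 2(1) twice silently prepends a second ERL_SSL_PATH line. The script below is an added example, not code from this wiki page, from tls-gen or from RabbitMQ; it assumes GNU stat and the file paths used above.

```bash
#!/usr/bin/env bash
# Pre-restart checks for the artifacts produced in Steps 1-3.
# Added example, not part of this wiki page, of tls-gen or of RabbitMQ.
# Assumes GNU stat(1) (-c), with a BSD stat(1) fallback.

# 0 when $1 is a usable combined_keys.pem: exactly one CERTIFICATE block, one
# private-key block, the key encrypted (otherwise the server_password in
# rabbitmq-env.conf protects nothing) and the file readable by its owner only.
check_combined_pem() {
  local f=$1 certs keys mode
  [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  [ "$certs" -eq 1 ] || { echo "$f: expected 1 certificate, found $certs"; return 1; }
  [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys"; return 1; }
  grep -Eq 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f" \
    || { echo "$f: private key is not encrypted"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "$f: mode $mode is readable by group or others"; return 1 ;;
  esac
}

# 0 when $1 is a rabbitmq-env.conf with exactly one ERL_SSL_PATH line (running
# Step 2(1) twice prepends a second one) and both ERL_ARGS variables select
# inet_tls and the combined PEM file.
check_env_conf() {
  local f=$1 n
  n=$(grep -c '^ERL_SSL_PATH=' "$f" || true)
  [ "$n" -eq 1 ] || { echo "$f: expected 1 ERL_SSL_PATH line, found $n"; return 1; }
  for var in SERVER_ADDITIONAL_ERL_ARGS RABBITMQ_CTL_ERL_ARGS; do
    grep -q "^$var=" "$f" || { echo "$f: $var is not defined"; return 1; }
  done
  n=$(grep -c -- '-proto_dist inet_tls' "$f" || true)
  [ "$n" -eq 2 ] || { echo "$f: -proto_dist inet_tls expected twice, found $n"; return 1; }
  n=$(grep -c -- 'server_certfile /var/lib/rabbitmq/certs/combined_keys.pem' "$f" || true)
  [ "$n" -eq 2 ] || { echo "$f: server_certfile expected twice, found $n"; return 1; }
}

# On a node, run with CHECK_TLS_RUN=1 after Step 3 and before Step 5.
if [ "${CHECK_TLS_RUN:-0}" = 1 ]; then
  check_combined_pem /var/lib/rabbitmq/certs/combined_keys.pem \
    && check_env_conf /etc/rabbitmq/rabbitmq-env.conf && echo "ok to restart"
fi
```

Run it as the rabbitmq user (or with sudo) so that the readability test sees the same view of the files the broker will.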
