Reload TLS certificate without affecting existing connections


Carl Hörberg

Jun 11, 2018, 4:00:41 PM
to rabbitmq-users
Would it be possible to reload a TLS certificate in RabbitMQ without it affecting existing connections?

Michael Klishin

Jun 11, 2018, 6:21:27 PM
to rabbitm...@googlegroups.com
I doubt it but I recall there was a way to force connection renegotiation for each
connection individually using `ssl:setopts/2`. No one has reported any results from that trick,
successful or otherwise.

On Mon, Jun 11, 2018 at 11:00 PM, Carl Hörberg <ca...@cloudamqp.com> wrote:
Would it be possible to reload a TLS certificate in RabbitMQ without it affecting existing connections?




--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Jun 11, 2018, 6:23:29 PM
to rabbitm...@googlegroups.com

Again, no one has reported back to confirm, unfortunately.

On Tue, Jun 12, 2018 at 1:21 AM, Michael Klishin <mkli...@pivotal.io> wrote:
I doubt it but I recall there was a way to force connection renegotiation for each
connection individually using `ssl:setopts/2`. No one has reported any results from that trick,
successful or otherwise.
On Mon, Jun 11, 2018 at 11:00 PM, Carl Hörberg <ca...@cloudamqp.com> wrote:
Would it be possible to reload a TLS certificate in RabbitMQ without it affecting existing connections?

--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Carl Hörberg

Jun 11, 2018, 6:25:10 PM
to rabbitm...@googlegroups.com
Thanks! 

Michael Klishin

Aug 9, 2018, 9:38:36 AM
to rabbitmq-users
FTR, this function's documentation suggests that in modern Erlang versions there might be
a certificate/key reloading feature as part of the internal certificate cache [1]. I say might because
we don't have much feedback other than some GitHub comments and reactions [2].

We haven't conducted any tests but this would be an interesting thing to try, document and perhaps
add a CLI command around.

Adding it here because some threads on this list are still being used and linked to years later.

Woon Yung Liu

Feb 28, 2019, 7:00:58 PM
to rabbitmq-users
Hi,

For my project, I have been using RabbitMQ's MQTT functionality.

I have attempted to get the truststore certificates refreshed by doing the following, but none of them helped (only restarting RabbitMQ allowed the new truststore certificates to be binding):
  • Replacing the cacerts file.
  • Invoking ssl:clear_pem_cache() through rabbitmqctl eval.
Restarting the ssl app alone seemed to not work too well, as it would cause the mqtt plugin to stop serving connections, forcing me to restart the mqtt plugin as well.
But a full restart of RabbitMQ didn't seem necessary either, as restarting only the RabbitMQ app (with stop_app and start_app) did the job.


David Mohr

Aug 12, 2020, 10:42:29 PM
to rabbitmq-users

I realise this thread is a couple of years old, but I wanted to report back my findings for future readers:


Turns out newer versions of Erlang auto-update their PEM cache, so all you need to do is put the new certificate in place and then wait for a few minutes. (Tested with RabbitMQ 3.7.22, Erlang 22.1.8)

If you need to force the use of the new certificate sooner, you can use

rabbitmqctl eval 'ssl:clear_pem_cache().'

And this will reload the certificate without disconnecting any publishers or consumers.
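A way to verify the rotation described in the reply above from the operator's side: compare the SHA-256 fingerprint of the leaf certificate the listener actually presents with the one in the PEM file on disk, poll until they match, and optionally force the Erlang PEM cache to drop first with the `rabbitmqctl eval 'ssl:clear_pem_cache().'` command from the thread. This is an added example, not code from the thread or from RabbitMQ; it assumes the TLS listener is on port 5671, that `rabbitmqctl` is on PATH, and that the PEM file's first block is the leaf certificate.

```python
import base64, hashlib, socket, ssl, subprocess, sys, time

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
CLEAR_PEM_CACHE = ["rabbitmqctl", "eval", "ssl:clear_pem_cache()."]

def leaf_der_from_pem(pem_text: str) -> bytes:
    """DER bytes of the FIRST certificate in a PEM file (the leaf; a chain
    file usually carries the intermediates after it)."""
    start = pem_text.index(BEGIN) + len(BEGIN)
    end = pem_text.index(END, start)
    return base64.b64decode("".join(pem_text[start:end].split()))

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def served_leaf_der(host: str, port: int = 5671) -> bytes:
    """Open a throwaway TLS session and return the leaf the broker presents.
    Verification is off on purpose: we only compare bytes, and during a
    rotation the presented certificate may not be the one we trust yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def cert_is_live(served_der: bytes, pem_text: str) -> bool:
    return fingerprint(served_der) == fingerprint(leaf_der_from_pem(pem_text))

def wait_for_rotation(host, pem_path, port=5671, timeout=600, interval=15, force=False):
    """Poll until the listener serves the certificate in pem_path. With
    force=True the PEM cache is cleared first; existing AMQP/MQTT connections
    are not touched by that call."""
    if force:
        subprocess.run(CLEAR_PEM_CACHE, check=True)
    with open(pem_path) as f:
        pem_text = f.read()
    deadline = time.monotonic() + timeout
    while not cert_is_live(served_leaf_der(host, port), pem_text):
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
    return True

# Constructed sample for an offline self-check: arbitrary bytes standing in
# for a DER certificate, PEM-armoured, with a second block appended so the
# "first block only" logic is exercised. Not a real certificate.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER) + ssl.DER_cert_to_PEM_cert(b"\xff" * 32)

if __name__ == "__main__":
    ok = wait_for_rotation(sys.argv[1], sys.argv[2], force="--force" in sys.argv)
    print("listener serves the on-disk certificate" if ok else "still serving the old certificate")
```

Run it as `python3 check_rotation.py broker.example.internal /etc/rabbitmq/server.pem --force` right after swapping the file; a `False` result after the timeout means the cache did not pick the file up and a closer look at the listener configuration is warranted.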
