[Feature Request] Use Erlang 25 feature: OS certificate store access for Management Plugin Website


Stefan Bruhn

Jan 2, 2023, 7:13:16 AM
to rabbitmq-users
Hello,

I am currently hosting a RabbitMQ server on a Windows server, which has its certificates stored in the Windows certificate store and managed through IIS.

I regularly encounter the problem that going to the RabbitMQ management plugin
http://{{MyServer}}:15672/#/queues/ redirects me to
https://{{MyServer}}:15672/#/queues/ and then fails, as my management plugin is not configured to listen to HTTPS/SSL.

Reading the documentation at: https://www.rabbitmq.com/ssl.html
I only found a way to enable SSL via providing the raw certificate file to the utilities.
I would rather have a simple option to use the standard OS server certificate stored in the OS certificate store (like I can do with all other web applications hosted in IIS).

Erlang 25 included the option:
https://www.erlang.org/blog/my-otp-25-highlights/#ca-certificates-can-be-fetched-from-the-os-standard-place

Are there plans to make use of it?

Is there maybe even a simple workaround for my specific issue (like hosting the management plugin differently than with the provided Erlang web server)?

Thanks and best regards,
Stefan


Luke Bakken

Jan 3, 2023, 10:56:10 AM
to rabbitmq-users
Hi Stefan,

The certificate feature included in Erlang 25 only allows Erlang applications to fetch CA certificates from the operating system. In the case of the RabbitMQ management interface, you still have to provide a server certificate and key from a file, so there isn't really a benefit to fetching the CA cert from the Windows cert store.

If your browser redirects you from the http:// to the https:// scheme, something must have set up that redirect outside of RabbitMQ. If you only had https configured for the RabbitMQ management plugin, visiting http://{{MyServer}}:15672/#/queues would have resulted in a refused connection error.

The "best" workaround in your case would be to automate the export of the RabbitMQ-specific certificates from the Windows cert store whenever they are updated. Exporting to PFX then converting to PEM format would be required:

Export to PFX:

Convert:

Or, just don't use the Windows cert store for RabbitMQ specific certificates.

Thanks,
Luke
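
One way to automate the export-to-PFX and convert-to-PEM steps described in the reply above, as an added example that is not part of the original post or of RabbitMQ's documentation. The common name, output directory, file names and service account are placeholders, `openssl.exe` is assumed to be on PATH, and the certificate's private key must have been marked exportable.

```powershell
# Added example. All names and paths below are placeholders (assumptions).
$CommonName = 'rabbitmq.example.internal'
$OutDir     = 'C:\rabbitmq-tls'
$Pfx        = Join-Path $OutDir 'rabbitmq.pfx'
$CertPem    = Join-Path $OutDir 'server_certificate.pem'
$KeyPem     = Join-Path $OutDir 'server_key.pem'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pick the newest unexpired certificate for this name that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" -and $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate found for CN=$CommonName" }

# One-time random password for the intermediate PFX; it is never written to disk.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

try {
    # Fails here if the private key is not exportable.
    Export-PfxCertificate -Cert $cert -FilePath $Pfx -Password $secure | Out-Null

    # Pass the password through the environment, not the command line,
    # so it does not show up in process listings.
    $env:PFX_PASS = $plain
    openssl pkcs12 -in $Pfx -passin env:PFX_PASS -clcerts -nokeys -out $CertPem
    if ($LASTEXITCODE -ne 0) { throw 'Certificate extraction failed' }
    openssl pkcs12 -in $Pfx -passin env:PFX_PASS -nocerts -nodes -out $KeyPem
    if ($LASTEXITCODE -ne 0) { throw 'Private key extraction failed' }
}
finally {
    # Remove the password and the intermediate PFX even when a step fails.
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    Remove-Item $Pfx -ErrorAction SilentlyContinue
}

# The PEM key is unencrypted, so strip inherited ACLs and grant read access only
# to the service account (SYSTEM is an assumption) and full control to Administrators.
icacls $KeyPem /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
```

Run it from a scheduled task after each certificate renewal, and point `management.ssl.certfile` and `management.ssl.keyfile` in `rabbitmq.conf` at the two PEM files.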