Refreshing / Reloading SSL certificates

Arun Kumar

Aug 9, 2018, 5:44:18 AM
to rabbitmq-users
Hi, I am currently using RabbitMQ 3.6.12, Erlang 19.1 with self-signed SSL certificates, and RabbitMQ starts fine on port 15671. When I try to use newly generated SSL certificates, I can see that the new SSL certificates are loaded or refreshed by RabbitMQ on its own, with a refresh interval of every 30 seconds to 1 minute (NOT SURE ABOUT THE INTERVAL). I have tested this scenario many times with new SSL certificates. You can also verify the same by checking rabbitmq.log after removing the SSL certificates folder from the system while RabbitMQ is already running (the log file contains errors that the certificates are missing, and the errors stop appearing in the log file automatically when the SSL certificates are placed at the same location again).

But in a couple of links on the same topic, as below, you have suggested that the automatic reload/refresh of SSL certificates is not possible.


I would like to understand how the SSL certificate refresh/reload is working for me.
Also, kindly let me know how I can change this auto-reload time interval configuration.

Michael Klishin

Aug 9, 2018, 9:24:42 AM
to rabbitm...@googlegroups.com
RabbitMQ does not reload certificates. If anything does, it is the underlying TLS implementation. We are now aware of a trick
to make it reload the key/certificate pair and invalidate some of its caches [1][2] but it is not something that it does periodically.

The "remove files from underneath a node" scenario has uncovered a bunch of interesting (but extremely rare to actually hit) bugs
in Erlang's ssl module. They were reported and will land in OTP 21.1 as far as we know.

Our team does not consider the following scenarios realistic and worth spending time on beyond reasonable error reporting:

 * Certificate or key is not valid
 * Certificate or key is removed from the file system after the node is running

and "Certificate or key does not exist or is not readable" should be covered by configuration file validation in 3.7.0.

What are you trying to achieve?


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Arun Kumar

Aug 13, 2018, 3:49:22 AM
to rabbitmq-users
Thank you MK for getting back on this.
What I am trying to achieve is this:
   Initially my RabbitMQ is started with self-signed certificates (call it SSLCerts-1), and the SHOVELS are created between my system and the RabbitMQ broker on another system, which also contains SSLCerts-1. Later I generate new SSL certificates (call it SSLCerts-2) and want to replace the old SSLCerts-1 with the newly generated SSLCerts-2 without stopping RabbitMQ, ONLY on my system, keeping SSLCerts-1 on the other system. After I replaced the certificates on my system with the new SSLCerts-2, RabbitMQ on my system picked up these certificates and the SHOVELS WERE TERMINATED with an "unknown CA" error (since now my system and the other system are using different certificates). This is the expected scenario, and the certificates on my system were reloaded by RabbitMQ at runtime.

The above scenario is what I need and it is working fine.

You say dynamic reloading of SSL certs is not possible [1] [2]. Hence I posted the question of why and how dynamic reloading of SSL certs worked for me without a RabbitMQ restart.


Michael Klishin

Aug 13, 2018, 6:46:58 AM
to rabbitm...@googlegroups.com
I said that RabbitMQ does not reload certificates (or implement TLS, PKI or anything in between).

To our knowledge Erlang's ssl app didn't reload certificates up until recently. Maybe now it does (it would be a nice
feature for some users) but we haven't found much information about this in the docs of any recent release, let alone 19.1 (which, by the way,
you should avoid like the plague [1]).

We have since found a couple of threads that achieve this with a trick (they clear the ssl app's PEM certificate cache). Maybe even that's no longer
necessary; we'd have to check.

Again, it's hard to argue "things work well for me", so if it really does work the way you expect, go for it ;)

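A check for the situation MK describes, where the node keeps serving a cached copy of the old PEM after the files on disk have changed, as an added example that is not from the thread or from the RabbitMQ project. It assumes the certificate path, host and port (15671 as in the original post), and that `rabbitmqctl eval` is how you reach the node; the cache-clearing call is Erlang's `ssl:clear_pem_cache/0`, the function behind the trick mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SHA-256 fingerprint of the
# certificate on disk with the one the node actually presents in the TLS
# handshake, and clear the Erlang ssl app's PEM cache when they differ.
CERT_FILE="${CERT_FILE:-/etc/rabbitmq/ssl/server_certificate.pem}"  # assumed path
HOST="${HOST:-localhost}"                                            # assumed host
PORT="${PORT:-15671}"                                                # port from the post

# Turn an openssl fingerprint line ("SHA256 Fingerprint=AB:CD:...") into bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# Fingerprint of the certificate file on disk.
disk_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Fingerprint of the leaf certificate the node presents on HOST:PORT.
served_fp() {
    normalize_fp "$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# 0 when both fingerprints are non-empty and equal; an empty served value (no handshake) never matches.
fp_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

main() {
    on_disk=$(disk_fp "$CERT_FILE")
    in_use=$(served_fp "$HOST" "$PORT")
    echo "on disk : ${on_disk:-<unreadable>}"
    echo "served  : ${in_use:-<no handshake>}"
    if fp_matches "$on_disk" "$in_use"; then
        echo "node is serving the certificate that is on disk"
        return 0
    fi
    # Mismatch: the ssl app still holds the old PEM in its cache. Clearing it makes the
    # next handshake re-read the files. Reaching the node shell via rabbitmqctl eval is an assumption.
    rabbitmqctl eval 'ssl:clear_pem_cache().'
    echo "PEM cache cleared; run again to confirm the new certificate is served"
    return 1
}

main "$@"
```

Run it once after replacing the files; a second run should report the on-disk and served fingerprints as equal. Shovels to peers that still trust only the old self-signed certificate will fail with "unknown CA" until the peers are updated, exactly as in the original report.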