is there need to restart rabbitmq after rotating ssl certificates

[komu wairagu]

I have configured tls/ssl on rabbitmq and my question is, when I renew/rotate my ssl certifcate and ssl key do I need to restart rabbitmq for the new certificates to take effect or will rabbitmq pick the new ones automatically.

a snippet of my configuration is::

{ssl_options, [{cacertfile,           "/etc/rabbitmq/cacert.pem"},

                  {certfile,             "/etc/rabbitmq/rabbitmq_cert.pem"},

                  {keyfile,              "/etc/rabbitmq/rabbitmq_key.pem"},

                  {verify,               verify_peer},

                  {fail_if_no_peer_cert, false}]},

Now if I copied a new certificate and key into /etc/rabbitmq/ with the same names as the previous ones so that the new ones override the older ones, 

1. do I have to restart rabbitmq? 

2. And if the answer to 1 is yes, does rabbitmq has a soft reload signal I can use so that rabbitmq doesn't have to close connections to publishers and consumers?

Thanks,

Komu W.  

[Michael Klishin]

There is no config reloading but you can restart the ssl app and it will cause it read the new
certificate and key files:
https://groups.google.com/d/msg/rabbitmq-users/vrucUTvDUAA/WlqnHX2IwcsJ

it will still drop connections. 

> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

--
MK

Staff Software Engineer, Pivotal/RabbitMQ

[komu wairagu]

Thanks Michael.

Cheers,

Komu W.

> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
> To post to this group, send an email to rabbitmq-users@googlegroups.com.

[Arun Kumar]

Hi, I am currently using  Rabbitmq 3.6.12 , Erlang 19.1 with self signed SSL certificates and Rabbitmq starts fine with 15671 port. When I try to use newly generated SSLCertificates, I can see that the new SSL certificates are loaded or refreshed by rabbitmq on it's own with every 30 seconds to 1 minute refresh interval (NOT SURE ABOUT THE INTERVAL). I have tested this scenario many a times with new SSL Certificates. You can also verify the same by checking the rabbitmq.log by removing the SSLCertificates folder from the system when the rabbitmq is already running (The log file contains errors that the certificates are missing and the errors stop appearing in the log file automatically when the SSLCertificates are placed at the same location again)

I would wish to understand how the SSLCertificate refresh/reload is working for me. 

Also kindly let me know how can I change this auto reload time interval configuration

The below is the link for the same question posted by me -

https://groups.google.com/forum/#!topic/rabbitmq-users/5y2SbpHdTX0

[Michael Klishin]

One question, one new  thread — this is how this list works.

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Staff Software Engineer, Pivotal/RabbitMQ

[Michael Klishin]

There seem to have been some changes in recent Erlang releases that introduce potential for certificate and key reloading (without dropping connections, that is)

in the `ssl` app which RabbitMQ uses.

See https://groups.google.com/d/msg/rabbitmq-users/AdkDZhmYtAA/wI_etbl_BAAJ.