How to enable TLS support on a Rabbitmq server hosted on Windows with a letsencrypt certificate


Pierre-François Culand

Mar 26, 2017, 7:47:03 AM3/26/17
to rabbitmq-users
Hi all,

I'm not familiar with SSL stuff.

I've installed a RabbitMQ server on a Windows 2008 R2 server also hosting my web site on IIS. (This RabbitMQ server works well listening for client connections on port 5672 via an unencrypted channel, and I now want my clients to access it via an SSL-protected channel on port 5671.)

I've generated and installed (in my Windows certificate store) a new personal certificate from Letsencrypt.org and successfully bound it to my IIS web server (using the letsencrypt-win-simple utility found at https://github.com/Lone-Coder/letsencrypt-win-simple/releases); my web site is now available on https://www.raptordev.ch

I read the RabbitMQ documentation (at https://www.rabbitmq.com/ssl.html) about how to activate SSL support on my RabbitMQ server but was not able to understand how to proceed.

I've understood I have to add something like the following configuration settings in the rabbitmq config file:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                    {certfile,"/path/to/server/cert.pem"},
                    {keyfile,"/path/to/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].


But I do not understand where I can find the required referenced cacert.pem, cert.pem and key.pem on my Windows server...


All I know is that I have a new personal certificate in my Windows certificate store; I can locate it using the mmc.exe utility (see the screen capture certificate.png in attachment).


How do I find these files? Do I have to export them from the certificate store with mmc.exe? (But mmc does not generate the .pem format; it only offers the .cer format...)


Many thanks for your help.

certificate.png

Michael Klishin

Mar 26, 2017, 9:29:42 AM3/26/17
to rabbitm...@googlegroups.com
Let's Encrypt is a free CA with opinionated certificate management tools around it.

RabbitMQ (and any other server that needs to use TLS) requires 3 files:

 * A CA certificate
 * A server certificate (public key) signed by the above CA certificate
 * A server private key

The Let's Encrypt tooling you use probably assumes that the Windows certificate store and IIS will be used. RabbitMQ does not use the Windows certificate store and uses certificates in the PEM format (which is extremely common outside of the Microsoft and perhaps Java ecosystems). Certificates and keys in other formats can be converted to PEM using OpenSSL or other tools.

So your goal is to produce a certificate authority and server certificate plus a server private key, all in the PEM format, using Let's Encrypt tooling. The RabbitMQ TLS guide links to a few tutorials on PKI (Public Key Infrastructure) and TLS in case none of those words mean anything to you.
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pierre-François Culand

Mar 26, 2017, 10:04:57 AM3/26/17
to rabbitm...@googlegroups.com
Thanks a lot Michael.

I was able to export my personal server certificate (delivered to www.raptordev.ch by Let's Encrypt Authority X3) from the Windows certificate store as a .pfx file using the mmc.exe utility.

Then, using a downloaded Windows binary of the OpenSSL tool, I was able to convert it to a .pem file with the following command run as an administrator:

openssl pkcs12 -in c:\RaptordevLetsencriptCertificate.pfx -out c:\RaptordevLetsencriptCertificate.pem -nodes

I suppose this file is the certfile to refer to from the RabbitMQ configuration.

Now my question is about the cacertfile and the keyfile. Where can I find them? It seems I do not find them in the Windows certificate store...

I mean I didn't find any Let's Encrypt CA certificate in my Windows certificate store... neither in the Trusted Root CA certificate section nor in the Intermediate CA section...

Thanks again  
 


Pierre-François Culand

Mar 26, 2017, 10:34:27 AM3/26/17
to rabbitm...@googlegroups.com
Let me add that I found some Root and Intermediate certificates at https://letsencrypt.org/certificates/

They are .txt files, not .pem.

Why? Can I rename these files with a .pem extension?

And I do not know which one of all these certificates I have to use as cacertfile for the rabbitmq configuration.

Finally, I did not say that my personal raptordev certificate received from Let's Encrypt has been exported from the Windows certificate store as .pfx with my private key. (I had to choose a password, and I gave this password to OpenSSL to convert the .pfx to a .pem file.) So I suppose I can refer to the resulting .pem file as keyfile as well as certfile. Is that right?




Michael Klishin

Mar 26, 2017, 11:15:43 AM3/26/17
to rabbitm...@googlegroups.com
PEM files are text files. I don't know why they may be distributed as .txt files,
perhaps the goal is to make them easier to inspect (.pem files will be opened
by various certificate management tools).

From the page you've found:

«Under normal circumstances, certificates issued by Let’s Encrypt will come from “Let’s Encrypt Authority X3”…»

which means the Let's Encrypt Authority X3, an intermediate certificate signed by their root and co-signed by IdenTrust, will be the CA that signs the Let's Encrypt-provided server certificate and key.

It's easy to verify if one certificate was signed by another using openssl's verify command.
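Two of the questions in this thread (whether the single .pem written by `openssl pkcs12 -nodes` can be pointed at as both certfile and keyfile, and whether a chain file distributed as .txt is really PEM) come down to what is inside the file. The following is an added example, not code from the thread or from RabbitMQ: it splits the combined bundle into the three inputs named in ssl_options and sanity-checks each block. The sample bundle is constructed, and the assumption that the leaf certificate comes first in the bundle is mine.

```python
import base64
import re

# One PEM block: label plus base64 body (openssl's "Bag Attributes" lines fall outside it).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_is_sequence(body_b64: str) -> bool:
    """True if the body decodes to DER whose outer tag is SEQUENCE (0x30), as every
    X.509 certificate and PKCS#1/PKCS#8 key does; catches a truncated or mangled copy."""
    try:
        der = base64.b64decode("".join(body_b64.split()), validate=True)
    except ValueError:
        return False
    return len(der) > 2 and der[0] == 0x30

def split_pem_bundle(text: str) -> dict:
    """Split the combined PEM from `openssl pkcs12 -nodes` into the three inputs named in
    RabbitMQ's ssl_options. Assumption: the first CERTIFICATE block is the server (leaf)
    certificate and any later ones are its issuing chain."""
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(text):
        if not der_is_sequence(body):
            raise ValueError(f"{label} block is not valid base64-encoded DER")
        if label == "ENCRYPTED PRIVATE KEY":
            raise ValueError("key is still encrypted: re-run pkcs12 with -nodes")
        block = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            keys.append(block)
    if not certs or len(keys) != 1:
        raise ValueError(f"need >=1 certificate and exactly 1 key, got {len(certs)}/{len(keys)}")
    return {"certfile": certs[0], "keyfile": keys[0],
            "cacertfile": "".join(certs[1:]) or None}  # None: no chain was in the .pfx

# Constructed sample in the shape of `openssl pkcs12 -nodes` output; the base64 is a toy
# DER SEQUENCE{INTEGER 1}, not a real certificate or key.
SAMPLE_BUNDLE = """Bag Attributes
subject=/CN=www.example.test
issuer=/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
issuer=/O=Example Root CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
```

Write the three strings to separate files and point certfile, keyfile and cacertfile at them; the `openssl verify -CAfile <cacertfile> <certfile>` check Michael mentions then confirms that the chain actually signs the server certificate.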