letsencrypt & rabbitmq


Travis Griggs

Oct 17, 2016, 1:10:54 PM10/17/16
to rabbitmq-users
I'm new to rabbitmq. I have it installed on ubuntu 16.04. I've read the tutorials and even run them. Before I go any further, I need to make sure that I can do everything encrypted. So I'm trying to figure out the TLS stuff, but I'm pretty green in this area. I've read through the "https://www.rabbitmq.com/ssl.html" doc, but a lot of that seems to be dedicated to using self signed certs, and I just want to use the letsencrypt one that I already set up on this machine and used with my tornado server. Somewhere reading through all of that, I lost confidence that I was really getting it. :)

I'm hoping someone can kindly point me in the right direction/example of what to put where (I found /etc/rabbitmq/rabbitmq-env.conf, but it seems mostly empty, and I'm not confident that's the correct config file I'm supposed to be tuning).

Can/should one support *only* ssl connections?

Will pika or the iOS client need anything special to be able to use the SSL path?

TIA

Michael Klishin

Oct 17, 2016, 1:19:41 PM10/17/16
to rabbitm...@googlegroups.com
If you want to use an existing certificate, then simply skip all the parts that set up a CA and generate a self-signed CA/certificates/keys.

You can disable non-TLS listeners, see http://www.rabbitmq.com/networking.html.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Travis Griggs

Oct 17, 2016, 2:35:12 PM10/17/16
to rabbitm...@googlegroups.com

> On Oct 17, 2016, at 10:19 AM, Michael Klishin <mkli...@pivotal.io> wrote:
>
> If you want to use an existing certificate, then simply skip all the parts that set up a CA and generate a self-signed CA/certificates/keys.
>
> You can disable non-TLS listeners, see http://www.rabbitmq.com/networking.html.

Not having luck yet. I tried to drop the example and tweaked the paths in /etc/rabbitmq/rabbitmq-env.conf

:/etc/rabbitmq$ cat rabbitmq-env.conf
# Defaults to rabbit. This can be useful if you want to run more than one node
# per machine - RABBITMQ_NODENAME should be unique per erlang-node-and-machine
# combination. See the clustering on a single machine guide for details:
# http://www.rabbitmq.com/clustering.html#single-machine
#NODENAME=rabbit

# By default RabbitMQ will bind to all interfaces, on IPv4 and IPv6 if
# available. Set this if you only want to bind to one network interface or
# address family.
#NODE_IP_ADDRESS=127.0.0.1

# Defaults to 5672.
#NODE_PORT=5672

[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"/etc/letsencrypt/live/xxx.yyy.com/fullchain.pem"},
{certfile,"/etc/letsencrypt/live/xxx.yyy.com/cert.pem"},
{keyfile,"/etc/letsencrypt/live/xxx.yyy.com/privkey.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].

But that seems to be a bad file syntax?

:/etc/rabbitmq$ sudo systemctl restart rabbitmq-server
Job for rabbitmq-server.service failed because the control process exited with error code. See "systemctl status rabbitmq-server.service" and "journalctl -xe" for details.

:/etc/rabbitmq$ sudo journalctl -flu rabbitmq-server
-- Logs begin at Sun 2016-10-16 12:55:49 CDT. --
Oct 17 13:30:38 server5 systemd[1]: Starting RabbitMQ Messaging Server...
Oct 17 13:30:38 server5 rabbitmq[30184]: /usr/lib/rabbitmq/bin/rabbitmq-server-wait: 15: [: missing ]
Oct 17 13:30:38 server5 systemd[1]: rabbitmq-server.service: Control process exited, code=exited status=2
Oct 17 13:30:38 server5 systemd[1]: Failed to start RabbitMQ Messaging Server.
Oct 17 13:30:38 server5 systemd[1]: rabbitmq-server.service: Unit entered failed state.
Oct 17 13:30:38 server5 systemd[1]: rabbitmq-server.service: Failed with result 'exit-code'.

I’m running the stock version of rabbitmq (3.5.7) on Ubuntu 16.04. Could there be a version/documentation mismatch?

Michael Klishin

Oct 17, 2016, 3:09:33 PM10/17/16
to rabbitm...@googlegroups.com
rabbitmq-env.conf is for environment variables and is loaded as a shell script.


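To tie the two replies above together (skip the self-signed CA steps and point RabbitMQ at the existing Let's Encrypt files; put Erlang terms in rabbitmq.config, not in the shell-sourced rabbitmq-env.conf; disable the plaintext listener if you want TLS only), here is an added example. It is not code from the thread or from the RabbitMQ project. It assumes certbot's default layout /etc/letsencrypt/live/<domain>/, a service user named rabbitmq, a placeholder domain, and the helper names below are hypothetical. It renders the classic-format rabbitmq.config and checks, before you restart, that the service user can actually read the three PEM files, since certbot's live/ and archive/ directories are root-only unless you relaxed them.

```python
"""Render a rabbitmq.config for an existing Let's Encrypt certificate and
check that the RabbitMQ service user can read the PEM files.

Added example for this thread, not RabbitMQ's own code. Assumptions (not from
the thread): certbot's /etc/letsencrypt/live/<domain>/ layout, a service user
called 'rabbitmq', and the hypothetical helper names defined here.
"""
import os
import pwd
import stat

LE_LIVE = "/etc/letsencrypt/live"  # certbot default; adjust if yours differs


def render_rabbitmq_config(domain, le_live=LE_LIVE, tls_only=True):
    """Return Erlang-term text for /etc/rabbitmq/rabbitmq.config.

    This is the file that takes the '[{rabbit, [...]}].' structure; the
    rabbitmq-env.conf file is sourced as a shell script and must only hold
    VAR=value lines.  Note the trailing '.' that Erlang requires.
    """
    live = os.path.join(le_live, domain)
    listeners = ["{ssl_listeners, [5671]}"]
    if tls_only:
        # An empty tcp_listeners list removes the plaintext 5672 listener.
        listeners.insert(0, "{tcp_listeners, []}")
    ssl_opts = [
        f'{{cacertfile, "{live}/fullchain.pem"}}',
        f'{{certfile,   "{live}/cert.pem"}}',
        f'{{keyfile,    "{live}/privkey.pem"}}',
        "{verify, verify_peer}",          # same values the thread used
        "{fail_if_no_peer_cert, false}",  # clients need not present a cert
    ]
    body = ",\n".join(
        ["  " + l for l in listeners]
        + ["  {ssl_options, [\n" + ",\n".join("    " + o for o in ssl_opts) + "]}"]
    )
    return "[\n {rabbit, [\n" + body + "\n ]}\n].\n"


READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
EXEC = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _access_for(st, uid, gids, bits):
    """Classic Unix owner/group/other check for one permission class."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    owner_bit, group_bit, other_bit = bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(path, uid, gids):
    """True if uid (member of gids) can open path for reading.

    Follows symlinks first, because certbot's live/*.pem entries point into
    archive/, and every directory on the resolved path must be searchable.
    """
    path = os.path.realpath(path)
    parts = path.split(os.sep)
    cur = os.sep
    for part in parts[1:-1]:
        cur = os.path.join(cur, part)
        if not _access_for(os.stat(cur), uid, gids, EXEC):
            return False
    return _access_for(os.stat(path), uid, gids, READ)


def check_tls_files(domain, le_live=LE_LIVE, uid=None, gids=None):
    """Return a list of problems; an empty list means RabbitMQ can read all
    three files.  Defaults to the local 'rabbitmq' user when uid is omitted."""
    if uid is None:
        try:
            pw = pwd.getpwnam("rabbitmq")
            uid, gids = pw.pw_uid, {pw.pw_gid}
        except KeyError:
            return ["no 'rabbitmq' user on this host; pass uid/gids explicitly"]
    gids = set(gids or ())
    problems = []
    for name in ("fullchain.pem", "cert.pem", "privkey.pem"):
        path = os.path.join(le_live, domain, name)
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
        elif not readable_by(path, uid, gids):
            problems.append(f"{path}: not readable by uid {uid} "
                            "(certbot's live/ and archive/ are root-only by default)")
    return problems


if __name__ == "__main__":
    domain = "xxx.yyy.com"  # placeholder, as in the thread
    print(render_rabbitmq_config(domain))
    for problem in check_tls_files(domain):
        print("WARNING:", problem)
```

Run it once as root on the broker host, paste the printed terms into /etc/rabbitmq/rabbitmq.config, and fix any WARNING lines (for example by giving the rabbitmq user group-read access to the archive directory, or by copying the files out in a certbot deploy hook) before `systemctl restart rabbitmq-server`.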

Travis Griggs

Oct 17, 2016, 5:27:55 PM10/17/16
to rabbitm...@googlegroups.com

> On Oct 17, 2016, at 12:09 PM, Michael Klishin <mkli...@pivotal.io> wrote:
>
> rabbitmq-env.conf is for environment variables and is loaded as a shell script.
>
> See http://www.rabbitmq.com/configure.html.

<lightbulb finally>

I thought it was odd that the commented out lines in rabbitmq-env.conf looked shell scriptish, and I was pasting stuff in there that looked not so much. I think because it looked like a debian/ubuntu provided “fill this out” template, but there is no similar “fill this out” version for just rabbitmq.config, I just stupidly assumed that was the one.

It seems to be working now.

Thanks for your patience helping me.

I’m sure I’ll be back with more questions.
