RabbitMQ with a LetsEncrypt certificate
I have been trying to install my LetsEncrypt generated certificates into my RabbitMQ server but have had no luck.
To test things out without having to fight permission issues I have copied the pem files from
/etc/letsencrypt/live/<domain>/
to my home directory. I also copied the cacert.pem file to my home directory from the location I found it at:
/home/<user>/.local/share/letsencrypt/lib/python2.7/site-packages/requests/cacert.pem
I decided to start by trying to install the certificates on top of the management plugin by editing the rabbitmq.config to add:
{rabbitmq_management,
  [%% Pre-Load schema definitions from the following JSON file. See
   %% http://www.rabbitmq.com/management.html#load-definitions
   %%
   %% {load_definitions, "/path/to/schema.json"},
   %% Log all requests to the management HTTP API to a file.
   %%
   %% {http_log_dir, "/path/to/access.log"},
   %% Change the port on which the HTTP listener listens,
   %% specifying an interface for the web server to bind to.
   %% Also set the listener to use SSL and provide SSL options.
   %%
   {listener, [{port, 12345},
               {ip, "127.0.0.1"},
               {ssl, true},
               {ssl_opts, [{cacertfile, "/home/<user>/cacert.pem"},  %% File pulled from /home/<user>/.local....
                           {certfile, "/home/<user>/cert.pem"},      %% File pulled from /etc/letsencrypt/live/<domain>/cert.pem
                           {keyfile, "/home/<user>/privkey.pem"}]}]} %% File pulled from /etc/letsencrypt/live/<domain>/privkey.pem
However, when attempting to navigate to the management plugin port, my RabbitMQ log files contained a tls_alert:
=ERROR REPORT==== 14-Dec-2015::03:08:05 ===
application: mochiweb
"Accept failed error"
"{error,{tls_alert,\"decode error\"}}"
Am I using the correct files or is there perhaps a deeper issue I am running into?
UPDATE Certificate Generation Details: Let's Encrypt was installed by cloning the git repository at:
git clone https://github.com/letsencrypt/letsencrypt
Certificate Creation Details: The server certificate was created and installed using the Let's Encrypt tool suite with the following command.
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory -d <domain>
Note that it is a subdomain certificate, e.g. xxxx.domain.com.
UPDATE 2 I have verified that the certificates are valid and working for the AMQPS portion of the problem. I have modified the main config option to contain:
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "/etc/rabbitmq/chain1.pem"},
               {certfile, "/etc/rabbitmq/cert1.pem"},
               {keyfile, "/etc/rabbitmq/privkey1.pem"},
               {verify, verify_none},
               {fail_if_no_peer_cert, false}]}
See the attached image for a screenshot of the SSL-enabled Pika clients.
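For reference, here is a complete rabbitmq.config that applies the file layout the asker arrived at in UPDATE 2 to both listeners. This is an added example, not the asker's own configuration: it assumes the Let's Encrypt files (cert.pem, chain.pem, privkey.pem from /etc/letsencrypt/live/<domain>/) have been copied to /etc/rabbitmq/ and are readable by the user RabbitMQ runs as, and it reuses the asker's management port and bind address. The point it illustrates is that cacertfile must be the chain that issued the server certificate (Let's Encrypt's chain.pem), not a general-purpose client CA bundle such as the requests/cacert.pem file used in the first attempt.

```erlang
%% Added example configuration (not from the original question).
%% Assumes cert.pem, chain.pem and privkey.pem were copied from
%% /etc/letsencrypt/live/<domain>/ to /etc/rabbitmq/ and are readable
%% by the rabbitmq user.
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {ssl_options, [
     %% The CA chain that issued cert.pem, i.e. Let's Encrypt's chain.pem.
     %% A generic client CA bundle (e.g. requests/cacert.pem) does not
     %% describe this server's certificate and is the wrong file here.
     {cacertfile, "/etc/rabbitmq/chain.pem"},
     {certfile,   "/etc/rabbitmq/cert.pem"},
     {keyfile,    "/etc/rabbitmq/privkey.pem"},
     %% Server-only authentication: clients are not asked for a certificate.
     {verify, verify_none},
     {fail_if_no_peer_cert, false}
   ]}
 ]},
 {rabbitmq_management, [
   {listener, [
     {port, 12345},
     {ip, "127.0.0.1"},
     {ssl, true},
     %% Same three files as the AMQP listener above.
     {ssl_opts, [
       {cacertfile, "/etc/rabbitmq/chain.pem"},
       {certfile,   "/etc/rabbitmq/cert.pem"},
       {keyfile,    "/etc/rabbitmq/privkey.pem"}
     ]}
   ]}
 ]}
].
```

Before restarting the broker, two quick checks rule out file mix-ups: `openssl verify -CAfile /etc/rabbitmq/chain.pem /etc/rabbitmq/cert.pem` should print `OK`, and the output of `openssl x509 -noout -modulus -in /etc/rabbitmq/cert.pem` must match `openssl rsa -noout -modulus -in /etc/rabbitmq/privkey.pem`, otherwise the key does not belong to the certificate. Note also that because the certificate is issued for xxxx.domain.com, a browser opening https://127.0.0.1:12345/ will report a hostname mismatch even when the TLS setup is correct; test with the subdomain name or expect that warning.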
Solution 1:
There really is an issue with RabbitMQ 3.2.4.
I did exactly the same configuration (as you did, at least the SSL part) on Ubuntu 14.04 (RabbitMQ 3.2.4 and Erlang 16.b3) and Ubuntu 15.10 or CentOS 7 (having RabbitMQ 3.5.4 and Erlang 18.0).
I got it working in 3.5.4 and not in 3.2.4: {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}. I can't find any bug report opened yet, but it's surely an issue linked to the management plugin, as the certificates work perfectly in the more recent version.