Enabling TLS connections for a RabbitMQ container
Recently a partner, for security reasons, enabled TLS on the RabbitMQ broker that integrates with us, moving the connection from port 5672 to port 5671. I assumed this would be a simple adjustment, but unexpectedly our application side fell over completely. To get to the bottom of the problem, the first step is to reproduce the environment, so here is a record of how to enable TLS connections for a RabbitMQ container.
Environment
- macOS Sonoma 14.3 (Apple M2 Pro)
- OrbStack Version 1.3.0 (16556)
- OpenSSL 3.1.3 19 Sep 2023 (Library: OpenSSL 3.1.3 19 Sep 2023)
Container images
- rabbitmq:3.12.12-management
Setup
Create the TLS certificates
Create the CA private key
```bash
openssl genrsa -out ca.key.pem 4096
```
Create the CA certificate
```bash
openssl req -x509 -new -key ca.key.pem -subj "/C=TW/ST=TAIWAN/O=yowko" -sha256 -days 365 -out ca.cert.pem
```
Create the server private key
```bash
openssl genrsa -out server.key.pem 4096
```
Create the CSR (Certificate Signing Request)
```bash
openssl req -new -key server.key.pem -sha256 -out server.csr.pem
```
Sign the CSR with the CA certificate and private key to produce the server certificate
```bash
openssl x509 -req -in server.csr.pem -CA ca.cert.pem -CAkey ca.key.pem -sha256 -days 365 -out server.cert.pem
```
Check that the server certificate is valid
```bash
openssl verify -CAfile ca.cert.pem server.cert.pem
```
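As an added example (not the original post's commands), the CA, CSR and signing steps above collected into one non-interactive script, going slightly beyond the post in one respect that a client verifying the broker's certificate cares about: the server certificate gets a CN and a subjectAltName matching the hostname clients connect to. The hostname `rabbitmq` is assumed from the docker-compose.yml further down; the subject fields, file names and the `example-ca` CN are likewise assumptions. Besides `openssl verify`, the script shows the name check a verifying client performs, which passes for `rabbitmq` and fails for any other name.

```bash
#!/bin/sh
# Added example, not the original post's script: same CA -> CSR -> signed server
# certificate flow, fully non-interactive, with a CN and a SAN that match the
# hostname clients will connect to. Hostname "rabbitmq" and all subject values
# are assumptions taken from (or constructed for) this post.
set -eu

# make_chain OUTDIR HOSTNAME: writes ca.key.pem, ca.cert.pem, server.key.pem,
# server.csr.pem and server.cert.pem into OUTDIR.
make_chain() {
  mkdir -p "$1"
  # CA key and self-signed CA certificate (the CN is a constructed placeholder)
  openssl genrsa -out "$1/ca.key.pem" 4096 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key.pem" \
    -subj "/C=TW/ST=TAIWAN/O=yowko/CN=example-ca" \
    -sha256 -days 365 -out "$1/ca.cert.pem"
  # server key and CSR; -subj supplies the subject so no prompt appears
  openssl genrsa -out "$1/server.key.pem" 4096 2>/dev/null
  openssl req -new -key "$1/server.key.pem" \
    -subj "/C=TW/ST=TAIWAN/O=yowko/CN=$2" \
    -sha256 -out "$1/server.csr.pem"
  # leaf extensions: SAN for hostname checks, serverAuth EKU, not a CA
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$2" \
    > "$1/server.ext"
  # sign the CSR with the CA; -CAcreateserial creates the serial file on first use
  openssl x509 -req -in "$1/server.csr.pem" \
    -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" -CAcreateserial \
    -extfile "$1/server.ext" -sha256 -days 365 -out "$1/server.cert.pem" 2>/dev/null
}

# verify_chain OUTDIR: does the server certificate chain to the CA? (exit 0 = yes)
verify_chain() {
  openssl verify -CAfile "$1/ca.cert.pem" "$1/server.cert.pem" >/dev/null
}

# cert_matches_host OUTDIR HOSTNAME: would a hostname-verifying client accept it?
# openssl prints "Hostname: X does match certificate" or "... does NOT match ...".
cert_matches_host() {
  openssl x509 -in "$1/server.cert.pem" -noout -checkhost "$2" | grep -q ' does match '
}

# Stand-alone demo: sh make-chain.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_chain "$dir" rabbitmq
  verify_chain "$dir" && echo "chain: ok"
  cert_matches_host "$dir" rabbitmq && echo "hostname rabbitmq: ok"
  cert_matches_host "$dir" localhost || echo "hostname localhost: rejected (no SAN for it)"
  echo "certificates written to $dir"
fi
```

Copy the three PEM files the script produces into the `./ssl` directory that docker-compose mounts at `/etc/rabbitmq/ssl`; a client that connects to a name other than the one in the SAN (for example `localhost` from the host machine) will fail hostname verification even though the chain itself is valid.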
RabbitMQ configuration
rabbitmq.conf
```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.cert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
```
docker-compose.yml
```yaml
version: '3.8'
services:
  rabbitmq:
    image: rabbitmq:3.12.12-management
    container_name: rabbitmq
    hostname: rabbitmq
    volumes:
      - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
      - ./ssl:/etc/rabbitmq/ssl
    environment:
      - RABBITMQ_DEFAULT_VHOST=/
      - RABBITMQ_DEFAULT_USER=admin
      - RABBITMQ_DEFAULT_PASS=pass.123
    ports:
      - "5671:5671"
      - "5672:5672"
      - "15672:15672"
```
Takeaways
Looking back now, the process is not complicated, but along the way I wanted to do everything directly from the command line and skip the interactive prompts. That idea cost me quite a bit of time, for the following reasons:
- Adding a subject to the CSR means it no longer prompts for a password (I would still like password protection)
- Adding a subject to the CSR makes verification fail (I do not know why; the conclusion is that it cannot be used)
Skipping the CSR and creating the server certificate directly also fails verification
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```
Compared with openssl, the RabbitMQ side is much simpler: everything is set in rabbitmq.conf. One thing to note is that the RabbitMQ config comes in an old and a new format, and the new one is visually much leaner. Here are the same settings in both formats for comparison:
New format (extension: .conf)
```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.cert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
```
Old format (extension: .config)
```erlang
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/ca.cert.pem"},
                   {certfile,"/etc/rabbitmq/ssl/server.cert.pem"},
                   {keyfile,"/etc/rabbitmq/ssl/server.key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]}
].
```
Author: Yowko Tsai
Last updated: 2024-01-30
License
All article content on this blog (Yowko's Notes), including images, may only be reproduced after notifying and obtaining the consent of the blog author (Yowko Tsai), and every reproduction must credit the source and the author.
Yowko's Notes by Yowko Tsai is released under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Taiwan license.