# enable the RabbitMQ TLS (amqps) listener
rabbitmq::ssl: true
rabbitmq::ssl_cert: "%{::pki_public_dir}/mydomain.com.pem"
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
rabbitmq::ssl_key: "%{::pki_private_dir}/mydomain.com.key"
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't require client certificates (no mutual TLS); only the broker is authenticated
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false
One caveat: if the key file is mode 0400 and owned by another account (typically root), as it should be, the rabbitmq user that RabbitMQ runs as cannot read the private key and TLS connections will fail. Do not work around this by setting 0444, which leaves the private key readable by every local user; give the rabbitmq account read access instead, either by making rabbitmq the owner and keeping 0400, or by keeping root ownership with group rabbitmq and mode 0440, so that no other account can read it. Separately, TLS 1.1 is deprecated, so unless you still have clients that need it, list only tlsv1.2 in rabbitmq::ssl_versions (and tlsv1.3 where the Erlang/OTP release supports it).
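As an added example (not code from the page or from the puppet-rabbitmq module), the following POSIX shell script installs the key with group read for the service account instead of 0444, and then checks that the key is not world-readable, that the service account can open it, and that it matches the certificate. The service user and group name rabbitmq, the directory /etc/rabbitmq/ssl, GNU coreutils (install, stat) and the openssl CLI are all assumptions of this example, not facts from the page.

```sh
#!/bin/sh
# Added example, not code from the original page or the puppet-rabbitmq module.
# Installs a TLS private key so the RabbitMQ service account can read it at
# mode 0440 (owner + service group) instead of world-readable 0444, then checks.
# Assumptions: service user/group "rabbitmq", key directory /etc/rabbitmq/ssl,
# GNU coreutils (install, stat) and the openssl CLI. All are overridable below.
set -eu

RMQ_USER="${RMQ_USER:-rabbitmq}"
RMQ_GROUP="${RMQ_GROUP:-rabbitmq}"
KEY_DIR="${KEY_DIR:-/etc/rabbitmq/ssl}"

# Octal permission bits of a file, e.g. "440" (GNU stat syntax).
file_mode() {
  stat -c '%a' "$1"
}

# Copy the key into place: directory 0750 and key 0440, owned by the invoking
# user (root in production) with the service group, so only that owner and
# members of the service group can read it.
install_private_key() {
  src="$1"
  dest="$2"
  install -d -m 0750 -o "$(id -un)" -g "$RMQ_GROUP" "$(dirname "$dest")"
  install -m 0440 -o "$(id -un)" -g "$RMQ_GROUP" "$src" "$dest"
}

# Succeeds when the "other" class has no read bit (a 0444 key fails here).
not_world_readable() {
  mode=$(file_mode "$1")
  [ $(( (mode % 10) & 4 )) -eq 0 ]
}

# Succeeds when the service account itself can open the key; uses sudo only
# when the script is not already running as that account.
readable_by_service_user() {
  if [ "$(id -un)" = "$RMQ_USER" ]; then
    [ -r "$1" ]
  else
    sudo -u "$RMQ_USER" test -r "$1"
  fi
}

# Succeeds when the certificate's public key equals the public half of the
# private key (works for RSA and EC keys).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Full check for an installed key: private to owner + service group, yet
# readable by the account that RabbitMQ runs as.
check_installed_key() {
  not_world_readable "$1" && readable_by_service_user "$1"
}

# Usage: install_key.sh /path/to/mydomain.com.key [/path/to/mydomain.com.pem]
if [ $# -ge 1 ]; then
  target="$KEY_DIR/$(basename "$1")"
  install_private_key "$1" "$target"
  check_installed_key "$target"
  [ $# -ge 2 ] && cert_matches_key "$2" "$target"
  echo "installed $target with mode $(file_mode "$target")"
fi
```

Run it as root on the broker host; the permission check is the one to keep in a post-deploy test, since a key that RabbitMQ cannot read and a key everyone can read are both failures.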
An alternative is to put NGINX (its stream module) in front of RabbitMQ as a TLS-terminating TCP proxy, so that only the nginx worker needs to read the private key; the hop from NGINX to RabbitMQ is then plaintext and should stay on localhost or a trusted network.
The cipher suites the node's Erlang runtime supports can be listed, in Erlang tuple form and in OpenSSL naming respectively, with:
$ sudo rabbitmqctl eval 'ssl:cipher_suites().'
$ sudo rabbitmqctl eval 'ssl:cipher_suites(openssl).'
These zero- and one-argument forms are deprecated in newer Erlang/OTP releases in favour of a two-argument ssl:cipher_suites that takes a suite class and a TLS version; note that the rabbitmq::ssl_ciphers entry above uses the Erlang tuple spelling (without braces), not the OpenSSL names.
More information is available in the RabbitMQ docs.