@naftulikay
Last active September 22, 2016 23:44
RabbitMQ TLS Config in Puppet/Hiera

# enable the rabbitmq ssl listener
rabbitmq::ssl: true
rabbitmq::ssl_cert: "%{::pki_public_dir}/mydomain.com.pem"
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
rabbitmq::ssl_key: "%{::pki_private_dir}/mydomain.com.key"
# protocol versions offered to clients; anything older is refused
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
# cipher suites in Erlang {key_exchange, cipher, mac} notation
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't use client ssl certificates
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false

The only caveat is that if your key file is mode 0400, as it should be, the rabbitmq user that the RabbitMQ server runs as does not have read access to the private key. At the time of writing there is no known workaround other than setting the mode to 0444.
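To see exactly who can read a key file under a given mode before settling on one, here is an added check (not part of the gist) that reads only the inode metadata and reports whether a given service account can read the key and whether the file is readable beyond its owner. The service account is resolved from a name such as "rabbitmq"; the sample key file it creates is a constructed placeholder, not a real key.

```python
import grp
import os
import pwd
import stat
import tempfile


def resolve_identity(service_user):
    """Map an account name (e.g. "rabbitmq") to (uid, set of gids)."""
    pw = pwd.getpwnam(service_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if service_user in g.gr_mem}
    return pw.pw_uid, gids


def caller_identity():
    """Identity of the running process; used so the demo needs no extra accounts."""
    return os.getuid(), {os.getgid(), *os.getgroups()}


def key_file_findings(path, uid, gids):
    """Evaluate the mode bits of `path` against the service identity (uid, gids)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    readable = (
        (st.st_uid == uid and mode & stat.S_IRUSR)
        or (st.st_gid in gids and mode & stat.S_IRGRP)
        or mode & stat.S_IROTH
    )
    return {
        "mode": oct(mode),
        "service_can_read": bool(readable),
        "world_readable": bool(mode & stat.S_IROTH),
        # owner-only access is the target for a private key (0400 or 0600)
        "owner_only": not mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH),
    }


def write_sample_key(mode):
    """Create a placeholder key file (constructed content, not a real key) with `mode`."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.write(fd, b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    uid, gids = caller_identity()
    for mode in (0o400, 0o444):
        key = write_sample_key(mode)
        print(oct(mode), key_file_findings(key, uid, gids))
        os.unlink(key)
```

Run against the real key with `resolve_identity("rabbitmq")` as the identity; a 0400 file reports `service_can_read: True` only when the rabbitmq account owns it, while 0444 reports `world_readable: True` for any owner.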

It may be possible to stand up NGINX in front of RabbitMQ as a proxy that handles TLS termination.

The available cipher suites, in Erlang and in OpenSSL notation respectively, can be listed via:

$ sudo rabbitmqctl eval 'ssl:cipher_suites().'
$ sudo rabbitmqctl eval 'ssl:cipher_suites(openssl).'

More information is available in the RabbitMQ docs.
