
RabbitMQ TLS Config in Puppet/Hiera

# enable rabbitmq ssl port (the TLS listener, 5671 by default)
rabbitmq::ssl: true
# server certificate, resolved from the pki_public_dir fact
rabbitmq::ssl_cert: "%{::pki_public_dir}/"
# CA bundle (cacertfile): chain building and, when enabled, peer verification
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
# private key, resolved from the pki_private_dir fact (see the permission caveat below)
rabbitmq::ssl_key: "%{::pki_private_dir}/"
# protocol versions the listener will negotiate
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
# each entry becomes an Erlang {key_exchange, cipher, mac} suite tuple
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't use client ssl certificates
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false

The only caveat is that if your key file is 0400 (and it should be), the rabbitmq user that RabbitMQ runs as does not have read access to the private key. No known workaround at the time of writing other than setting 0444.
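As an added example (not part of the gist), the following Python reads the Hiera fragment above with a small stdlib-only reader, so PyYAML is not required, and flags the settings a reviewer would question: TLS 1.1 still offered, a CBC suite, verify_none, and certificate/key values that end in a directory separator. It also models the key-file caveat as a plain POSIX read-permission check for the rabbitmq service user. The `parse_hiera`, `lint_tls` and `user_can_read` functions, the "ecdhe/dhe means forward secrecy" and "cbc means non-AEAD" heuristics, and the sample input are all assumptions of this example, not puppet-rabbitmq's own code.

```python
import re

# Constructed copy of the Hiera fragment from this gist, used as sample input.
HIERA_SAMPLE = """\
# enable rabbitmq ssl port
rabbitmq::ssl: true
rabbitmq::ssl_cert: "%{::pki_public_dir}/"
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
rabbitmq::ssl_key: "%{::pki_private_dir}/"
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't use client ssl certificates
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false
"""

# One item of a YAML flow sequence: single-quoted, double-quoted, or bare.
_FLOW_ITEM = re.compile(r"""'([^']*)'|"([^"]*)"|([^,\s][^,]*)""")


def _scalar(text):
    """Strip YAML quotes and map the two booleans; everything else stays a string."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return {"true": True, "false": False}.get(text, text)


def _value(text):
    """Parse a scalar or a one-line flow sequence such as [a, 'b,c']."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        return [_scalar(next(g for g in m.groups() if g is not None))
                for m in _FLOW_ITEM.finditer(text[1:-1])]
    return _scalar(text)


def parse_hiera(text):
    """Read flat 'key: value' Hiera lines (keys contain '::', so split on ': ')."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            data[key.strip()] = _value(value)
    return data


def lint_tls(cfg):
    """Return review findings for the puppet-rabbitmq ssl_* keys (assumed heuristics)."""
    findings = []
    if cfg.get("rabbitmq::ssl") is not True:
        findings.append("rabbitmq::ssl is not true: no TLS listener")
    for version in cfg.get("rabbitmq::ssl_versions", []):
        if version not in ("tlsv1.2", "tlsv1.3"):
            findings.append(f"legacy protocol version offered: {version}")
    for suite in cfg.get("rabbitmq::ssl_ciphers", []):
        # puppet-rabbitmq renders each string as an Erlang {KeyExchange, Cipher, Mac} tuple
        parts = suite.split(",")
        kx, cipher = parts[0], (parts[1] if len(parts) > 1 else "")
        if not kx.startswith(("ecdhe", "dhe")):
            findings.append(f"no forward secrecy in suite: {suite}")
        if "cbc" in cipher:
            findings.append(f"CBC (non-AEAD) cipher in suite: {suite}")
    if cfg.get("rabbitmq::ssl_verify") == "verify_none":
        findings.append("ssl_verify is verify_none: client certificates are never checked")
    for key in ("rabbitmq::ssl_cert", "rabbitmq::ssl_key"):
        if str(cfg.get(key, "")).endswith("/"):
            findings.append(f"{key} ends in '/': no certificate or key file name given")
    return findings


def user_can_read(mode, owner, group, user, user_groups):
    """POSIX read-permission model for the key-file caveat: owner bits apply
    if `user` owns the file, else group bits if `user` is in the file's group,
    else the 'other' bits. `mode` is the octal permission, e.g. 0o400."""
    if user == owner:
        return bool(mode & 0o400)
    if group in user_groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


if __name__ == "__main__":
    for finding in lint_tls(parse_hiera(HIERA_SAMPLE)):
        print("finding:", finding)
    # The caveat: a 0400 key owned by root is unreadable by the service user.
    print("rabbitmq reads root-owned 0400 key:",
          user_can_read(0o400, "root", "root", "rabbitmq", {"rabbitmq"}))
    # Group-readable to the rabbitmq group avoids making the key world-readable.
    print("rabbitmq reads root:rabbitmq 0440 key:",
          user_can_read(0o440, "root", "rabbitmq", "rabbitmq", {"rabbitmq"}))
```

Run it directly to see the findings for the fragment above; the permission model is only the POSIX rule, so it shows which owner/group/mode combinations let the service user read the key without the file being world-readable, and it says nothing about how Puppet manages that file.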

It may be possible to just stand up NGINX in front of RabbitMQ as a proxy and TLS termination point.

The cipher suites supported by the node's Erlang ssl application (as Erlang tuples, and in OpenSSL naming) can be listed via:

$ sudo rabbitmqctl eval 'ssl:cipher_suites().'
$ sudo rabbitmqctl eval 'ssl:cipher_suites(openssl).'

More information is available in the RabbitMQ docs.
