I have been trying to install my Let's Encrypt generated certificates into my RabbitMQ server but have had no luck.

To test things out without having to fight permission issues I have copied the pem files from

/etc/letsencrypt/live/<domain>/

to my home directory. I also copied the cacert.pem file to my home directory from the location I found it at:

/home/<user>/.local/share/letsencrypt/lib/python2.7/site-packages/requests/cacert.pem

I decided to start by trying to install the certificates on top of the management plugin by editing the rabbitmq.config to add

{rabbitmq_management,
  [%% Pre-Load schema definitions from the following JSON file. See
   %% http://www.rabbitmq.com/management.html#load-definitions
   %%
   %% {load_definitions, "/path/to/schema.json"},
   %% Log all requests to the management HTTP API to a file.
   %%
   %% {http_log_dir, "/path/to/access.log"},
   %% Change the port on which the HTTP listener listens,
   %% specifying an interface for the web server to bind to.
   %% Also set the listener to use SSL and provide SSL options.
   %%
    {listener, [{port,     12345},
                {ip,       "127.0.0.1"},
                {ssl,      true},
                {ssl_opts, [{cacertfile, "/home/<user>/cacert.pem"},  %% File pulled from /home/<user>/.local....
                            {certfile,   "/home/<user>/cert.pem"}, %% File pulled from /etc/letsencrypt/live/<domain>/cert.pem
                            {keyfile,    "/home/<user>/privkey.pem"}]}]}  %% File pulled from /etc/letsencrypt/live/<domain>/privkey.pem
  ]}

However, when attempting to navigate to the management plugin port, my RabbitMQ log files contained a tls_alert:

=ERROR REPORT==== 14-Dec-2015::03:08:05 ===
    application: mochiweb
    "Accept failed error"
    "{error,{tls_alert,\"decode error\"}}"

Am I using the correct files or is there perhaps a deeper issue I am running into?

UPDATE: Certificate Generation Details. Let's Encrypt was installed by cloning the git repository at:

git clone https://github.com/letsencrypt/letsencrypt

Certificate Creation Details. The server certificate was created and installed using the Let's Encrypt tool suite with the following command:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory -d <domain>

Note that it is a subdomain certificate, e.g. xxxx.domain.com.

UPDATE 2: I have verified that the certificates are valid and working for the AMQPS portion of the problem. I have modified the main config option to contain:

   {ssl_listeners, [5671]},

   {ssl_options, [{cacertfile,           "/etc/rabbitmq/chain1.pem"},
                   {certfile,             "/etc/rabbitmq/cert1.pem"},
                   {keyfile,              "/etc/rabbitmq/privkey1.pem"},
                   {verify,               verify_none},
                   {fail_if_no_peer_cert, false}]}

See attached image for a screenshot of the SSL enabled Pika clients.

Brian Cain
  • Can you provide the way you generated the certificate files please? Just in case. Did you try setting up this cert in a webserver for example, just for test purposes? – Pierre-Alain TORET Dec 14 '15 at 09:24
  • @pat I have updated the original question to include the details on how the certificates and keys were all generated. To address your second question, yes. The server running the RabbitMQ instance also runs a web server on which I have verified the validity of the certificate. – Brian Cain Dec 14 '15 at 15:49
  • Thank you, I will try later with my letsencrypt certs. I'll get back to you. – Pierre-Alain TORET Dec 15 '15 at 13:13
  • Have you tried testing the certs using the openssl tools? The RabbitMQ docs contain very good resources on how to do this: https://www.rabbitmq.com/troubleshooting-ssl.html – Andrew Dec 18 '15 at 08:33
  • I have not. I will try to verify that tonight and get back to you with the results. – Brian Cain Dec 19 '15 at 17:41
  • @Andrew I have switched from the management plugin to trying the certificates with the AMQPS clients. The certificates, and keys appear to work for AMQPS. This leads me to believe it is a problem with the RabbitMQ Management browser. I will update the original question to reflect the updated information. – Brian Cain Dec 20 '15 at 21:19
  • Hello Brian, I did try with mine and it's working, so I guess we'll have to start by comparing the versions of RabbitMQ. I've installed mine from EPEL on CentOS 7 in version 3.3.5. In the config file I have the ssl options in the rabbit part (beginning of the file, with verify_peer and fail_if_no_peer_cert set to false). Then in the rabbitmq_management part I only have a listener with port, ip and ssl set to true, no ssl_opts, as it uses the ones defined higher up in the file. – Pierre-Alain TORET Dec 21 '15 at 16:19
  • @pat I am running RabbitMQ 3.2.4, Erlang R16B03, as reported by the management plugin, so there is a difference. This one seems likely as I have the certificates working for AMQPS. Other research I've done says that it may be a problem with Ubuntu and Erlang; what version of Erlang are you running? I am fairly sure I have tried setting my configuration similar to yours while debugging (using the inherited ssl_opts), but will test to verify and report back. – Brian Cain Dec 21 '15 at 16:38
  • I'll try my certs on Ubuntu. Which release do you use? I'll tell you later for Erlang, I don't have server access now. – Pierre-Alain TORET Dec 21 '15 at 18:03
  • Okay, there really is an issue with RabbitMQ 3.2.4. I did exactly the same on Ubuntu 14.04 (having RMQ 3.2.4 and Erlang 16.b3) and 15.10 (having RMQ 3.5.4 and Erlang version 18.0). I get it working in 3.5.4 and not in 3.2.4: `{mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}`. Do you have the ability to try on another Ubuntu version? – Pierre-Alain TORET Dec 21 '15 at 19:49
  • To verify, I am running Ubuntu 14.04: `cat /etc/lsb-release` gives `DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"`. I will have to build an Ubuntu 15.10 VM to test on, I do not have one handy at this time. I should be able to get to that tomorrow. – Brian Cain Dec 21 '15 at 20:07
  • @pat I have verified the process works for me using Ubuntu 15.04 and RabbitMQ 3.5.4, Erlang 17.3. I was able to successfully install the certificates and have my browser verify the domain. It does appear to be a bug with either the version of Ubuntu or the version of RabbitMQ being used. Is it possible to have you write that up as an answer so that I can mark this question closed and award you the bounty? – Brian Cain Dec 22 '15 at 19:03
  • Glad to read you've overcome the issue :) – Pierre-Alain TORET Dec 22 '15 at 21:31
  • In case anyone wants to use the certs right from the `/etc/letsencrypt/` folder (without having to copy them and also leaving them setup for easy renewals), all you need to do is give the rabbitmq group access to the folder where the certs are stored. In my case, the server is single purpose, so I just gave permissions to the entire folder with the following commands: `sudo setfacl -dR -m g:rabbitmq:rwX /etc/letsencrypt` and `sudo setfacl -R -m g:rabbitmq:rwX /etc/letsencrypt`. – EricWasTaken Oct 12 '17 at 02:56
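As an added example, not code from the question, the answer or the RabbitMQ project: a POSIX shell script using only the openssl command line (the tooling Andrew's comment points to) that checks the Let's Encrypt files before they are referenced from ssl_options or ssl_opts. It confirms that certfile and keyfile belong together, that cert.pem chains through chain.pem to a trusted root (a browser root bundle such as requests' cacert.pem is not a substitute for the issuing chain), prints the names in the certificate so the subdomain can be compared with what clients connect to, and can handshake against a running listener. The host name rabbit.example.test, the throw-away CA and all file names under the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Pre-flight checks for
# the PEM files before RabbitMQ's ssl_options / ssl_opts point at them, using
# only the openssl command line. File roles follow the Let's Encrypt layout in
# /etc/letsencrypt/live/<domain>/ (cert.pem, chain.pem, privkey.pem); every
# path is passed in as an argument.

# check_pair CERT KEY
# Succeeds when the public key inside CERT equals the public key derived from
# KEY, i.e. certfile and keyfile belong together. A mismatched pair is
# rejected by the TLS stack, so this is the first thing to rule out.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_chain CERT CHAIN [ROOT]
# Succeeds when CERT chains through the intermediates in CHAIN to a trusted
# root. Without ROOT the system trust store is used (the real-world case for
# chain.pem); with ROOT only that file is trusted (used with the constructed
# PKI below). Browser root bundles are roots only and do not supply the
# issuing intermediate that a server must send to clients.
check_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# cert_names CERT
# Prints subject, issuer and validity so the (sub)domain in the certificate
# can be compared with the host name clients will use.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer -dates 2>/dev/null
}

# check_listener HOST PORT CHAIN
# Handshakes against a running listener (5671 for AMQPS, or the management
# plugin port) and requires the chain it presents to verify against CHAIN.
# Drop the grep to see the full s_client output, including any TLS alert.
check_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# make_test_pki DIR
# Constructed material for running the checks offline: a throw-away root CA,
# a leaf certificate for a made-up host, an unrelated CA and an unrelated key.
# The inline config avoids depending on the system openssl.cnf.
make_test_pki() {
    dir=$1
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    for ca in ca other_ca; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $ca" -keyout "$dir/$ca.key" -out "$dir/$ca.pem" 2>/dev/null
    done
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=rabbit.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
}
```

Against real files the calls are `check_pair cert.pem privkey.pem`, `check_chain cert.pem chain.pem` (system roots) and, once the broker is up, `check_listener <domain> 5671 chain.pem`. Note that the `verify` and `fail_if_no_peer_cert` options in the question's second configuration govern whether the broker checks client certificates; they do not affect whether the broker's own chain is valid, which is what these checks cover.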

1 Answer

There really is an issue with RabbitMQ 3.2.4.

I did exactly the same configuration (as you did, at least the SSL part) on Ubuntu 14.04 (RabbitMQ 3.2.4 and Erlang 16.b3) and on Ubuntu 15.10 or CentOS 7 (having RabbitMQ 3.5.4 and Erlang 18.0).

I get it working in 3.5.4 and not in 3.2.4: {mochiweb_socket_server,295,{acceptor_error,{error,accept_failed}}}. I can't find any bug report opened yet, but it's surely an issue linked to the management plugin, as the certificates work perfectly in the more recent version.

Pierre-Alain TORET