I have been trying to install my LetsEncrypt generated certificates into my rabbitmq server but have had no luck.
To test things out with out having to fight permission issues I have copied the pem files from
/etc/letsencrypt/live/<domain>/
to my home directory. I also copied the cacert.pem file to my home directory from the location I found it at:
/home/<user>/.local/share/letsencrypt/lib/python2.7/site-packages/requests/cacert.pem
I decided to start by trying to install the certificates on top of the management plugin by editing the rabbitmq.config to add
{rabbitmq_management,
[%% Pre-Load schema definitions from the following JSON file. See
%% http://www.rabbitmq.com/management.html#load-definitions
%%
%% {load_definitions, "/path/to/schema.json"},
%% Log all requests to the management HTTP API to a file.
%%
%% {http_log_dir, "/path/to/access.log"},
%% Change the port on which the HTTP listener listens,
%% specifying an interface for the web server to bind to.
%% Also set the listener to use SSL and provide SSL options.
%%
{listener, [{port, 12345},
{ip, "127.0.0.1"},
{ssl, true},
{ssl_opts, [{cacertfile, "/home/<user>/cacert.pem"}, %% File pulled from /home/<user>/.local....
{certfile, "/home/<user>/cert.pem"}, %% File pulled from /etc/letsencrypt/live/<domain>/cert.pem
{keyfile, "/home/<user>/privkey.pem"}]}]} %% File pulled from /etc/letsencrypt/live/<domain>/privkey.pem
However when attempting to navigate to the management plugin port my rabbitmq log files contained a tls_alert
=ERROR REPORT==== 14-Dec-2015::03:08:05 ===
application: mochiweb
"Accept failed error"
"{error,{tls_alert,\"decode error\"}}"
Am I using the correct files or is there perhaps a deeper issue I am running into?
UPDATE Certificate Generation Details: Lets encrypt was installed by cloning the git repository at:
git clone https://github.com/letsencrypt/letsencrypt
Certificate Creation Details. The server certificate was created and installed using the Lets Encrypt tool suite with the following command.
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory -d <domain>
A note is that it is a sub domain certificate. E.g., xxxx.domain.com.
UPDATE 2 I have verified that the certificates are valid and working for the AMQPS portion of the problem. I have modified the main config option to contain
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "/etc/rabbitmq/chain1.pem"},
{certfile, "/etc/rabbitmq/cert1.pem"},
{keyfile, "/etc/rabbitmq/privkey1.pem"},
{verify, verify_none},
{fail_if_no_peer_cert, false}]}
See attached image for screen shot of the SSL enabled Pika clients