生成SSL证书
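#!/usr/bin/env bash
# Create a private root CA and a server certificate for RabbitMQ, then
# install the PEM files where rabbitmq.conf's ssl_options.* settings expect
# them.
#
# Inputs (edit the assignments below before running):
#   HOSTNAME / IP_ADDR  - names written into the server certificate's SAN
#   JKS_PASSWORD        - password of the server keystore (mq.jks)
#   CA_PASSWORD         - password of the CA keystore (ca.jks)
#   CA_DIR              - where ca.jks and ca.pem are kept (root-only)
#   ETC_DIR / SSL_DIR   - RabbitMQ config dir and the ssl/ subdir written to
# Outputs: ${SSL_DIR}/cacert.pem, cert.pem, key.pem, owned by rabbitmq.
# Requires: keytool (JDK), openssl, and root (writes under /etc, chowns).
set -euo pipefail

HOSTNAME="xxx"             # NOTE: shadows bash's own $HOSTNAME within this script
IP_ADDR="192.168.1.2"
JKS_PASSWORD="changeme."   # change both passwords before use
CA_PASSWORD="changeme."
CA_DIR="/root/certs"
ETC_DIR="/etc/rabbitmq"
SSL_DIR="${ETC_DIR}/ssl"

# Directories first, with the caller's normal umask, so a freshly created
# ${SSL_DIR} stays traversable by the service account.
mkdir -p -- "${CA_DIR}" "${SSL_DIR}"

# Everything written from here on contains or protects private key material:
# create it owner-only and relax permissions explicitly at the end.
umask 077

# Hand the passwords to keytool/openssl through the environment rather than
# argv so they do not show up in `ps` output for other local users.
export CA_PASSWORD JKS_PASSWORD

# Scratch space for the CSR, the signed cert and the PKCS#12 keystore:
# unpredictable name, mode 0700, removed on every exit path.
TMP_DIR="$(mktemp -d)"
cleanup() { rm -rf -- "${TMP_DIR:?}"; }
trap cleanup EXIT

# Root CA. Re-runs reuse an existing ca.jks instead of failing on the
# duplicate alias, so already-issued certificates keep validating.
if [[ ! -f "${CA_DIR}/ca.jks" ]]; then
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 4096 \
    -keystore "${CA_DIR}/ca.jks" -storetype PKCS12 \
    -ext "SAN:c=DNS:${HOSTNAME},IP:${IP_ADDR}" -ext bc:c \
    -storepass:env CA_PASSWORD -dname "CN=RabbitMQ,OU=MyCompany" \
    -startdate -7d -validity 3650 -noprompt
fi
keytool -exportcert -alias rootca -keystore "${CA_DIR}/ca.jks" \
  -storepass:env CA_PASSWORD -rfc -file "${CA_DIR}/ca.pem"

# Server key pair and CSR, signed by the CA with a SAN covering loopback
# plus the configured hostname/IP.
keytool -genkeypair -alias mq -keyalg RSA -keysize 4096 \
  -keystore "${TMP_DIR}/mq.jks" -storetype PKCS12 \
  -storepass:env JKS_PASSWORD -keypass:env JKS_PASSWORD \
  -dname "CN=${HOSTNAME},OU=MyCompany,O=RabbitMQ" -validity 3650 -noprompt
keytool -certreq -alias mq -keystore "${TMP_DIR}/mq.jks" \
  -storepass:env JKS_PASSWORD -file "${TMP_DIR}/mq.csr"
keytool -gencert -alias rootca -keystore "${CA_DIR}/ca.jks" \
  -storepass:env CA_PASSWORD \
  -ext "SAN:c=DNS:localhost,IP:127.0.0.1,DNS:${HOSTNAME},IP:${IP_ADDR}" \
  -startdate -7d -validity 3650 \
  -infile "${TMP_DIR}/mq.csr" -outfile "${TMP_DIR}/mq.pem" -rfc

# Import the full chain (CA + server cert) back onto the key entry.
cat -- "${CA_DIR}/ca.pem" "${TMP_DIR}/mq.pem" > "${TMP_DIR}/mq.crt"
keytool -importcert -alias mq -file "${TMP_DIR}/mq.crt" \
  -keystore "${TMP_DIR}/mq.jks" -storepass:env JKS_PASSWORD -noprompt

# Export PEM files for RabbitMQ. The CA cert is public, so 0644 up front.
install -m 0644 -- "${CA_DIR}/ca.pem" "${SSL_DIR}/cacert.pem"
openssl pkcs12 -in "${TMP_DIR}/mq.jks" -nokeys -passin env:JKS_PASSWORD \
  -out "${SSL_DIR}/cert.pem"
openssl pkcs12 -in "${TMP_DIR}/mq.jks" -nocerts -nodes -passin env:JKS_PASSWORD \
  -out "${TMP_DIR}/key.pkcs8.pem"
# Convert to traditional RSA PEM through a separate input file instead of
# reading and writing key.pem in the same invocation.
openssl rsa -in "${TMP_DIR}/key.pkcs8.pem" -out "${SSL_DIR}/key.pem"

# Final ownership and modes: the service account owns everything; public
# certs are world-readable, the private key is readable by its owner only.
# (The original `chmod 644 $SSL_DIR/ssl/*` both pointed at a path with a
# doubled ssl/ component and would have made key.pem world-readable.)
chown -R rabbitmq:rabbitmq -- "${SSL_DIR}"
chmod 0755 -- "${SSL_DIR}"
chmod 0644 -- "${SSL_DIR}/cacert.pem" "${SSL_DIR}/cert.pem"
chmod 0600 -- "${SSL_DIR}/key.pem"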
配置 /etc/rabbitmq/rabbitmq.conf
# Disable the plaintext AMQP listener so only the TLS listener below is served.
listeners.tcp = none
# TLS (AMQPS) listener port.
listeners.ssl.default = 5671
# PEM files produced by the certificate script above (its ${SSL_DIR}).
ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/key.pem
# Ask connecting clients for a certificate and verify it against cacertfile ...
ssl_options.verify = verify_peer
# ... but still accept clients that present none. Set this to true if every
# AMQPS client must authenticate with a certificate (mutual TLS); with false,
# the server is authenticated to clients but clients are not required to be.
ssl_options.fail_if_no_peer_cert = false
重启服务
# Restart the broker so it picks up rabbitmq.conf and the new PEM files;
# needs root. Existing AMQP connections on the old plaintext port are dropped.
systemctl restart rabbitmq-server
查看状态
# Confirm the node came back up. In the listeners section of the output only
# the TLS listener (5671) should appear; a plaintext 5672 entry means
# listeners.tcp = none did not take effect.
rabbitmqctl status