RabbitMQ配置SSL

生成SSL证书（用 keytool 建立私有 CA 并为 RabbitMQ 签发服务器证书，最后导出为 PEM；需以 root 执行，依赖 keytool 与 openssl）

HOSTNAME="xxx"
IP_ADDR="192.168.1.2"
JKS_PASSWORD="changeme."
CA_PASSWORD="changeme."

CA_DIR="/root/certs"
TMP_DIR="/tmp/certs/rabbitmq"
ETC_DIR="/etc/rabbitmq"
SSL_DIR="${ETC_DIR}/ssl"

mkdir -p ${TMP_DIR}
mkdir -p ${SSL_DIR}

chown rabbitmq:rabbitmq ${SSL_DIR}

keytool -genkeypair -alias rootca -keyalg RSA -keysize 4096 -keystore ${CA_DIR}/ca.jks -storetype PKCS12 \
    -ext "SAN:c=DNS:${HOSTNAME},IP:${IP_ADDR}" -ext bc:c \
    -storepass ${CA_PASSWORD} -dname "CN=RabbitMQ,OU=MyCompany" -startdate -7d -validity 3650 -noprompt

keytool -export -alias rootca -keystore ${CA_DIR}/ca.jks -storepass ${CA_PASSWORD} -file ${CA_DIR}/ca.pem -rfc

keytool -genkeypair -alias mq -keyalg RSA -keysize 4096 -keystore ${TMP_DIR}/mq.jks -storetype PKCS12 \
   -storepass ${JKS_PASSWORD} -keypass ${JKS_PASSWORD} -dname "CN=${HOSTNAME},OU=MyCompany,O=RabbitMQ"  -validity 3650 -noprompt

keytool -certreq -alias mq -keystore ${TMP_DIR}/mq.jks -storepass ${JKS_PASSWORD} -file ${TMP_DIR}/mq.csr

keytool -gencert -alias rootca -keystore ${CA_DIR}/ca.jks -storepass ${CA_PASSWORD} \
   -ext "SAN:c=DNS:localhost,IP:127.0.0.1,DNS:${HOSTNAME},IP:${IP_ADDR}" \
   -startdate -7d -validity 3650 \
   -infile ${TMP_DIR}/mq.csr -outfile ${TMP_DIR}/mq.pem -rfc

cat ${CA_DIR}/ca.pem ${TMP_DIR}/mq.pem > ${TMP_DIR}/mq.crt

keytool -import -alias mq -file ${TMP_DIR}/mq.crt -keystore ${TMP_DIR}/mq.jks -storepass ${JKS_PASSWORD} -noprompt

cp ${CA_DIR}/ca.pem $SSL_DIR/cacert.pem

openssl pkcs12 -in ${TMP_DIR}/mq.jks -nokeys -out $SSL_DIR/cert.pem -passin pass:${JKS_PASSWORD}

openssl pkcs12 -in ${TMP_DIR}/mq.jks -nodes -nocerts -out $SSL_DIR/key.pem -passin pass:${JKS_PASSWORD}

openssl rsa -in $SSL_DIR/key.pem -out $SSL_DIR/key.pem

chmod 644 $SSL_DIR/ssl/*

配置 /etc/rabbitmq/rabbitmq.conf

# Disable the plaintext AMQP listener: clients can only connect over TLS.
listeners.tcp = none

# TLS AMQP listener on the standard port.
listeners.ssl.default = 5671

# CA certificate (ca.pem from the generation step). Also used to validate any
# client certificate that is presented.
ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
# Server certificate exported from the PKCS12 store (holds the server cert and the CA cert).
ssl_options.certfile   = /etc/rabbitmq/ssl/cert.pem
# Unencrypted private key: keep it readable by the rabbitmq user/group only.
ssl_options.keyfile    = /etc/rabbitmq/ssl/key.pem
# verify_peer: a client certificate, if sent, is checked against cacertfile.
ssl_options.verify     = verify_peer
# false: clients that send no certificate are still accepted, so this is NOT
# mutual TLS - switch to true to require a client certificate.
# NOTE(review): no ssl_options.versions/ciphers are set, so the protocol versions
# offered are whatever the installed Erlang/OTP defaults to - confirm TLS 1.0/1.1 are off.
ssl_options.fail_if_no_peer_cert = false

重启服务

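# Restart so the TLS listener and certificates are picked up, then fail loudly
# if the broker did not come back (typical causes: unreadable key.pem, wrong
# path in rabbitmq.conf).  The last 50 journal lines show the actual error.
systemctl restart rabbitmq-server
systemctl is-active --quiet rabbitmq-server \
    || { journalctl -u rabbitmq-server -n 50 --no-pager >&2; exit 1; }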

查看状态

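# Broker status (the listeners section should show port 5671 and no plaintext 5672).
rabbitmqctl status

# End-to-end TLS check: the handshake must succeed, the chain must validate
# against the installed CA, and the hostname must match the SAN.
# -verify_return_error turns a verification failure into a non-zero exit instead
# of a warning.  HOSTNAME must be the same name used when issuing the certificate.
openssl s_client -connect "${HOSTNAME:?}:5671" -CAfile /etc/rabbitmq/ssl/cacert.pem \
    -verify_hostname "${HOSTNAME}" -verify_return_error </dev/null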