Rabbitmq: how to set TLS for MQTT connections through environment variable

Created on 14 Oct 2019  路  4Comments  路  Source: docker-library/rabbitmq

https://www.rabbitmq.com/mqtt.html#tls

how to set TLS for MQTT connections through environment variable

To enable TLS-enabled MQTT connections, add a TLS listener for MQTT using the mqtt.listeners.ssl.* configuration keys.

ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile   = /path/to/server_certificate.pem
ssl_options.keyfile    = /path/to/server_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert  = true

# default TLS-enabled port for MQTT connections
mqtt.listeners.ssl.default = 8883
mqtt.listeners.tcp.default = 1883
question

Most helpful comment

I honestly don't see why anyone would want to use environment variables over config file values. Validation of configured values alone is a significant enough benefit. Not having to worry about what settings may or may not be propagated e.g. by this image is another. Ability for anyone distantly familiar with RabbitMQ to understand where to look for configuration keys is yet another. Environment variables suck.

All 4 comments

The image supports these environment variables for configuring TLS/SSL

Generate certs
https://www.rabbitmq.com/ssl.html#automated-certificate-generation-transcript

$ git clone https://github.com/michaelklishin/tls-gen tls-gen                                                                          
Cloning into 'tls-gen'...                                                                                                                                     
remote: Enumerating objects: 369, done.
remote: Total 369 (delta 0), reused 0 (delta 0), pack-reused 369
Receiving objects: 100% (369/369), 90.46 KiB | 1.92 MiB/s, done.                                                                                              
Resolving deltas: 100% (215/215), done.

$ cd tls-gen/basic

$ make PASSWORD=bunnies
. . .

$ make verify
python3 profile.py verify
Will verify generated certificates against the CA...
Will verify client certificate against root CA
/tmp/rabit/tls-gen/basic/result/client_certificate.pem: OK
Will verify server certificate against root CA
/tmp/rabit/tls-gen/basic/result/server_certificate.pem: OK

$ chmod -R 777 result

Run the container

$ docker run -d --rm --name rabid -p 8080:15671 -v "$PWD"/result/:/tmp/ \
> -e RABBITMQ_MANAGEMENT_SSL_CACERTFILE=/tmp/ca_certificate.pem \
> -e RABBITMQ_MANAGEMENT_SSL_CERTFILE=/tmp/server_certificate.pem \
> -e RABBITMQ_MANAGEMENT_SSL_KEYFILE=/tmp/server_key.pem \
> rabbitmq:management
a71c7744d6ca5cb684d579b830cec84958d03feea4210df7c1d81f3421b97278

$ docker logs rabid | tail
2019-10-14 17:13:04.168 [info] <0.270.0> Running boot step cluster_name defined by app rabbit                                                                                                 
2019-10-14 17:13:04.168 [info] <0.270.0> Running boot step direct_client defined by app rabbit                                                                                                
2019-10-14 17:13:04.226 [info] <0.676.0> Management plugin: HTTPS listener started on port 15671                                                                                              
2019-10-14 17:13:04.226 [info] <0.783.0> Statistics database started.                                                                                                                         
2019-10-14 17:13:04.226 [info] <0.782.0> Starting worker pool 'management_worker_pool' with 3 processes in it                                                                                 
 completed with 3 plugins.                                                                                                                                                                    
2019-10-14 17:13:04.313 [info] <0.8.0> Server startup complete; 3 plugins started.                                                                                                            
 * rabbitmq_management                                                                                                                                                                        
 * rabbitmq_web_dispatch                                                                                                                                                                      
 * rabbitmq_management_agent

$ docker exec rabid rabbitmqctl status | grep -ia4 listeners
Connection count: 0
Queue count: 0
Virtual host count: 1

Listeners

Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)

Thank you. Thank you so much.

In your way, I cannot set mqtt SSL automatically. I must manually add it to the rabbitmq config file
Mqtt. listeners. ssl. default = 8883

Later, I use nginx to perform TLS termination of client connections and use plain TCP connections to RabbitMQ nodes.

It's simpler to use nginx.

At the same time, don't need to enable rabbitmq's SSL, so rabbitmq will be simpler.

I honestly don't see why anyone would want to use environment variables over config file values. Validation of configured values alone is a significant enough benefit. Not having to worry about what settings may or may not be propagated e.g. by this image is another. Ability for anyone distantly familiar with RabbitMQ to understand where to look for configuration keys is yet another. Environment variables suck.

Agreed, I think all the variables we support are mistakes and we should look to deprecate them for 3.9+, especially with the ini-style config that is so trivial to write, read, etc both for humans and scripts.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

CVTJNII picture CVTJNII  路  4Comments

LanceGG picture LanceGG  路  5Comments

bloodybeet picture bloodybeet  路  3Comments

556u5ut picture 556u5ut  路  5Comments

michaelklishin picture michaelklishin  路  4Comments