https://www.rabbitmq.com/mqtt.html#tls
how to set TLS for MQTT connections through environment variable
To enable TLS-enabled MQTT connections, add a TLS listener for MQTT using the mqtt.listeners.ssl.* configuration keys.
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# default TLS-enabled port for MQTT connections
mqtt.listeners.ssl.default = 8883
mqtt.listeners.tcp.default = 1883
The image supports these environment variables for configuring TLS/SSL
Generate certs
https://www.rabbitmq.com/ssl.html#automated-certificate-generation-transcript
$ git clone https://github.com/michaelklishin/tls-gen tls-gen
Cloning into 'tls-gen'...
remote: Enumerating objects: 369, done.
remote: Total 369 (delta 0), reused 0 (delta 0), pack-reused 369
Receiving objects: 100% (369/369), 90.46 KiB | 1.92 MiB/s, done.
Resolving deltas: 100% (215/215), done.
$ cd tls-gen/basic
$ make PASSWORD=bunnies
. . .
$ make verify
python3 profile.py verify
Will verify generated certificates against the CA...
Will verify client certificate against root CA
/tmp/rabit/tls-gen/basic/result/client_certificate.pem: OK
Will verify server certificate against root CA
/tmp/rabit/tls-gen/basic/result/server_certificate.pem: OK
$ chmod -R 777 result
Run the container
$ docker run -d --rm --name rabid -p 8080:15671 -v "$PWD"/result/:/tmp/ \
> -e RABBITMQ_MANAGEMENT_SSL_CACERTFILE=/tmp/ca_certificate.pem \
> -e RABBITMQ_MANAGEMENT_SSL_CERTFILE=/tmp/server_certificate.pem \
> -e RABBITMQ_MANAGEMENT_SSL_KEYFILE=/tmp/server_key.pem \
> rabbitmq:management
a71c7744d6ca5cb684d579b830cec84958d03feea4210df7c1d81f3421b97278
$ docker logs rabid | tail
2019-10-14 17:13:04.168 [info] <0.270.0> Running boot step cluster_name defined by app rabbit
2019-10-14 17:13:04.168 [info] <0.270.0> Running boot step direct_client defined by app rabbit
2019-10-14 17:13:04.226 [info] <0.676.0> Management plugin: HTTPS listener started on port 15671
2019-10-14 17:13:04.226 [info] <0.783.0> Statistics database started.
2019-10-14 17:13:04.226 [info] <0.782.0> Starting worker pool 'management_worker_pool' with 3 processes in it
completed with 3 plugins.
2019-10-14 17:13:04.313 [info] <0.8.0> Server startup complete; 3 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* rabbitmq_management_agent
$ docker exec rabid rabbitmqctl status | grep -ia4 listeners
Connection count: 0
Queue count: 0
Virtual host count: 1
Listeners
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Thank you. Thank you so much.
In your way, I cannot set mqtt SSL automatically. I must manually add it to the rabbitmq config file
Mqtt. listeners. ssl. default = 8883
Later, I use nginx to perform TLS termination of client connections and use plain TCP connections to RabbitMQ nodes.
It's simpler to use nginx.
At the same time, don't need to enable rabbitmq's SSL, so rabbitmq will be simpler.
I honestly don't see why anyone would want to use environment variables over config file values. Validation of configured values alone is a significant enough benefit. Not having to worry about what settings may or may not be propagated e.g. by this image is another. Ability for anyone distantly familiar with RabbitMQ to understand where to look for configuration keys is yet another. Environment variables suck.
Agreed, I think all the variables we support are mistakes and we should look to deprecate them for 3.9+, especially with the ini-style config that is so trivial to write, read, etc both for humans and scripts.
Most helpful comment
I honestly don't see why anyone would want to use environment variables over config file values. Validation of configured values alone is a significant enough benefit. Not having to worry about what settings may or may not be propagated e.g. by this image is another. Ability for anyone distantly familiar with RabbitMQ to understand where to look for configuration keys is yet another. Environment variables suck.