This page has information and instructions on how to set up a rabbitMQ server using SSL. At the time of writing, a test certificate authority is used rather than a production one, so the certificates below are only trusted by clients that are given testca/cacert.pem explicitly.


Most of the information on this page came from rabbitMQ's SSL tutorial, located here, and the troubleshooting guide, here.

A few notes:

  • Erlang releases before R13B02 do not properly refuse connections when the client does not provide a certificate
  • The default config file location is /etc/rabbitmq/rabbitmq.config
  • The default log file location is /var/log/rabbitmq/rabbit@$(HOST_MACHINE).log (example: /var/log/rabbitmq/rabbit@elephant70.log)

rabbitMQ config file

To enable SSL on the rabbitMQ server, the config file must be edited and the server restarted. The rabbitMQ tutorial provides the following as an example config file.

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/path/to/testca/cacert.pem"},
                   {certfile,   "/path/to/server/cert.pem"},
                   {keyfile,    "/path/to/server/key.pem"},
                   {verify,     verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].

This is Erlang term syntax, so punctuation matters: every element is separated by a comma and the whole file is terminated by a single trailing period (the "." on the last line).

This config file sets the server application called rabbit (the default name) to:

  • open an SSL listener on port 5671 (the plain AMQP listener on 5672 is left unchanged by this file)
  • use the certificate authority certificate file at the specified location
  • present the certificate file signed by that CA
  • use the private key specified
  • ask clients to provide SSL certificates (verify_peer) but allow clients to connect without one (fail_if_no_peer_cert set to false)
    • if the client provides a badly formed certificate, or one not signed by the CA, the connection is refused
    • a client that provides no certificate at all is still accepted, so with this setting the server is authenticated and the traffic is encrypted, but clients are not; setting fail_if_no_peer_cert to true forces clients to present a certificate (mutual TLS). Note: this option is not honoured on older Erlang releases (see the note at the top of this page)

If the certificates and keys are set up properly, the rabbitMQ log file will contain a line reporting that the SSL listener was started on the specified port. If that line is missing after a restart, check the paths in ssl_options and that the rabbitmq user can read the key and certificate files.
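As an added example (not from this page or from RabbitMQ), the following Python script parses a rabbitmq.config of the shape shown above as an Erlang term and flags the settings that weaken client authentication: a missing SSL listener or certificate file, verify set to anything other than verify_peer, and fail_if_no_peer_cert left at false. The parser, the SAMPLE_CONFIG text (the page's example config) and the wording of the findings are this example's own; the parser handles only the term subset such a config uses.

```python
"""Lint the ssl_options of a rabbitmq.config parsed as an Erlang term.

Added example, not part of the page or of RabbitMQ. The parser covers only
the term subset such a config uses (lists, tuples, atoms, quoted strings
without escapes, integers) ending in '.'; SAMPLE_CONFIG is the page's example
config and the finding texts are this example's own.
"""
import re

TOKEN_RE = re.compile(
    r'\s+'                                   # whitespace, skipped
    r'|(?P<str>"[^"]*")'                     # quoted string (no escapes)
    r'|(?P<int>\d+)'
    r'|(?P<atom>[a-z][A-Za-z0-9_@]*)'
    r'|(?P<punct>[\[\]{},.])'
)


class Atom(str):
    """An Erlang atom such as verify_peer; kept distinct from a string."""


def tokenize(text):
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup:                      # None for whitespace
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def parse_term(tokens):
    """Parse one term; returns (value, remaining tokens). Erlang lists become
    Python lists, tuples become tuples, atoms become Atom."""
    kind, val = tokens[0]
    rest = tokens[1:]
    if kind == "str":
        return val[1:-1], rest
    if kind == "int":
        return int(val), rest
    if kind == "atom":
        return Atom(val), rest
    if kind == "punct" and val in "[{":
        close = "]" if val == "[" else "}"
        items = []
        while rest[0] != ("punct", close):
            item, rest = parse_term(rest)
            items.append(item)
            if rest[0] == ("punct", ","):
                rest = rest[1:]
        return (items if close == "]" else tuple(items)), rest[1:]
    raise ValueError(f"unexpected token {val!r}")


def parse_config(text):
    term, rest = parse_term(tokenize(text))
    if rest != [("punct", ".")]:
        raise ValueError("config must be one term terminated by '.'")
    return term


def proplist_get(plist, key, default=None):
    """Look up {key, Value} in an Erlang proplist (a list of 2-tuples)."""
    for entry in plist:
        if isinstance(entry, tuple) and len(entry) == 2 and entry[0] == key:
            return entry[1]
    return default


def lint_ssl_options(config):
    """Return (severity, message) findings for the rabbit app's ssl_options."""
    findings = []
    rabbit = proplist_get(config, "rabbit", [])
    if not proplist_get(rabbit, "ssl_listeners"):
        findings.append(("error", "no ssl_listeners: the TLS listener is not enabled"))
    opts = proplist_get(rabbit, "ssl_options", [])
    for key in ("cacertfile", "certfile", "keyfile"):
        if proplist_get(opts, key) is None:
            findings.append(("error", f"{key} missing from ssl_options"))
    if proplist_get(opts, "verify", Atom("verify_none")) != "verify_peer":
        findings.append(("error", "verify is not verify_peer: client certificates are never checked"))
    elif proplist_get(opts, "fail_if_no_peer_cert", Atom("false")) != "true":
        findings.append(("warn", "fail_if_no_peer_cert is false: a client that presents no "
                                 "certificate is still accepted, so this is not mutual TLS"))
    return findings


# The page's example config, reproduced here as the sample input.
SAMPLE_CONFIG = """
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/path/to/testca/cacert.pem"},
                   {certfile,   "/path/to/server/cert.pem"},
                   {keyfile,    "/path/to/server/key.pem"},
                   {verify,     verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].
"""

if __name__ == "__main__":
    for severity, message in lint_ssl_options(parse_config(SAMPLE_CONFIG)):
        print(f"{severity}: {message}")
```

Run against the page's config it reports one warning (fail_if_no_peer_cert is false); flipping that value to true, the hardened form, produces no findings, and changing verify to verify_none produces an error.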

Command line testing configuration

Using openssl s_client, the listener can be verified from the command line. Provided that the client cert and key are correct and signed by the CA, this command:

openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem

will complete the TLS handshake with the AMQP server and then wait for input (typing anything other than an AMQP protocol header will cause rabbitMQ to close the connection).

If no client certificate (or an invalid one) is presented, as in:

openssl s_client -connect localhost:5671

the connection is refused. If your server instead accepts the certificate-less connection, check the fail_if_no_peer_cert setting and the Erlang version note at the top of this page. The following is rabbitMQ's log file when running these two commands in sequence.

First connection, with valid certs and keys:

=INFO REPORT==== 17-Sep-2013::15:16:38 ===
accepted TCP connection on [::]:5671 from

=INFO REPORT==== 17-Sep-2013::15:16:38 ===
starting TCP connection <0.2463.0> from

=INFO REPORT==== 17-Sep-2013::15:16:38 ===
upgraded TCP connection <0.2463.0> to SSL

The TLS handshake succeeded. The connection then fails because "Not a valid AMQP header" was typed instead of an AMQP protocol header; the server only reads the first 8 bytes, hence "Not a va":

=ERROR REPORT==== 17-Sep-2013::15:16:45 ===
exception on TCP connection <0.2463.0> from
{bad_header,<<"Not a va">>}

=INFO REPORT==== 17-Sep-2013::15:16:45 ===
closing TCP connection <0.2463.0> from

Second connection, without a cert:

=INFO REPORT==== 17-Sep-2013::15:16:57 ===
accepted TCP connection on [::]:5671 from

=INFO REPORT==== 17-Sep-2013::15:16:57 ===
starting TCP connection <0.2468.0> from

The connection is terminated because the TLS handshake failed, before any AMQP traffic:

=ERROR REPORT==== 17-Sep-2013::15:16:57 ===
SSL: certify_certificate: ./ssl_connection.erl:490:Fatal error: handshake failure

=ERROR REPORT==== 17-Sep-2013::15:16:57 ===
error on TCP connection <0.2468.0>:{ssl_upgrade_error,esslaccept}

=INFO REPORT==== 17-Sep-2013::15:16:57 ===
closing TCP connection <0.2468.0>
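As an added example (not from this page or from RabbitMQ), the script below turns the two observations above into something checkable: it builds the AMQP 0-9-1 protocol header that s_client would have to send to get past the "bad_header" check, and it parses the Erlang error_logger reports, groups them by connection process, and gives each connection a verdict (TLS handshake failed, TLS fine but non-AMQP bytes sent, or TLS fine). SAMPLE_LOG is constructed to match the shape of the page's excerpt, with made-up client addresses; the verdict names and the regular expressions are this example's own.

```python
"""Interpret RabbitMQ's log reports for the openssl s_client checks.

Added example, not part of the page or of RabbitMQ. SAMPLE_LOG is constructed
to match the page's excerpt (the 127.0.0.1:5000x client addresses are made
up); the layout assumed is Erlang's error_logger format, a
"=LEVEL REPORT==== <timestamp> ===" line followed by the message lines.
"""
import re
from dataclasses import dataclass, field

# AMQP 0-9-1 protocol header. RabbitMQ reads the first 8 bytes a client sends
# after the TLS upgrade and rejects anything else, which is why typing
# "Not a valid AMQP header" into s_client shows up as <<"Not a va">>.
AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"


def check_protocol_header(first_bytes):
    """Mirror the server-side check: ("ok", None) for a valid header,
    otherwise ("bad_header", <the 8 bytes the server saw>)."""
    head = first_bytes[:8]
    return ("ok", None) if head == AMQP_PROTOCOL_HEADER else ("bad_header", head)


REPORT_RE = re.compile(r"^=(INFO|WARNING|ERROR) REPORT==== (\S+) ===$")
PID_RE = re.compile(r"<\d+\.\d+\.\d+>")


def parse_reports(text):
    """Split a log into (level, timestamp, message) tuples; a message may
    span several lines (the bad_header term is printed on its own line)."""
    reports = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            reports.append([m.group(1), m.group(2), []])
        elif reports and line.strip():
            reports[-1][2].append(line.strip())
    return [(level, ts, " ".join(msg)) for level, ts, msg in reports]


@dataclass
class Connection:
    ssl_upgraded: bool = False
    closed: bool = False
    errors: list = field(default_factory=list)


def summarize_connections(reports):
    """Group reports by the Erlang pid of the connection process."""
    conns = {}
    for level, _ts, msg in reports:
        pid = PID_RE.search(msg)
        if not pid:                      # e.g. the bare "SSL: certify_certificate" line
            continue
        conn = conns.setdefault(pid.group(0), Connection())
        if msg.startswith("upgraded TCP connection"):
            conn.ssl_upgraded = True
        elif msg.startswith("closing TCP connection"):
            conn.closed = True
        elif level == "ERROR":
            conn.errors.append(msg)
    return conns


def verdict(conn):
    """Reduce one connection's events to what the test actually showed."""
    if any("ssl_upgrade_error" in e for e in conn.errors):
        return "tls_handshake_failed"    # no or invalid client certificate
    if conn.ssl_upgraded and any("bad_header" in e for e in conn.errors):
        return "tls_ok_bad_amqp_header"  # TLS fine, then non-AMQP bytes were sent
    if conn.ssl_upgraded:
        return "tls_ok"
    return "incomplete"


def analyze(text):
    """Map each connection pid found in the log to its verdict."""
    return {pid: verdict(c) for pid, c in summarize_connections(parse_reports(text)).items()}


# Constructed sample in the shape of the page's log excerpt.
SAMPLE_LOG = """\
=INFO REPORT==== 17-Sep-2013::15:16:38 ===
accepted TCP connection on [::]:5671 from 127.0.0.1:50001
=INFO REPORT==== 17-Sep-2013::15:16:38 ===
starting TCP connection <0.2463.0> from 127.0.0.1:50001
=INFO REPORT==== 17-Sep-2013::15:16:38 ===
upgraded TCP connection <0.2463.0> to SSL
=ERROR REPORT==== 17-Sep-2013::15:16:45 ===
exception on TCP connection <0.2463.0> from 127.0.0.1:50001
{bad_header,<<"Not a va">>}
=INFO REPORT==== 17-Sep-2013::15:16:45 ===
closing TCP connection <0.2463.0> from 127.0.0.1:50001
=INFO REPORT==== 17-Sep-2013::15:16:57 ===
accepted TCP connection on [::]:5671 from 127.0.0.1:50002
=INFO REPORT==== 17-Sep-2013::15:16:57 ===
starting TCP connection <0.2468.0> from 127.0.0.1:50002
=ERROR REPORT==== 17-Sep-2013::15:16:57 ===
SSL: certify_certificate: ./ssl_connection.erl:490:Fatal error: handshake failure
=ERROR REPORT==== 17-Sep-2013::15:16:57 ===
error on TCP connection <0.2468.0>:{ssl_upgrade_error,esslaccept}
=INFO REPORT==== 17-Sep-2013::15:16:57 ===
closing TCP connection <0.2468.0>
"""

if __name__ == "__main__":
    for pid, outcome in analyze(SAMPLE_LOG).items():
        print(pid, outcome)
```

Pointing analyze at the real log (open the file from /var/log/rabbitmq and pass its text) gives the same per-connection verdicts, which is a quicker check than reading the reports by hand when many clients are reconnecting.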

-- RobertPrior - 2013-09-17

Topic revision: r1 - 2013-09-17 - rprior