Note
For information on troubleshooting RabbitMQ with TLS, see Troubleshoot RabbitMQ with TLS in Xray.
Generate certificates for RabbitMQ and Xray.
Note
The name "CN=rabbitmq" (which appears twice in the following code) should be a resolvable DNS, and should be used in the system.yaml file when providing the shared.rabbitMq.url (see step 6 below).
Create Certificate Authority (CA) files.
#Creates ca-key.pem and ca.csr CA files. These are self-signed. openssl req -new -nodes -text -out ca.csr -keyout ca-key.pem -subj "/CN=certificate-authority"
Sign the CA private key, ca-key.pem, and create the related CA certificate.
openssl x509 -req -in ca.csr -text -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey ca-key.pem -out ca-cert.pem
Create the RabbitMQ private key (server-key.pem) and certificate signing request file(server.csr).
openssl req -new -nodes -text -out server.csr -keyout server-key.pem -subj "/CN=rabbitmq"
Create a signed RabbitMQ public key (server-cert.pem).
openssl x509 -req -in server.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Create Xray client key (client-key.pem) and certificate signing request file (client.csr).
openssl req -new -nodes -text -out client.csr -keyout client-key.pem -subj "/CN=rabbitmq"
Create Xray client certificate file.
openssl x509 -req -in client.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
Create the
certs
directories under$JFROG_HOME/xray/var/data/server
and$JFROG_HOME/xray/var/data/rabbitmq
.mkdir $JFROG_HOME/xray/var/data/server/certs mkdir $JFROG_HOME/xray/var/data/rabbitmq/certs
Copy the ca and server certificates to
$JFROG_HOME/xray/var/data/rabbitmq/certs
and$JFROG_HOME/xray/var/data/server/certs
respectively.Docker Compose
ls -ltr <mounted directory>/xray/var/data/server/certs/ total 3 -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem -rw-r--r-- 1 xray xray 993 Oct 11 15:55 client-cert.pem -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
RPM / DEB
ls -ltr /opt/jfrog/xray/var/data/server/certs/ total 3 -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem -rw-r--r-- 1 xray xray 993 Oct 11 15:55 client-cert.pem -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
Linux Archive
ls -ltr JFROG_HOME/xray/var/data/server/certs/ total 3 -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem -rw-r--r-- 1 xray xray 993 Oct 11 15:55 client-cert.pem -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
cp ca-cert.pem server-cert.pem server-key.pem $JFROG_HOME/xray/var/data/rabbitmq/certs cp ca-cert.pem client-cert.pem client-key.pem $JFROG_HOME/xray/var/data/server/certs
For Self-signed Certificates Only
To ensure that the client trusts self-signed certificates (only), you will need to perform the following steps according to the OS you are using.
For Docker
You will need to mount a root ca bundle into each Xray container:
volumes: - /etc/localtime:/etc/localtime:ro - "${ROOT_DATA_DIR}/var:/var/opt/jfrog/xray" - /opt/jfrog/xray/app/third-party/rabbitmq/rabbitmq-root-ca.crt:/etc/ssl/certs/ca-certificates.crt
For Linux Archive/Native OS: Debian 8/9/10, Ubuntu 16/18/20
Copy your root certificate into
/usr/local/share/ca-certificates/
and then run theupdate-ca-certificates
command
.# cp rabbitmq-root-ca.crt /usr/local/share/ca-certificates/ # update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d...Adding debian:rabbitmq-root-ca.pem done. done.
For Linux Archive/Native OS: CentOS 6/7/8, RHEL 6/7/8
Copy your root certificate into /etc/pki/ca-trust/source/anchors/ and then run the update-ca-trust command.
# cp rabbitmq-root-ca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust
Note that on CentOS 6/RHEL 6 you will have to run an additional command
- update-ca-trust force-enable
.After you add your own root certificate into the system bundle - you can verify the certificate with the following command:
# openssl verify -verbose /opt/jfrog/xray/var/data/server/certs/rabbitmq-client.crt /opt/jfrog/xray/var/data/server/certs/rabbitmq-client.crt: OK # openssl verify -verbose /opt/jfrog/xray/var/data/rabbitmq/certs/rabbitmq-server.crt /opt/jfrog/xray/var/data/rabbitmq/certs/rabbitmq-server.crt: OK Otherwise we will get the error # openssl verify -verbose /opt/jfrog/xray/var/data/server/certs/rabbitmq-client.crt /opt/jfrog/xray/var/data/server/certs/rabbitmq-client.crt: CN = rabbitmq error 20 at 0 depth lookup:unable to get local issuer certificate # openssl verify -verbose /opt/jfrog/xray/var/data/rabbitmq/certs/rabbitmq-server.crt /opt/jfrog/xray/var/data/rabbitmq/certs/rabbitmq-server.crt: CN = rabbitmq error 20 at 0 depth lookup:unable to get local issuer certificate
Modify the certificate permissions for the RabbitMQ user.
Docker Compose
chown -R 999:999 <mounted directory>/xray/var/data/rabbitmq/certs
DEB / RPM
chown -R xray:xray /opt/jfrog/xray/var/data/rabbitmq/certs
Linux Archive
## default user and group is xray:xray chown -R <xray user>:<xray group> JFROG_HOME/xray/var/data/rabbitmq/certs
Modify the certificate permissions for the Xray user.
Docker Compose
chown -R 1035:1035 <mounted directory>/xray/var/data/server/certs
RPM / DEB
chown -R xray:xray /opt/jfrog/xray/var/data/server/certs/
Linux Archive
## default user and group is xray:xray chown -R <xray user>:<xray group> JFROG_HOME/xray/var/data/server/certs/
Modify
/opt/jfrog/xray/var/etc/system.yaml
undershared.rabbitmq
, according to your configuration. Do not overwrite existing lines in the fileshared: rabbitMq: url: amqps://localhost:5671 certCaFilePath: "/opt/jfrog/xray/var/data/server/certs/ca-cert.pem" certFilePath: "/opt/jfrog/xray/var/data/server/certs/client-cert.pem" certKeyFilePath: "/opt/jfrog/xray/var/data/server/certs/client-key.pem" autoStop: true node: rabbitmqConf: - name: ssl_options.cacertfile value: /opt/jfrog/xray/var/data/rabbitmq/certs/ca-cert.pem - name: ssl_options.certfile value: /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem - name: ssl_options.keyfile value: /opt/jfrog/xray/var/data/rabbitmq/certs/server-key.pem - name: ssl_options.verify value: verify_peer - name: ssl_options.fail_if_no_peer_cert value: false - name: management.listener.ssl value: true - name: listeners.ssl.default value: 5671 - name: listeners.tcp value: none
Replace
<rabbitmq-password>
with your own RabbitMQ password. If you use a different user in RabbitMQ, replace the guest user with your own user in theshared.rabbitMq.url
value.Create a JSON file with the following content to enable the TLS connection to RabbitMQ in Xray using the REST API.
{ "sslInsecure": false, "maxDiskDataUsage": 80, "monitorSamplingInterval": 300, "mailNoSsl": false, "messageMaxTTL": 7, "jobInterval": 86400, "allowSendingAnalytics": true, "httpsPort": 443, "enableTlsConnectionToRabbitMQ": true, "httpClientMaxConnections": 50, "httpClientMaxIdleConnections": 20, "jsFilesBatch": 20 }
Run the REST API call using the JSON file you created in the previous step to enable the TLS connection to RabbitMQ in Xray.
curl -u<username>:<password> -d @<your_json_file>.json -H "Content-Type: application/json" -X PUT http://<artifactory_url>/xray/api/v1/configuration/systemParameters
Replace
<username>
and<password>
with an admin user and password credentials for Artifactory, the <your_json_file>.json with the name of the JSON file you created in the previous step and the <artifactory_url> with the actual Artifactory URL address.Run the following steps to enable the TLS connection to RabbitMQ in Xray if you use Docker Compose.
Docker Compose
cd <path to extracted compose directory>/jfrog-xray-<version>-compose/
## Export the TLS port in the docker-compose-rabbitmq.yaml (docker-compose.yaml for older versions of 3.x) and add under services -> rabbitmq -> ports. - 5671:5671
# Restart RabbitMQ services docker-compose -p xray-rabbitmq -f docker-compose-rabbitmq.yaml down docker-compose -p xray-rabbitmq -f docker-compose-rabbitmq.yaml up -d
Restart Xray services.
Docker Compose
docker-compose -p xray -f docker-compose.yaml down docker-compose -p xray -f docker-compose.yaml up -d
RPM / DEB
systemctl stop xray.service systemctl start xray.service ## For Centos 6 and RHEL 6 # service xray stop # service xray start
Linux Archive
/opt/jfrog/xray/bin/xray.sh stop /opt/jfrog/xray/bin/xray.sh start
After Xray services are up and running, you can verify if RabbitMQ is accessible through
https://<xray-ipaddress-or-hostname>:15672
.