To resolve this, create the certificates with Subject Alternative Names (SANs): Go 1.15 and later no longer fall back to the certificate's Common Name when verifying a server's hostname, so the RabbitMQ server certificate presented to Xray must carry the broker's hostname as a DNS SAN. The exact steps depend on your OpenSSL version; the example below was produced with OpenSSL 1.1.1 (the -addext option used in step 2 requires 1.1.1 or later). These instructions are similar to the ones documented on our wiki, but they go over how to create the certificates with SANs together with the general configuration steps.
1. Create an openssl.cnf file that includes the subjectAltName. Below is an example for reference. Only the extension sections ([ v3_ca ] and [ req_ext ]) are consumed by the commands in step 2, via -extfile; the [req] and distinguished-name sections take effect only if you pass -config openssl.cnf to openssl req. The section used for the server and client certificates must set basicConstraints = CA:FALSE next to the SAN, otherwise the leaf certificates would be issued as CA certificates.
[req]
default_bits = 4096
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[req_attributes]
[req_distinguished_name]
countryName = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = XXX
localityName = XXX
0.organizationName = JFROG
organizationalUnitName = XXX
commonName = jfrog.com
commonName_max = 64
emailAddress = example@jfrog.com
emailAddress_max = 64
[ v3_ca ]
# Extensions for the self-signed CA certificate only
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ req_ext ]
# Extensions for the RabbitMQ server and Xray client certificates
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:testxray.vm
2. Once openssl.cnf is in place, run the commands below to generate the CA, the RabbitMQ server certificate and the Xray client certificate. The subjectAltName value testxray.vm is only an example: it must match the hostname Xray uses to reach RabbitMQ, i.e. the host in shared.rabbitMq.url, because that is the name Go checks against the SAN. The CA is signed with the v3_ca section and the server and client certificates with req_ext; signing them with v3_ca would turn them into CA certificates and, because openssl x509 -req ignores the extensions carried in the CSR, leave them without a SAN regardless of -addext. openssl x509 -req issues 30-day certificates by default, so add -days with the validity your policy requires. -nodes writes unencrypted private keys, which is what RabbitMQ and Xray expect; protect them with file permissions when you copy them in step 3.
openssl req -new -nodes -text -out ca.csr -keyout ca-key.pem -subj "/CN=certificate-authority"
openssl x509 -req -in ca.csr -text -extfile openssl.cnf -extensions v3_ca -signkey ca-key.pem -out ca-cert.pem
openssl req -new -nodes -text -out server.csr -keyout server-key.pem -subj "/CN=testxray.vm" -addext "subjectAltName = DNS:testxray.vm"
openssl x509 -req -in server.csr -text -extfile openssl.cnf -extensions req_ext -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
openssl req -new -nodes -text -out client.csr -keyout client-key.pem -subj "/CN=testxray.vm" -addext "subjectAltName = DNS:testxray.vm"
openssl x509 -req -in client.csr -text -extfile openssl.cnf -extensions req_ext -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
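Worked example, added here and not taken from the JFrog page or product: a POSIX shell script that does what steps 1 and 2 describe end to end. It writes its own openssl.cnf, issues a self-signed CA, a RabbitMQ server certificate and an Xray client certificate that all carry a subjectAltName, plus a CN-only "legacy" certificate for comparison, and then checks each certificate for the properties a Go client such as Xray depends on: it chains to the CA, it has a DNS SAN for the broker hostname, and it is not itself a CA certificate. The hostname testxray.vm, the output directory, 2048-bit keys and the 365-day validity are assumptions of the example; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the JFrog page): build a CA, a RabbitMQ server cert and an
# Xray client cert that carry subjectAltName, then verify the properties a Go-based
# client (Xray) depends on. Hostname "testxray.vm", the output directory, key size
# and the 365-day lifetime are assumptions; adjust them for your environment.
set -eu

# Minimal config. Each role gets its own section with CA:FALSE and the SAN, because
# "openssl x509 -req" takes extensions from -extfile and ignores those in the CSR.
write_openssl_cnf() {
  dir="$1"; host="$2"
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $host
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:$host
[ v3_legacy ]
basicConstraints = CA:FALSE
EOF
}

# Generate ca, server and client certs; "legacy" is a CN-only cert kept to show the
# failure mode this article is about.
gen_rabbitmq_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  write_openssl_cnf "$dir" "$host"
  cnf="$dir/openssl.cnf"
  # 2048-bit keys keep the example quick; the page's openssl.cnf uses 4096.
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -config "$cnf" \
    -extensions v3_ca -subj "/CN=certificate-authority" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  for role in server client legacy; do
    openssl req -new -nodes -newkey rsa:2048 -config "$cnf" -subj "/CN=$host" \
      -keyout "$dir/$role-key.pem" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$role.csr" \
      -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
      -extfile "$cnf" -extensions "v3_$role" -out "$dir/$role-cert.pem" 2>/dev/null
  done
}

# Chain and hostname check as OpenSSL does it. OpenSSL still falls back to the CN when
# a cert has no SAN at all, so this alone also accepts the legacy cert; Go 1.15+ does not.
chain_ok() { openssl verify -CAfile "$1/ca-cert.pem" -verify_hostname "$3" "$1/$2-cert.pem" >/dev/null 2>&1; }

# The property Xray needs: a DNS SAN naming the host in shared.rabbitMq.url.
has_san() { openssl x509 -in "$1/$2-cert.pem" -noout -text | grep -q "DNS:$3"; }

# A leaf presented by RabbitMQ or Xray must not itself be a CA certificate.
is_leaf() { openssl x509 -in "$1/$2-cert.pem" -noout -text | grep -q "CA:FALSE"; }

main() {
  dir="$1"; host="${2:-testxray.vm}"
  gen_rabbitmq_certs "$dir" "$host"
  for role in server client legacy; do
    if chain_ok "$dir" "$role" "$host" && has_san "$dir" "$role" "$host" && is_leaf "$dir" "$role"; then
      echo "$role-cert.pem: OK (chains to CA, has SAN, not a CA cert)"
    else
      echo "$role-cert.pem: REJECT (no SAN for $host; a Go client would refuse it)"
    fi
  done
}

# Usage: sh make-rabbitmq-certs.sh /tmp/rabbitmq-certs testxray.vm
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as sh make-rabbitmq-certs.sh /tmp/rabbitmq-certs testxray.vm. The legacy certificate is reported as REJECT even though openssl verify accepts it: that gap between OpenSSL's Common Name fallback and Go's SAN-only hostname matching is exactly what this article resolves, and has_san is the check to run on any certificate before copying it into place in step 3.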
3. Copy the certificates to the correct location. The location depends on your installation type, so refer to the following documentation. Make the private key files (server-key.pem, client-key.pem) readable only by the service user that loads them; the CA certificate and public certificates can be world-readable.
https://www.jfrog.com/confluence/display/JFROG/TLS+Certificates#TLSCertificates-SecuringRabbitMQwithTLSSupportonXray
4. Configure the Xray system.yaml to use these certificates. Below is a sample system.yaml for reference. Nesting is significant in YAML, so check the key placement against the TLS Certificates page linked in step 3 for your Xray version, and replace the guest/password placeholders in url and password with the RabbitMQ credentials you actually use. Two settings deserve attention. ssl_options.fail_if_no_peer_cert: false lets a client connect without presenting a certificate (with verify_peer the broker validates a client certificate only if one is offered); set it to true once every client is configured with client-cert.pem so the broker enforces mutual TLS. GODEBUG: "x509ignoreCN=0" restores the pre-Go 1.15 fallback to the Common Name; it is honoured only by Go 1.15 and 1.16 and is unnecessary once the server certificate carries a SAN, so treat it as a stopgap rather than the fix.
shared:
  rabbitMq:
    ## Enable this to stop rabbitmq along with other services of xray
    ## By default rabbitmq will always be running
    #autoStop: true
    node:
      rabbitmqConf:
        - name: ssl_options.cacertfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/ca-cert.pem
        - name: ssl_options.certfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/server-cert.pem
        - name: ssl_options.keyfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/server-key.pem
        - name: ssl_options.verify
          value: verify_peer
        - name: ssl_options.fail_if_no_peer_cert
          value: false
        - name: management.listener.ssl
          value: true
        - name: listeners.ssl.default
          value: 5671
    autoStop: true
    url: amqps://guest:password@rabbitmq:5671
    password: password
  env:
    GODEBUG: "x509ignoreCN=0"
    RABBITMQ_ERLANG_COOKIE: "{{ xray_first_node }}-ERLANG-COOKIE"
    RABBITMQ_NODENAME: "{{ inventory_hostname_short }}"
    XRAY_CERT_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/client-cert.pem"
    XRAY_CERT_KEY_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/client-key.pem"
    XRAY_CA_CERT_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/ca-cert.pem"
5. Make sure that $XRAY_HOME/app/bin/rabbitmq/rabbitmq.conf is configured to use the certificates. It should look similar to the following; the {{ ... }} placeholders are Ansible template variables, so substitute the real ports and certificate directory if you edit the file by hand. listeners.tcp = none disables the plaintext AMQP listener, so every client must use the TLS port. loopback_users.guest = false allows the guest account to connect from other hosts, which is only acceptable with a non-default password for that account.
listeners.tcp = none
listeners.ssl.default = {{ xray_rabbitmq_ssl_port_1 }}
listeners.ssl.other_port = {{ xray_rabbitmq_ssl_port_2 }}
loopback_users.guest = false
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = {{ xray_rabbitmq_certs_dir }}/ca-cert.pem
ssl_options.certfile = {{ xray_rabbitmq_certs_dir }}/server-cert.pem
ssl_options.keyfile = {{ xray_rabbitmq_certs_dir }}/server-key.pem
management.ssl.port = {{ xray_rabbitmq_management_ssl_port }}
management.ssl.cacertfile = {{ xray_rabbitmq_certs_dir }}/ca-cert.pem
management.ssl.certfile = {{ xray_rabbitmq_certs_dir }}/server-cert.pem
management.ssl.keyfile = {{ xray_rabbitmq_certs_dir }}/server-key.pem
management.listener.ssl = true
6. Run the REST API call below to enable the TLS connection to RabbitMQ in Xray. The setting that matters here is enableTlsConnectionToRabbitMQ; the other fields are sample values. Retrieve your current settings first with a GET on the same endpoint and reuse them in the body so that you do not overwrite them with the sample ones.
curl -u<ADMIN:PASSWORD> -X PUT -H "Content-Type: application/json" http://<ARTIFACTORY>:8082/xray/api/v1/configuration/systemParameters -d '{"sslInsecure": false,"maxDiskDataUsage": 80,"monitorSamplingInterval": 300,"mailNoSsl": false,"messageMaxTTL": 7,"jobInterval": 86400,"allowSendingAnalytics": true,"httpsPort": 443,"enableTlsConnectionToRabbitMQ": true,"httpClientMaxConnections": 50,"httpClientMaxIdleConnections": 20}'
7. Restart Xray and confirm that it connects to RabbitMQ over port 5671. If the Xray server log still reports a certificate or hostname verification error, check that the DNS SAN in server-cert.pem matches the host in shared.rabbitMq.url exactly and that ca-cert.pem at XRAY_CA_CERT_FILE_PATH is the CA that signed it.