XRAY: How to create RabbitMQ certs with SANs
This article was contributed by a strong member of our community:
Bradley Herrin, IBM
bcherrin.wolfpack@gmail.com
GitHub: bradleycherrin
When connecting to RabbitMQ via TLS, you may run into the following error if the certificate does not carry a Subject Alternative Name (SAN) extension and only identifies the host through its Common Name:

2022-03-15T23:10:21.393Z [jfxr ] [ERROR] [35739315012a120d] [mq_connector:270 ] [main ] Error connecting to rabbit message queue check mq settings. Error: x509: certificate relies on legacy Common Name field, use SANs instead
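The check behind this error, as an added Go example that is not part of the article: it issues a throwaway CA and a leaf certificate for testxray.vm (the host used in the commands below) with and without a DNS SAN, then verifies the leaf the way a Go TLS client does. The names certificate-authority and testxray.vm come from the article; the keys and certificates are generated in memory and exist only for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// VerifyHost issues a throwaway CA and a leaf with CN "testxray.vm" (the article's host)
// carrying the given DNS SANs (nil = CN-only leaf), then verifies the leaf for host the way
// a Go TLS client does: build a chain to the CA, then match the hostname against the SANs.
func VerifyHost(sans []string, host string) error {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral demo keys
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "certificate-authority"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return err
	}
	ca, _ := x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "testxray.vm"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		DNSNames: sans, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// UsesLegacyCN reports whether err is the hostname failure quoted in the article.
func UsesLegacyCN(err error) bool {
	return err != nil && strings.Contains(err.Error(), "legacy Common Name field")
}
```

A leaf whose SAN names a different host fails too, but with the ordinary "certificate is valid for X, not Y" message rather than the legacy Common Name one.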
How to create the certificate with SANs
To resolve this we will need to create the certificate with SANs. The steps to do this may depend on your OpenSSL version; in the example below the cert was created using OpenSSL 1.1.1. These instructions should be similar to the ones documented on our wiki, however, this will go over how to create the certificate with SANs and the general configuration steps.
1. Create an openssl.cnf with the following contents. The SAN lives in the req_ext section:
[req]
default_bits = 4096
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

[req_attributes]

[req_distinguished_name]
countryName = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = XXX
localityName = XXX
0.organizationName = JFROG
organizationalUnitName = XXX
commonName = jfrog.com
commonName_max = 64
emailAddress = example@jfrog.com
emailAddress_max = 64

# Extensions applied to the CA certificate (-extensions v3_ca)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

# Extensions applied to the server and client certificates (-extensions req_ext).
# "openssl x509 -req" does not copy extensions from the CSR, so the SAN must be
# supplied from this section; CA:FALSE keeps the leaf certificates from being CAs.
[ req_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:testxray.vm

2. Generate the CA, then the server and client certificates signed by it. The CA is signed with the v3_ca section; the server and client certificates are signed with the req_ext section so that the issued certificates actually carry the SAN:
openssl req -new -nodes -text -out ca.csr -keyout ca-key.pem -subj "/CN=certificate-authority" -addext "subjectAltName = DNS:testxray.vm"
openssl x509 -req -in ca.csr -text -extfile openssl.cnf -extensions v3_ca -signkey ca-key.pem -out ca-cert.pem
openssl req -new -nodes -text -out server.csr -keyout server-key.pem -subj "/CN=testxray.vm" -addext "subjectAltName = DNS:testxray.vm"
openssl x509 -req -in server.csr -text -extfile openssl.cnf -extensions req_ext -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
openssl req -new -nodes -text -out client.csr -keyout client-key.pem -subj "/CN=testxray.vm" -addext "subjectAltName = DNS:testxray.vm"
openssl x509 -req -in client.csr -text -extfile openssl.cnf -extensions req_ext -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
3. We will need to copy these certificates to the correct location. Please refer to the following documentation for this as this may depend on your installation type.
4. We will then need to configure the Xray system.yaml to use these certificates. Below is a sample system.yaml for reference.
shared:
  rabbitMq:
    ## Enable this to stop rabbitmq along with other services of xray
    ## By default rabbitmq will always be running
    #autoStop: true
    node:
      rabbitmqConf:
        - name: ssl_options.cacertfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/ca-cert.pem
        - name: ssl_options.certfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/server-cert.pem
        - name: ssl_options.keyfile
          value: /var/opt/jfrog/xray/data/rabbitmq/certs/server-key.pem
        - name: ssl_options.verify
          value: verify_peer
        - name: ssl_options.fail_if_no_peer_cert
          value: false
        - name: management.listener.ssl
          value: true
        - name: listeners.ssl.default
          value: 5671
    autoStop: true
    url: amqps://guest:password@rabbitmq:5671
    password: password
  env:
    GODEBUG: "x509ignoreCN=0"
    RABBITMQ_ERLANG_COOKIE: "{{ xray_first_node }}-ERLANG-COOKIE"
    RABBITMQ_NODENAME: "{{ inventory_hostname_short }}"
    XRAY_CERT_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/client-cert.pem"
    XRAY_CERT_KEY_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/client-key.pem"
    XRAY_CA_CERT_FILE_PATH: "/opt/jfrog/xray/var/data/server/certs/ca-cert.pem"

Note that GODEBUG=x509ignoreCN=0 only restores Common Name matching in binaries built with Go 1.15 or 1.16; Go 1.17 removed the flag, so the certificates themselves must carry the SAN.
5. We also need to make sure that the $XRAY_HOME/app/bin/rabbitmq/rabbitmq.conf is configured to use the certs. It should look similar to the following.
listeners.tcp = none
listeners.ssl.default = {{ xray_rabbitmq_ssl_port_1 }}
listeners.ssl.other_port = {{ xray_rabbitmq_ssl_port_2 }}
loopback_users.guest = false
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = {{ xray_rabbitmq_certs_dir }}/ca-cert.pem
ssl_options.certfile = {{ xray_rabbitmq_certs_dir }}/server-cert.pem
ssl_options.keyfile = {{ xray_rabbitmq_certs_dir }}/server-key.pem
management.ssl.port = {{ xray_rabbitmq_management_ssl_port }}
management.ssl.cacertfile = {{ xray_rabbitmq_certs_dir }}/ca-cert.pem
management.ssl.certfile = {{ xray_rabbitmq_certs_dir }}/server-cert.pem
management.ssl.keyfile = {{ xray_rabbitmq_certs_dir }}/server-key.pem
management.listener.ssl = true
6. Finally, enable the TLS connection to RabbitMQ in the Xray system parameters through the REST API. The PUT below sends the whole systemParameters object, so fetch the current values first with a GET on the same endpoint and change only enableTlsConnectionToRabbitMQ, keeping the other parameters as they are in your environment:
curl -u<ADMIN:PASSWORD> -X PUT -H "Content-Type: application/json" http://<ARTIFACTORY>:8082/xray/api/v1/configuration/systemParameters -d '{"sslInsecure": false,"maxDiskDataUsage": 80,"monitorSamplingInterval": 300,"mailNoSsl": false,"messageMaxTTL": 7,"jobInterval": 86400,"allowSendingAnalytics": true,"httpsPort": 443,"enableTlsConnectionToRabbitMQ": true,"httpClientMaxConnections": 50,"httpClientMaxIdleConnections": 20}'