
JIaLoNg
Published 2023-06-06 / 125 views / 1 comment / 0 likes

Enabling SSL (TLS) on RabbitMQ

I. Generating certificates with EasyRSA

Download easyrsa from GitHub - OpenVPN/easy-rsa (https://github.com/OpenVPN/easy-rsa, a simple shell-based CA utility), extract the archive and change into the extracted directory:

tar -zxvf EasyRSA-3.1.1.tgz
mv EasyRSA-3.1.1 easyrsa
cd easyrsa


Copy vars.example to vars and adjust the request defaults as needed. Note that these fields are only embedded in certificates when EASYRSA_DN is set to "org"; in the default "cn_only" mode (which the transcripts below use) each certificate carries just a Common Name.

set_var EASYRSA_REQ_COUNTRY "xxx"   # country
set_var EASYRSA_REQ_PROVINCE "xxx"  # province/state
set_var EASYRSA_REQ_CITY "xxx"      # city
set_var EASYRSA_REQ_ORG "xxx"       # organisation
set_var EASYRSA_REQ_EMAIL "xxx"     # e-mail address
set_var EASYRSA_REQ_OU "xxx"        # organisational unit (owner)

1. Generating the certificates

  1. Initialise the PKI directory

    ./easyrsa init-pki

    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa init-pki
    
    Notice
    ------
    'init-pki' complete; you may now create a CA or requests.
    
    Your newly created PKI dir is:
    * /opt/docker/rabbitmq/easyrsa/pki
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    * Using x509-types directory: /opt/docker/rabbitmq/easyrsa/x509-types
    
  2. Create the CA certificate; `nopass` leaves the CA private key unencrypted

    ./easyrsa build-ca nopass

    # Create the CA certificate. nopass skips the passphrase: acceptable for a throwaway lab CA, but this
    # key signs every certificate the broker will trust, so for real use drop nopass (keep a passphrase)
    # and keep the CA on a host other than the broker.
    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa build-ca nopass
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    Using configuration from /opt/docker/rabbitmq/easyrsa/pki/936a63aa/temp.c0ade534
    (OpenSSL key-generation progress output trimmed)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Chenji CA
    
    Notice
    ------
    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /opt/docker/rabbitmq/easyrsa/pki/ca.crt
    
  3. Create the server key pair; `rabbitmq` is the name used for the request and key files, and `nopass` leaves the private key unencrypted (the broker must read it at start-up without a prompt, so protect it with file permissions instead)

    ./easyrsa gen-req rabbitmq nopass

    # Create the server key pair (rabbitmq = request/key name, nopass = no passphrase on the key).
    # Easy-RSA accepts a --subject-alt-name=DNS:<host>,IP:<addr> option (placed before the command) on
    # gen-req and sign-req; without a SAN matching the broker's address, clients cannot verify the
    # host name, which is why section III ends up disabling that check.
    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa gen-req rabbitmq nopass
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    (OpenSSL key-generation progress output trimmed)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [rabbitmq]:
    
    Notice
    ------
    Keypair and certificate request completed. Your files are:
    req: /opt/docker/rabbitmq/easyrsa/pki/reqs/rabbitmq.req
    key: /opt/docker/rabbitmq/easyrsa/pki/private/rabbitmq.key
    
  4. Sign the server certificate (`sign` is shorthand for `sign-req`, the form used in step 6). Easy-RSA issues it for 3650 days by default (EASYRSA_CERT_EXPIRE in vars); ten years is long for a server certificate, so consider the `--days=` option for a shorter lifetime

    ./easyrsa sign server rabbitmq

    # Sign the server certificate request with the CA
    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa sign server rabbitmq
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a server certificate for 3650 days:
    
    subject=
        commonName                = rabbitmq
    
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    
    Using configuration from /opt/docker/rabbitmq/easyrsa/pki/ff75cb6e/temp.ab1a7ddc
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'rabbitmq'
    Certificate is to be certified until Nov 13 06:12:14 2032 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Notice
    ------
    Certificate created at: /opt/docker/rabbitmq/easyrsa/pki/issued/rabbitmq.crt
    
  5. Generate the client key pair; `client1` is the client's name (it becomes the certificate's Common Name)

    ./easyrsa gen-req client1 nopass

    # Generate the client key pair (nopass = unencrypted key; the PKCS#12 export in section 2 adds a password)
    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa gen-req client1 nopass
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    (OpenSSL key-generation progress output trimmed)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [client1]:
    
    Notice
    ------
    Keypair and certificate request completed. Your files are:
    req: /opt/docker/rabbitmq/easyrsa/pki/reqs/client1.req
    key: /opt/docker/rabbitmq/easyrsa/pki/private/client1.key
    
  6. Sign the client certificate

    ./easyrsa sign-req client client1

    # Sign the client certificate request with the CA (the "client" type gives it a clientAuth EKU,
    # so it cannot be presented as a server certificate)
    root@ubuntuy400:/opt/docker/rabbitmq/easyrsa# ./easyrsa sign-req client client1
    * Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    
    * Using Easy-RSA configuration: /opt/docker/rabbitmq/easyrsa/vars
    
    * The preferred location for 'vars' is within the PKI folder.
      To silence this message move your 'vars' file to your PKI
      or declare your 'vars' file with option: --vars=<FILE>
    
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a client certificate for 3650 days:
    
    subject=
        commonName                = client1
    
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    
    Using configuration from /opt/docker/rabbitmq/easyrsa/pki/0534ea1b/temp.c0174038
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'client1'
    Certificate is to be certified until Nov 13 06:15:09 2032 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Notice
    ------
    Certificate created at: /opt/docker/rabbitmq/easyrsa/pki/issued/client1.crt
    

Once the certificates exist, collect the files each side needs into one directory for the steps that follow.

Files needed:

CA certificate (goes to both the broker and the client)

easyrsa/pki/ca.crt

The CA private key, easyrsa/pki/private/ca.key, is not needed by either side. It should stay on the CA host; do not copy it alongside the broker or client material.

Server certificate (broker only)

easyrsa/pki/private/rabbitmq.key

easyrsa/pki/issued/rabbitmq.crt

Client certificate (client only)

easyrsa/pki/private/client1.key

easyrsa/pki/issued/client1.crt

2. Preparing the client certificate

The Spring Boot RabbitMQ client expects Java key stores rather than loose PEM files, so the client material has to be converted first.

1. Combine the client certificate and key into a PKCS#12 file

Concatenate the client's crt and key into one PEM file:

cat client1.crt client1.key > client1.pem

Convert the PEM to PKCS#12; the PEM can be deleted afterwards. openssl prompts for an export password here, and that password is what the client config later supplies as key-store-password. (openssl pkcs12 -export also accepts the certificate via -in and the key via -inkey as separate files, which avoids the intermediate PEM.)

openssl pkcs12 -export -in client1.pem -out client1.p12

2. Build a trust store for the client

# Import the certificate the client should trust. keytool prompts for a store password, which becomes
# trust-store-password in the client config. Importing the server's leaf certificate, as done here, works
# but means every client must be updated when that certificate is renewed; importing ca.crt instead
# (-file ca.crt) trusts whatever the CA signs and survives server certificate rotation.
keytool -import -alias rabbitmq -file rabbitmq.crt -keystore rabbitmqStore

The directory then contains the following (ca.key should not actually be here, as noted above; rabbitmq.key goes only to the broker, and client1.key/client1.p12 only to the client):

ca.crt
ca.key
client1.crt
client1.key
client1.p12
rabbitmq.crt
rabbitmq.key
rabbitmqStore
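Added example, not part of the original article: the same PKI built with plain openssl as a stand-in for the Easy-RSA commands above (so it runs without Easy-RSA installed), covering both the certificate generation in section 1 and the client-side packaging in section 2. It differs from the article's files in three deliberate ways: the server certificate carries a SAN for the broker's name and IP (so the client can keep host name verification on), the PKCS#12 bundle is built directly from certificate and key, and the Java trust store holds the CA certificate rather than the server leaf. The host name rabbitmq.example.internal, the IP 192.168.3.3 and the password 000000 are placeholders. verify_pki runs the checks worth doing before the files are shipped.

```shell
#!/bin/sh
# Added example (not the article's code): mutual-TLS PKI for RabbitMQ with plain
# openssl, plus the checks a reviewer would run on the result. Host name, IP and
# password below are placeholders for the demo.
set -eu

RABBIT_HOST="${RABBIT_HOST:-rabbitmq.example.internal}"   # assumed broker DNS name
RABBIT_IP="${RABBIT_IP:-192.168.3.3}"                     # IP the article's client connects to
P12_PASS="${P12_PASS:-000000}"                            # PKCS#12 export / store password (demo only)

# make_pki DIR: writes ca.crt, ca.key, rabbitmq.crt/.key, client1.crt/.key,
# client1.p12 (and rabbitmqStore if keytool exists) into DIR. The server cert
# gets a SAN so clients can verify the host name; EKUs keep server and client
# certificates from being swapped for each other.
make_pki() (
    cd "$1" || exit 1
    # 1. CA. The key stays on the CA host; it is never copied to broker or client.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=Chenji CA" -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server key + CSR, signed as a server certificate with DNS and IP SANs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rabbitmq" \
        -keyout rabbitmq.key -out rabbitmq.req 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$RABBIT_HOST" "$RABBIT_IP" > server.ext
    openssl x509 -req -in rabbitmq.req -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.ext -out rabbitmq.crt 2>/dev/null
    # 3. Client key + CSR, signed as a client certificate (clientAuth only).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout client1.key -out client1.req 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
    openssl x509 -req -in client1.req -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile client.ext -out client1.crt 2>/dev/null
    # 4. PKCS#12 bundle for the Spring client, straight from cert + key.
    openssl pkcs12 -export -in client1.crt -inkey client1.key -name client1 \
        -passout "pass:$P12_PASS" -out client1.p12
    # 5. Java trust store holding the CA (not the server leaf), so a renewed broker
    #    certificate does not break every client. Only runs if a JDK is present.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias rabbitmq-ca -file ca.crt \
            -keystore rabbitmqStore -storepass "$P12_PASS" >/dev/null 2>&1
    fi
    chmod 600 ca.key rabbitmq.key client1.key client1.p12
)

# verify_pki DIR: returns 0 only if every check passes.
verify_pki() {
    dir="$1"; rc=0
    # each leaf must chain to the CA for its intended purpose...
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/rabbitmq.crt" >/dev/null 2>&1 || rc=1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client1.crt" >/dev/null 2>&1 || rc=1
    # ...and must fail for the other purpose, so a leaked client cert cannot pose as the broker
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/client1.crt" >/dev/null 2>&1 && rc=1
    # the server cert must carry the name the client will verify against
    openssl x509 -in "$dir/rabbitmq.crt" -noout -ext subjectAltName | grep -q "DNS:$RABBIT_HOST" || rc=1
    # the PKCS#12 bundle must contain the same client certificate as the PEM file
    p12_fp=$(openssl pkcs12 -in "$dir/client1.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    pem_fp=$(openssl x509 -in "$dir/client1.crt" -noout -fingerprint -sha256)
    [ "$p12_fp" = "$pem_fp" ] || rc=1
    return $rc
}
```

Run `make_pki ./ssl && verify_pki ./ssl && echo ok`, then copy ca.crt, rabbitmq.crt and rabbitmq.key to the broker, client1.p12 and rabbitmqStore to the client, and leave ca.key (and ca.srl) on the CA host. With the SAN in place the Spring client can connect to rabbitmq.example.internal (or the IP, which is in the SAN as well) with verify-hostname set to true. keytool from JDK 9 onwards writes the trust store in PKCS#12 format, which Java's JKS loader still reads.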

II. Enabling TLS in RabbitMQ itself (Docker image)

Edit rabbitmq.conf:

# Port for the TLS listener (AMQPS)
listeners.ssl.default=5671
# To refuse plaintext AMQP on 5672 entirely, also set: listeners.tcp = none
# CA certificate, server certificate and private key of the broker
ssl_options.cacertfile=/etc/rabbitmq/ssl/ca.crt
ssl_options.certfile=/etc/rabbitmq/ssl/rabbitmq.crt
ssl_options.keyfile=/etc/rabbitmq/ssl/rabbitmq.key

# verify_none ignores the result of peer certificate verification entirely;
# verify_peer asks the client for a certificate and validates it against cacertfile
ssl_options.verify=verify_peer
# true: a client that presents no certificate fails the TLS handshake (mutual TLS is mandatory);
# false: a client without a certificate still completes the handshake and is then identified
# only by its username and password
ssl_options.fail_if_no_peer_cert=true

Edit the Dockerfile:

# Pin a specific version tag in production instead of the floating "management" tag
FROM rabbitmq:management
# COPY keeps the mode of the source file; Easy-RSA writes private keys with restrictive
# permissions, so check the key is still 0600 in the build context before building
COPY --chown=rabbitmq:rabbitmq ssl/ca.crt  /etc/rabbitmq/ssl/ca.crt
COPY --chown=rabbitmq:rabbitmq ssl/rabbitmq.crt  /etc/rabbitmq/ssl/rabbitmq.crt
COPY --chown=rabbitmq:rabbitmq ssl/rabbitmq.key  /etc/rabbitmq/ssl/rabbitmq.key
COPY --chown=rabbitmq:rabbitmq rabbitmq.conf  /etc/rabbitmq/conf.d/
EXPOSE 5671

Build the image:

docker build -t rabbitmq-cj:v1 .

Run it. The tag must match the one just built (a bare rabbitmq-cj would look for rabbitmq-cj:latest, which does not exist), and --net=host would make the -p mappings meaningless, so use port mappings or host networking, not both:

docker run -d -p 5671:5671 -p 5672:5672 -p 15672:15672 --name rabbitmq rabbitmq-cj:v1

Publishing 5672 keeps plaintext AMQP reachable next to 5671; drop that mapping (or set listeners.tcp = none) if only TLS connections should be accepted.

A non-Docker installation works the same way: set the certificate paths in rabbitmq.conf. See "TLS Support" in the RabbitMQ documentation.

III. Client configuration

Add the generated p12 and trust store files to the project (under src/main/resources/ssl/rabbitmq, matching the classpath paths in the config below).

Configure the RabbitMQ connection in the project:

spring:
  rabbitmq:
    host: 192.168.3.3
    username: test
    # do not commit real credentials; supply them from an environment variable or a secret store
    password: 12345678
    virtual-host: "/"
    port: 5671
    ssl:
      enabled: true
      key-store: "classpath:/ssl/rabbitmq/client1.p12"
      # the export password given to openssl pkcs12 -export
      key-store-password: "000000"
      trust-store: "classpath:/ssl/rabbitmq/rabbitmqStore"
      # the store password chosen when keytool created the trust store
      trust-store-password: "000000"
      # false disables host name verification: any certificate the trust store accepts is taken as the
      # broker, whichever host it was issued for. It is false here only because the server certificate
      # has CN=rabbitmq and no SAN while the client connects by IP; issue the server certificate with a
      # SAN for the real host name or IP and set this to true.
      verify-hostname: false
