5
votes

Hi, I am using Let's Encrypt to generate an SSL certificate for my Dockerized RabbitMQ deployed in an Azure VM. After generating the certificates with certbot, I got cert.pem, chain.pem, fullchain.pem and privkey.pem in a folder called certs.

After that, I write a Dockerfile to build a Docker image based on the existing RabbitMQ Docker image, as follows:

FROM rabbitmq:3.8-management-alpine
RUN rabbitmq-plugins enable rabbitmq_web_stomp
COPY rabbitmq.conf /etc/rabbitmq/rabbitmq.conf
VOLUME ["/home/rabbitmq/certs"]

In addition, my rabbitmq.conf is:

loopback_users.guest = false
listeners.tcp.default = 5672
default_pass = rabbitmq_admin
default_user = rabbitmq_admin
management.tcp.port = 15672
management.ssl.port       = 15671
management.ssl.cacertfile = /home/rabbitmq/certs/chain.pem
management.ssl.certfile   = /home/rabbitmq/certs/cert.pem
management.ssl.keyfile    = /home/rabbitmq/certs/privkey.pem

Then I build the RabbitMQ Docker image with

docker build -t rabbitmq:3.8-ssl .

To run the image, I use a docker-compose file as follows:

version: '3'
services:
  rabbitmq:
    image: rabbitmq:3.8-ssl
    container_name: rabbitmq
    volumes:
      - ./certs:/home/rabbitmq/certs
    deploy:
      resources:
        limits:
          cpus: '0.30'
          memory: 300M
    ports:
      - 4369:4369
      - 5671:5671
      - 5672:5672
      - 15671:15671
      - 15672:15672
      - 15673:15673
      - 15674:15674
      - 25672:25672
    hostname: rabbitmq
    environment:
      - RABBITMQ_DEFAULT_USER=rabbitmq_admin
      - RABBITMQ_DEFAULT_PASS=rabbitmq_admin

However, when I run

docker-compose up

I got

Recreating rabbitmq ... done
Attaching to rabbitmq
rabbitmq      |
rabbitmq      | BOOT FAILED
rabbitmq      | ===========
rabbitmq      |
rabbitmq      | Config file generation failed:
rabbitmq      | 23:02:13.719 [error] management.ssl.keyfile invalid, file doesn/t exist or isn't     readable
rabbitmq      | 23:02:13.728 [error] Error generating configuration in phase validation
rabbitmq      | 23:02:13.728 [error] management.ssl.keyfile invalid, file doesn/t exist or isn't     readable
rabbitmq      | In case the setting comes from a plugin, make sure that the plugin is enabled.
rabbitmq      | Alternatively remove the setting from the config.
rabbitmq      |
rabbitmq      | {"init terminating in do_boot",generate_config_file}
rabbitmq      | init terminating in do_boot (generate_config_file)
rabbitmq      |
rabbitmq      | Crash dump is being written to: /var/log/rabbitmq/erl_crash.dump...done
rabbitmq exited with code 0

In case the certificate had some issue, I deployed an nginx web server with the same certificate (cert.pem and privkey.pem; it seems nginx does not need chain.pem) and it runs all good. I can see from Chrome that the certificate is valid.

Can anyone please help to see what could be wrong?

Thank you

1
Is your private key password protected... - Soumen Mukherjee
No, it's generated by Let's Encrypt so there is no password used. When the same privkey.pem is used by the web server (nginx), there is no password specified and it works fine. - Ben
I am also facing this... any help? - chiranjeevigk

1 Answer

0
votes

I encountered this issue today. The end result was just what the error says: rabbitmq could not view the certificate due to permissions. You can test by running

sudo su -l rabbitmq -s /bin/bash

Then attempt to view the certificate.

rabbitmq@ip-10-0-0-22:~$ cat /etc/letsencrypt/live/www.example.com/fullchain.pem
cat: /etc/letsencrypt/live/www.example.com/fullchain.pem: Permission denied

If you look at that file you'll see it is symlinked to the archive folder so just setting permissions on 'live' is not enough.

To fix it, I ran two commands to set the directories to be readable.

chmod ugo+rx /etc/letsencrypt/live/
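The manual test above can be scripted. The following is an added example, not code from the question or the answer: it reads the management.ssl.* paths out of a rabbitmq.conf and reports, for the user it runs as, any file that is missing, any directory on the (symlink-resolved) path that is not searchable, and any file that is not readable. It assumes a Linux environment with readlink -f (coreutils or busybox), and the fixture it builds (certbot-style live/ links into archive/) is constructed for the demonstration.

```shell
# Pre-flight check: can the current user read every file named by the
# management.ssl.* keys in a rabbitmq.conf? Run it as the rabbitmq user
# (su -l rabbitmq -s /bin/sh, or docker exec -u rabbitmq) to get its view.
check_one_file() {
    key="$1"; path="$2"
    # -e follows symlinks: a live/*.pem link whose archive/ target is
    # absent (e.g. only live/ was copied or mounted) is caught here.
    if [ ! -e "$path" ]; then
        echo "$key: $path does not exist (or is a dangling symlink)"; return 1
    fi
    real=$(readlink -f "$path")
    # Every directory on the way to the real file must be searchable (+x),
    # so chmod on live/ alone is not enough when it links into archive/.
    dir=$(dirname "$real")
    while [ "$dir" != "/" ]; do
        if [ ! -x "$dir" ]; then
            echo "$key: directory $dir is not searchable by $(id -un)"; return 1
        fi
        dir=$(dirname "$dir")
    done
    if [ ! -r "$real" ]; then
        echo "$key: $real is not readable by $(id -un)"; return 1
    fi
}
# Returns 0 when every configured file is readable, else 1 (one line per problem).
check_rabbitmq_tls_files() {
    conf="$1"; status=0
    for k in cacertfile certfile keyfile; do
        path=$(sed -n "s/^[[:space:]]*management\.ssl\.$k[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
        [ -n "$path" ] || continue
        check_one_file "management.ssl.$k" "$path" || status=1
    done
    return $status
}
# Constructed fixture (not from the question): certbot-style live/ -> archive/
# symlinks plus a rabbitmq.conf pointing at them; prints the conf path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    for f in chain cert privkey; do
        printf 'constructed %s\n' "$f" > "$root/archive/example.com/${f}1.pem"
        ln -s "../../archive/example.com/${f}1.pem" "$root/live/example.com/$f.pem"
    done
    for pair in cacertfile:chain certfile:cert keyfile:privkey; do
        printf 'management.ssl.%s = %s/live/example.com/%s.pem\n' \
            "${pair%%:*}" "$root" "${pair#*:}" >> "$root/rabbitmq.conf"
    done
    echo "$root/rabbitmq.conf"
}
```

Point it at the real config with `check_rabbitmq_tls_files /etc/rabbitmq/rabbitmq.conf` from inside the container (or on the host, as the rabbitmq user); a clean run prints nothing and exits 0.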