Mahedee Hasan

Mahedee Hasan

I am a Microsoft MVP (9th times), programmer, software developer, software architect, consultant, author, researcher, technical blogger, technical speaker, trainer and learner. I have more than 15 years experience in the field of software design and development.

How to Configure SSL and HTTPS for RabbitMQ in Docker

6 minute read

Securing RabbitMQ with SSL/TLS and enabling HTTPS access for the Management UI is essential to protect data and ensure a secure environment. This guide walks you through the steps to set up RabbitMQ with SSL/TLS on Docker Desktop and enable HTTPS for the Management UI. Follow along to configure RabbitMQ to handle encrypted AMQP connections as well as a secure Management interface.

Prerequisites

To follow this guide, you’ll need:

  1. Docker Desktop: Installed and running on your machine.
  2. RabbitMQ Configuration Files: Basic familiarity with RabbitMQ configurations and SSL certificates.
  3. OpenSSL: To create self-signed certificates if needed.

Step 1: Create SSL/TLS Certificates

To secure RabbitMQ over SSL, you’ll need three key files:

  • ca_certificate.pem: Certificate Authority (CA) certificate. This file is required for RabbitMQ to validate client certificates.
  • server_certificate.pem: Server certificate signed by the CA. This file is used by RabbitMQ to authenticate itself to clients.
  • server_key.pem: Private key for the server certificate. This file is used by RabbitMQ to decrypt incoming client requests.

Creating Self-Signed Certificates

1: Create a Certificate Authority (CA)

First, create a CA certificate to sign the server certificate.

1.1 Generate a private key for the CA:

   openssl genpkey -algorithm RSA -out ca_key.pem -aes256
  • You’ll be prompted to create a passphrase for the CA key. Remember this, as it will be needed to sign certificates.

1.2 Generate a CA certificate:

   openssl req -x509 -new -nodes -key ca_key.pem -sha256 -days 3650 -out ca_certificate.pem
  • You’ll be asked to fill out details for the CA certificate (such as country, organization, etc.). This will generate the ca_certificate.pem file.
  • You can keep everything blank if you’re creating a self-signed certificate for testing purposes.

2: Create the Server Certificate and Key

Next, create the server certificate that RabbitMQ will use, signed by your CA.

2.1. Generate a private key for the server:

   openssl genpkey -algorithm RSA -out server_key.pem

2.2. Create a Certificate Signing Request (CSR) for the server certificate:

   openssl req -new -key server_key.pem -out server_csr.pem
  • You’ll be prompted to enter details for the server. Be sure to set Common Name (CN) to the server’s hostname or IP address, as clients will check this when verifying the server’s identity.
  • You can keep other fields blank for testing purposes.

2.3. Sign the server certificate with the CA:

   openssl x509 -req -in server_csr.pem -CA ca_certificate.pem -CAkey ca_key.pem -CAcreateserial -out server_certificate.pem -days 3650 -sha256
  • This step signs the server_certificate.pem with ca_certificate.pem, creating a valid SSL certificate for the server. The -CAcreateserial flag creates a ca_certificate.srl file that manages the CA’s serial numbers for certificates.

After completing the above steps, you should have these files:

  • ca_certificate.pem: The CA certificate file used to verify server identity.
  • server_certificate.pem: The server’s signed certificate file.
  • server_key.pem: The server’s private key file.

These files can now be used in the docker-compose.yml setup you configured earlier. Ensure the certificates are placed in the correct certs directory and that permissions are set to secure access to the private key (server_key.pem).

Step 2: Set Up rabbitmq.conf for SSL and HTTPS

RabbitMQ requires configurations to enable SSL for AMQP client connections (on port 5671) and HTTPS for the Management UI (on port 15671). Let’s create a rabbitmq.conf file with these configurations:

# SSL settings for the main AMQP listener (used for client connections over SSL/TLS)
listeners.ssl.default = 5671                     # AMQP listener over SSL/TLS on port 5671
ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem  # Path to the CA certificate to verify client certificates
ssl_options.certfile = /etc/rabbitmq/certs/server_certificate.pem # Path to the server certificate for RabbitMQ
ssl_options.keyfile = /etc/rabbitmq/certs/server_key.pem         # Path to the server private key for SSL
ssl_options.verify = verify_peer                # Requires clients to present valid certificates (mutual authentication)
ssl_options.fail_if_no_peer_cert = true         # Disconnects clients if they don't present a valid certificate

# Enable HTTPS for the management interface
management.listener.port = 15671                # Port for accessing RabbitMQ Management UI over HTTPS
management.listener.ssl = true                  # Enable SSL for the management UI listener
management.listener.ip = 0.0.0.0                # Bind to all available network interfaces to accept external connections

# SSL options for HTTPS management listener
management.listener.ssl_opts.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem  # CA certificate for HTTPS verification
management.listener.ssl_opts.certfile = /etc/rabbitmq/certs/server_certificate.pem # Server certificate for HTTPS
management.listener.ssl_opts.keyfile = /etc/rabbitmq/certs/server_key.pem         # Private key for HTTPS
management.listener.ssl_opts.verify = verify_none          # Allows clients to access without presenting a client certificate
management.listener.ssl_opts.fail_if_no_peer_cert = false  # Does not require client certificates for HTTPS access

In this configuration:

  • AMQP (5671): The verify_peer and fail_if_no_peer_cert options enforce strict client certificate validation.
  • Management UI (15671): Allows HTTPS access without requiring client certificates.

Save this file as rabbitmq.conf.

Step 3: Configure docker-compose.yml for RabbitMQ

To set up RabbitMQ with the configurations and certificates, we need to update docker-compose.yml:

version: '3.8'

services:
  rabbitmq:
    image: rabbitmq:3-management
    container_name: rabbitmq
    ports:
      - "5671:5671"         # RabbitMQ SSL port
      - "15671:15671"       # RabbitMQ management plugin port
    environment:
      RABBITMQ_DEFAULT_USER: user             # Default username
      RABBITMQ_DEFAULT_PASS: password         # Default password
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq      # Data persistence
      - ./certs:/etc/rabbitmq/certs          # Mount the certs directory of local machine to the container directory
      - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf  # Custom RabbitMQ configuration file. This file is used to enable SSL and configure the SSL certificates. rabbitmq.conf file is mounted to the container directory /etc/rabbitmq/rabbitmq.conf
    command: ["rabbitmq-server"]            # Start the RabbitMQ server. This command is used to start the RabbitMQ server with the custom configuration file.

volumes:
  rabbitmq_data:

#rabbitmq_data is mounted to /var/lib/rabbitmq inside the container. RabbitMQ stores its data in /var/lib/rabbitmq by default, so mounting a persistent volume to this location ensures that data generated by RabbitMQ is saved in the rabbitmq_data volume.

Explanation of the Volume Mounts

  • rabbitmq_data: Ensures RabbitMQ data (queues, exchanges, etc.) persist across container restarts.
  • ./certs: Mounts the local certificates folder to /etc/rabbitmq/certs inside the container, where RabbitMQ can access them.
  • ./rabbitmq.conf: Mounts the custom configuration file into /etc/rabbitmq/rabbitmq.conf inside the container.

The folder structure as follows:

rabbitmq-ssl
│   docker-compose.yml
│   rabbitmq.conf
│   certs/
│       ca_certificate.pem
│       server_certificate.pem
│       server_key.pem

Step 4: Start RabbitMQ and Verify SSL Configuration

  1. Run the following command to start the RabbitMQ container with HTTPS and SSL enabled:

    docker-compose up -d

  2. Verify that RabbitMQ is listening on the correct ports:

    docker ps

    You should see ports 5671 (for AMQP over SSL) and 15671 (for HTTPS management) mapped.

Step 5: Access the RabbitMQ Management UI over HTTPS

Open your browser and navigate to https://localhost:15671. If you’re using a self-signed certificate, you’ll likely see a security warning. Proceed by accepting the certificate to access the Management UI.

Step 6: Configure AMQP Clients for SSL Connections

For applications or services that connect to RabbitMQ over AMQP, use the following settings:

  • URL: amqps://localhost:5671
  • CA Certificate: ca_certificate.pem (for client validation)

Client applications should verify the RabbitMQ server certificate by using ca_certificate.pem. Depending on the client library, you may need to specify additional SSL options.

Troubleshooting Tips

  • Permissions: Ensure that the .pem files are readable by the RabbitMQ process inside the container.
  • SSL/TLS Version Compatibility: Some clients may have specific SSL/TLS requirements. Ensure your configuration aligns with the client’s requirements.

Conclusion

Setting up RabbitMQ with SSL/TLS and enabling HTTPS access for the Management UI greatly enhances security, especially in production environments. With these configurations, RabbitMQ can securely handle both AMQP client connections and browser-based management over HTTPS.

Following these steps, you’ll have a robust, secure RabbitMQ instance that protects your data in transit and allows safe administration.

Note for docker container:

  • docker exec -it rabbitmq bash - access the container terminal, rabbitmq is the container name
  • docker exec -it rabbitmq ls -l /etc/rabbitmq/certs - list the certs in the container
  • You can access container terminal from docker desktop as follows:
    • Click on the container
    • Click on Termianl tab

You May Also Enjoy