Configuring RabbitMQ SSL (HTTPS) and connecting Spring Boot to RabbitMQ over HTTPS
Create Certificate Authority
Generate the root certificate
cd /etc/rabbitmq/certs
openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -subj "/CN=demo.mlopshub.com/C=US/L=San Fransisco" -keyout rootCA.key -out rootCA.crt
Create the Server Private Key
openssl genrsa -out server.key 2048
Create the csr.conf file and fill in the certificate details
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = California
L = San Fransisco
O = MLopsHub
OU = MlopsHub Dev
CN = demo.mlopshub.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = demo.mlopshub.com
DNS.2 = www.demo.mlopshub.com
IP.1 = 192.168.1.5
IP.2 = 192.168.1.6
Pay attention to the subjectAltName configuration here: if this certificate will be used on several servers, every domain name or IP address they are reached by must be listed.
Generate the CSR (certificate signing request)
openssl req -new -key server.key -out server.csr -config csr.conf
Create cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = demo.mlopshub.com
Generate the SSL certificate signed by the self-signed CA
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile cert.conf
This gives us rootCA.crt, the server certificate server.crt (which carries the public key) and the private key server.key.
Install RabbitMQ
Reference: https://computingforgeeks.com/installing-rabbitmq-on-centos-6-centos-7/
Configure HTTPS
touch /etc/rabbitmq/rabbitmq.config
vi /etc/rabbitmq/rabbitmq.config
[
{rabbit, [
{tcp_listeners, [5672]},
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "/etc/rabbitmq/certs/rootCA.crt"},
{certfile, "/etc/rabbitmq/certs/server.crt"},
{keyfile, "/etc/rabbitmq/certs/server.key"},
{verify, verify_none},
{fail_if_no_peer_cert, false},
{versions, ['tlsv1.2']}
]}
]},
{rabbitmq_management, [
{listener, [
{port, 15672},
{ip, "your ip"},
{ssl, true},
{ssl_opts,
[{cacertfile, "/etc/rabbitmq/certs/rootCA.crt"},
{certfile, "/etc/rabbitmq/certs/server.crt"},
{keyfile, "/etc/rabbitmq/certs/server.key"}
]}
]}
]}
].
Restart RabbitMQ and start Spring Boot
sudo systemctl restart rabbitmq-server
At this point you will most likely run into an error on startup.
This one is nasty: the error message gives no hint of what is wrong, because the log is far too vague. The real cause is the file permissions on the certificates.
Fix the permissions on the certificate files
sudo chown -R rabbitmq:rabbitmq /etc/rabbitmq/certs/
sudo chmod 777 /etc/rabbitmq/certs/rootCA.crt
sudo chmod 777 /etc/rabbitmq/certs/server.crt
sudo chmod 777 /etc/rabbitmq/certs/server.key
Double-check every path carefully; not a single character may be wrong
{cacertfile, "/etc/rabbitmq/certs/rootCA.crt"},
{certfile, "/etc/rabbitmq/certs/server.crt"},
{keyfile, "/etc/rabbitmq/certs/server.key"}
I once accidentally put the key in certfile, which caused "failed to check/redeclare auto-delete queue(s)".
I spent ages checking, and the log will not tell you directly that the certificate path is the problem. This kind of mistake can be avoided by being a bit more careful; lesson learned...
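A pre-flight check for exactly the failures described above (a mistyped path, key and certificate swapped, files the broker cannot read), run before restarting the broker. This is an added example, not a script from the original post; it assumes the file layout of the rabbitmq.config above, and the paths, host name and broker user are parameters rather than anything the post states.

```shell
#!/bin/sh
# Pre-flight check of the RabbitMQ TLS files before restarting the broker.
# Added example, not part of the original post. Assumes the file layout of
# rabbitmq.config above; paths, host name and broker user are parameters.
CERT_DIR="${CERT_DIR:-/etc/rabbitmq/certs}"
RABBIT_USER="${RABBIT_USER:-rabbitmq}"

# check_tls_files CA CERT KEY HOST
# Prints one line per finding and returns 0 only when every check passes.
check_tls_files() {
  ca="$1"; cert="$2"; key="$3"; host="$4"; rc=0
  # 1. every configured path must exist and be readable: one wrong character
  #    in rabbitmq.config only shows up as a vague error in the broker log
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "MISSING: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return "$rc"
  # 2. certfile must parse as a certificate and keyfile as a private key
  #    (swapping the two is the mistake described in the post)
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "NOT A CERT: $cert"; rc=1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || { echo "NOT A KEY: $key"; rc=1; }
  [ "$rc" -eq 0 ] || return "$rc"
  # 3. the key must belong to the certificate: compare their public keys
  certpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  keypub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$certpub" = "$keypub" ] || { echo "MISMATCH: $key does not belong to $cert"; rc=1; }
  # 4. the server cert must chain to the CA that clients import into cacerts
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "CHAIN: $cert is not signed by $ca"; rc=1; }
  # 5. the SAN must contain the name or IP clients connect with. Note that
  #    openssl x509 -req takes extensions from -extfile, so the alt_names in
  #    cert.conf, not those in csr.conf, decide what ends up here.
  openssl x509 -in "$cert" -noout -text | grep -Eq "(DNS|IP Address):$host" \
    || { echo "SAN: $cert has no entry for $host"; rc=1; }
  # 6. the private key must be readable by the broker user but not by everyone
  #    (chmod 777 makes the broker start, at the price of exposing the key)
  if find "$key" -perm -004 | grep -q .; then
    echo "PERMS: $key is world-readable"; rc=1
  fi
  owner=$(ls -ld "$key" | awk '{print $3}')
  [ "$owner" = "$RABBIT_USER" ] || echo "WARN: $key is owned by $owner, not $RABBIT_USER"
  return "$rc"
}

# Run against the broker's files: RUN_CHECK=1 sh check_tls.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_tls_files "$CERT_DIR/rootCA.crt" "$CERT_DIR/server.crt" "$CERT_DIR/server.key" demo.mlopshub.com
fi
```

A non-zero exit means the broker would fail (or the key would be exposed) after the restart; each printed line names the file and the reason.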
Add a user
sudo rabbitmqctl add_user username password
sudo rabbitmqctl set_user_tags username administrator
sudo rabbitmqctl set_permissions -p / username ".*" ".*" ".*"
Then restart RabbitMQ again
sudo systemctl restart rabbitmq-server
Now you should see the screen below, which means the management UI is configured correctly.
Log in and check the listening ports.
Connecting Spring Boot to RabbitMQ over HTTPS
On the client side you only need to import rootCA.crt into the JDK's cacerts trust store, which lives under the JDK's lib/security directory, for example:
D:\jdk\zulu11.54.25-ca-jdk11.0.14.1-win_x64\lib\security
keytool -import -alias aliasName -file /etc/rabbitmq/rootCA.crt -keystore jdk_home/lib/security/cacerts
Replace jdk_home with your JDK installation directory; no other changes to the application.yml configuration are needed:
spring:
  rabbitmq:
    host: ip_address
    port: 5671
    username: username
    password: password
    ssl:
      enabled: true
      algorithm: TLSv1.2
    listener:
      simple:
        retry:
          enabled: true
          max-attempts: 5
          initial-interval: 2000
        default-requeue-rejected: false
Then start your Spring Boot project. Done.
Copyright belongs to the original author Allen Wu (WU, ZHWIEI); in case of infringement, please contact us for removal.