Example: mTLS between RabbitMQ nodes #469
Conversation
mkuratczyk
changed the title
| - mtls-inter-node-server-0.mtls-inter-node-nodes.default | ||
| - mtls-inter-node-server-1.mtls-inter-node-nodes.default | ||
| - mtls-inter-node-server-2.mtls-inter-node-nodes.default |
There was a problem hiding this comment.
From the RabbitMQ clustering ssl docs:
It is possible to reuse a single certificate/key pair for all nodes and CLI tools. The certificate can also use a wildcard Subject Alternative Name (SAN) or Common Name (CN) such as *.rabbitmq.example.local that would match every hostname in the cluster.
Do you think a wildcard name will work here too? I remember you had concerns around this approach if we were to scale up the cluster.
There was a problem hiding this comment.
Yes, I tested the wildcard option shortly after submitting the PR. Wildcard would make it easier to add nodes to the cluster for example, but I know some companies don't like wildcard certs.
| {customize_hostname_check, [ | ||
| {match_fun, public_key:pkix_verify_hostname_match_fun(https)} | ||
| ]} |
There was a problem hiding this comment.
Why were these lines added?
They are not in the RabbitMQ docs example.
Is it to get over a certain problem you encountered?
There was a problem hiding this comment.
Taken from @lukebakken's example (https://github.com/lukebakken/erlang-inet-dist). As far as I tested, without this, Erlang would accept any name in the certificate.
|
It all works for me. Above are:
|
Co-authored-by: Feroz Jilla <[email protected]>
Co-authored-by: Feroz Jilla <[email protected]>
Co-authored-by: Feroz Jilla <[email protected]>
|
Thanks for adding the commands for verifying the TLS connection |
This example shows how to configure mTLS between RabbitMQ nodes. It uses Cert Manager but could be used without it (secret would have to be created manually).