@@ -29,7 +29,7 @@ limitations under the License.
2929 <doc : section name =" intro"
3030 <p class =" intro"
3131 nodes talk to each other using TLS (SSL), and thus make the whole RabbitMQ
32- cluster communication via TLS. To achieve that we need to make the
32+ cluster communication via TLS. To achieve that we need to configure the
3333 Erlang distribution mechanism to use TLS. In this document we are
3434 going to review the steps to make this possible.</p >
3535 </doc : section >
@@ -57,12 +57,12 @@ cat server_certificate.pem server_key.pem > rabbit.pem
5757# /etc/rabbitmq/rabbitmq-env.conf and will preserve the existing
5858# contents of that file if it already exists
5959
60- erl -noinput -eval 'io:format("ERL_SSL_PATH=~p ~n",[ code:lib_dir(ssl, ebin)]),halt().' > /tmp/ssl-path.txt
60+ erl -noinput -eval 'io:format("ERL_SSL_PATH=~s ~n", [filename:dirname( code:which(inet_tls_dist))])' -s init stop > /tmp/ssl-path.txt
6161cat /tmp/ssl-path.txt /etc/rabbitmq/rabbitmq-env.conf > /tmp/new-rabbitmq-env.conf
6262mv -f /tmp/new-rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf
6363</pre >
6464
65- <p >First we find where Erlang has the ssl library, and then the
65+ <p >First we find where Erlang has the < code >inet_tls_dist</ code > library, and then the
6666 variable <code >ERL_SSL_PATH</code > is set with the result from that command.</p >
6767
6868 <p >By using the previous information now is time to craft the
@@ -92,7 +92,10 @@ SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
9292 <code >/etc/rabbitmq/rabbitmq-env.conf</code > file:</p >
9393
9494<pre class =" sourcecode bash"
95- # NOTE: the following path is **system dependent**
95+ # NOTE: the following path is **system dependent** (will
96+ # change depending on Erlang version, distribution used
97+ # installation method used). Please double check it before
98+ # proceeding.
9699ERL_SSL_PATH="/usr/lib64/erlang/lib/ssl-8.2.4/ebin"
97100
98101SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
@@ -131,9 +134,68 @@ CTL_ERL_ARGS="-pa $ERL_SSL_PATH \
131134 </p >
132135 </doc : section >
133136
134- <doc : section name =" how-to-osx"
135- <doc : heading >OS X</doc : heading >
136- <p >If you are using the OSX Standalone Release, then you need
137+ <doc : section name =" how-to-linux-ssl_dist_optfile"
138+ <doc : heading >Linux (Erlang 20.2 and later)</doc : heading >
139+ <p >Starting with <a href =" http://www.erlang.org/news/116" a >,
140+ Erlang supports the <code >-ssl_dist_optfile</code >
141+ argument that allows configuring TLS for distributed Erlang in a file. This greatly simplifies
142+ the arguments passed on the command line itself.
143+ </p >
144+ <p >
145+ Here is a complete <code >/etc/rabbitmq/rabbitmq-env.conf</code > file using this setting.
146+ Note that the name of the <code >-ssl_dist_optfile</code > file is not significant, it just
147+ must be saved in a location readable by the <code >rabbitmq</code > user:
148+ </p >
149+
150+ <pre class =" sourcecode bash"
151+ # NOTE: the following path is **system dependent**
152+ ERL_SSL_PATH="/usr/lib64/erlang/lib/ssl-8.2.4/ebin"
153+
154+ SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH \
155+ -proto_dist inet_tls \
156+ -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config
157+
158+ CTL_ERL_ARGS="-pa $ERL_SSL_PATH \
159+ -proto_dist inet_tls \
160+ -ssl_dist_optfile /etc/rabbitmq/ssl_dist.config
161+ </pre >
162+
163+ <p >
164+ Here is an example <code >/etc/rabbitmq/ssl_dist.config</code > file:
165+ </p >
166+
167+ <pre class =" sourcecode bash"
168+ [
169+ {server, [
170+ {cacertfile, "/full/path/to/ca_certificate.pem"},
171+ {certfile, "/full/path/to/server_certificate.pem"},
172+ {keyfile, "/full/path/to/server_key.pem"},
173+ {secure_renegotiate, true},
174+ {verify, verify_peer},
175+ {fail_if_no_peer_cert, true}
176+ ]},
177+ {client, [
178+ {cacertfile, "/full/path/to/ca_certificate.pem"},
179+ {certfile, "/full/path/to/client_certificate.pem"},
180+ {keyfile, "/full/path/to/client_key.pem"},
181+ {secure_renegotiate, true},
182+ {verify, verify_peer},
183+ {fail_if_no_peer_cert, true}
184+ ]}
185+ ].
186+ </pre >
187+ <p >
188+ The file contains many of the most common options enabled to fully validate certificates.
189+ These options are documented further in the Erlang/OTP documentation:
190+ <a href =" http://erlang.org/doc/apps/ssl/ssl_distribution.html" a >
191+ as well as in the <a href =" http://erlang.org/doc/man/ssl.html" a >.
192+ </p >
193+
194+ </doc : section >
195+
196+ <doc : section name =" how-to-macos"
197+ <doc : heading >MacOS</doc : heading >
198+ <p >If you are using the <a href =" /install-standalone-mac.html#standalone-mac" a >, then you need
137199 to add some extra arguments in order to run the <code >erl</code >
138200 command to find the path of Erlang's TLS library. Assuming you are
139201 inside the folder where you installed the standalone release, the
@@ -146,14 +208,18 @@ echo erts-6.1/bin/erl -boot releases/3.4.3/start_clean \
146208export ERL_SSL_PATH=/path/to/erl/lib/ssl-5.3.5/ebin
147209</pre >
148210
149- <p >The difference is that we need to specify the path to the
150- <code >erl</code > executable and also provide a path to a boot file,
151- which in our case is inside the releases folder of our standalone
152- installation.</p >
211+ <p >
212+ The difference is that we need to specify the path to the
213+ <code >erl</code > executable and also provide a path to a boot file,
214+ which in our case is inside the releases folder of our standalone
215+ installation.
216+ </p >
153217
154- <p >Once you have ran the previous commands, then you can
155- proceed to create the environment variables as explained above on the
156- <a href =" /clustering-ssl.html#how-to-linux" a ></p >
218+ <p >
219+ Once you have ran the previous commands, then you can
220+ proceed to create the environment variables as explained above on the
221+ <a href =" /clustering-ssl.html#how-to-linux" a >
222+ </p >
157223
158224 </doc : section >
159225
0 commit comments