What this guide demonstrates
- TLS handshake validation
- Server certificate trust
- Basic auth and RabbitMQ DB operations
- Image compatibility
Components
- RabbitMQ image built by Minimus: RabbitMQ configured for TLS on both the AMQP port (5671) and the management API port (15671).
- certgen.sh script: Dynamic certificate generation shell script that uses OpenSSL.
- minidebug image: A Minimus dev toolkit that provides a shell, OpenSSL, and other utilities used to generate the certificates.
Directory Structure
2 TLS listeners for 2 trust models
This setup configures two independent TLS listeners, each with a different trust requirement:
- AMQP (5671): This is the protocol port your messaging clients connect to. `ssl_options.verify = verify_none` means the server presents its certificate for the client to trust, but never asks the client for one back. Hence, no client certificate is required.
- Management API (15671): This is used by `rabbitmqadmin`, `curl`, and the management UI. `management.ssl.verify = verify_peer` means the server will validate a client certificate if one is presented, but `fail_if_no_peer_cert = false` makes presenting one optional.
The CA certificate (passed with `--cacert` or `--ssl-ca-cert-file`) is all a client needs to establish the TLS connections, so this guide skips generating a client certificate. If you later move this setup toward a multi-tenant or zero-trust environment, you can require client certificates on either listener by switching `fail_if_no_peer_cert` to `true`.
Deploy RabbitMQ with TLS certificates
Step 1: Generate TLS certificates
Save script that generates TLS certificates
Save the following script to a file named `certgen.sh`. The script generates the self-signed CA and server certificates and stores them in a `certs` folder in a Docker volume.
Save Docker Compose configuration
Save the following YAML configuration to a file named `create-certs.yml`. The configuration uses the Minimus minidebug image to generate the certificates with the `certgen.sh` shell script. Minidebug is a Minimus dev toolkit that provides a shell, OpenSSL, and other utilities.
The generated material consists of:
- CA certificate (`ca_certificate.pem`)
- Server certificate and key (`server_certificate.pem`, `server_key.pem`) valid for `rabbitmq`, `localhost`, `127.0.0.1`, `192.168.20.0`, `192.168.20.2`, and `192.168.20.3`
- Proper SANs for `rabbitmq` and `localhost`
- Server cert with both `serverAuth` and `clientAuth` extended key usage
Step 2: Deploy RabbitMQ server
Save Docker Compose script
Save the following Docker Compose script to a file named `docker-compose.yml`. This script sets up the RabbitMQ service with a healthcheck, mounts a volume with the certificates, and maps ports 15671 and 5671.
Step 3: Test your RabbitMQ server
We will use `rabbitmqadmin`, the RabbitMQ CLI, to connect over TLS and run tests. For example, here are a few commands you can try out:
- Check db health:
- Verify the AMQP TLS listener itself (port 5671) with `openssl s_client`. This confirms the handshake and certificate the broker presents to actual messaging clients, independent of the management API tested in the next step:
  `openssl s_client` runs on your host machine, not inside the container, so the verify result depends on the OpenSSL build installed there. You may see either `Verify return code: 0 (ok)` or `19 (self-signed certificate in certificate chain)`; both mean the handshake succeeded using the certificate signed by your CA. Messaging client libraries (pika, amqplib, etc.) that trust the CA connect the same way regardless.
- Test connectivity using `rabbitmqadmin`. Note that `rabbitmqadmin` talks to the management HTTP API, so it connects on port 15671 (the TLS management port), not the AMQP port 5671:
- Create a test vhost (for example `test_vhost`). A vhost is RabbitMQ's equivalent of a database: a logically separate group of queues, exchanges, and permissions:
- List all vhosts.
- Declare a durable queue named `docs` in `test_vhost` (the equivalent of creating a collection). Then publish a message to it:
- Create a user (for example, `appuser` with read/write/configure permissions on `test_vhost`), get the user's permission details, and delete the user:
- Publish a new message to the queue:
- Get all messages from the queue:
- Delete the vhost: