我正在 Docker 上使用这个 docker-compose.yml 运行 RabbitMQ 实例,没有问题,它正在工作:
version: '3.7'
services:
my-rabbit:
image: imageAddress
hostname: my-rabbit
ports:
- "5672:5672"
- "15672:15672"
networks:
- testNetwork
networks:
testNetwork:
external: true
但是我必须使用带有证书的 RabbitMQ 才能通过 TLS 获得连接。
我尝试了这种方式,certs 文件夹包含证书,但出现错误:
version: '3.7'
services:
my-rabbit:
tty: true
image: imageAddress
environment:
- RABBITMQ_SSL_CERTFILE=/cert_rabbitmq/testca/cacert.pem
- RABBITMQ_SSL_KEYFILE=/cert_rabbitmq/server/cert.pem
- RABBITMQ_SSL_CACERTFILE=/cert_rabbitmq/server/key.pem
hostname: my-rabbit
ports:
- "5672:5672"
- "15672:15672"
volumes:
- /home/ilkaygunel/Desktop/certs:/cert_rabbitmq
networks:
- testNetwork
networks:
testNetwork:
external: true
错误如下。它说旧式配置文件存在,但我不知道该怎么办。
my-rabbit_1 | error: Docker configuration environment variables specified, but old-style (Erlang syntax) configuration file '/etc/rabbitmq/rabbitmq.config' exists
my-rabbit_1 | Suggested fixes: (choose one)
my-rabbit_1 | - remove '/etc/rabbitmq/rabbitmq.config'
my-rabbit_1 | - remove any Docker-specific 'RABBITMQ_...' environment variables
my-rabbit_1 | - convert '/etc/rabbitmq/rabbitmq.config' to the newer sysctl format ('/etc/rabbitmq/rabbitmq.conf'); see https://www.rabbitmq.com/configure.html#config-file
我应该怎么做才能使用该证书文件?
看起来
RABBITMQ_SSL*rabbitmq.conf目录结构:
├── certs
│ ├── rabbitmq.conf
│ ├── root.crt
│ ├── server.crt
│ └── server.key
├── data
│ └── # rmq data and other stuff
└── docker-compose.yml
docker-compose.ymlversion: "3.8"
services:
tls-rabbitmq:
hostname: 'tls-dev.rmq'
image: rabbitmq:3-management-alpine
container_name: 'tls-rmq-dev'
environment:
- RABBITMQ_DEFAULT_USER=rmq-test
- RABBITMQ_DEFAULT_PASS=Wg1-U5hP8xEYY_zfMPFEb5l-HvrsH
restart: always
extra_hosts:
- "tls-dev.rmq:192.168.166.6"
ports:
- "5672:5672"
- "15672:15672"
volumes:
- ./data:/var/lib/rabbitmq/
- ./certs/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro
- ./certs/root.crt:/etc/ssl/rmq-cacert.pem:ro
- ./certs/server.crt:/etc/ssl/rmq-cert.pem:ro
- ./certs/server.key:/etc/ssl/rmq-key.pem:ro
rabbitmq.confssl_options.cacertfile = /etc/ssl/rmq-cacert.pem
ssl_options.certfile = /etc/ssl/rmq-cert.pem
ssl_options.keyfile = /etc/ssl/rmq-key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
最后,
docker-compose up -dP.S:记得将
tls-dev.rmq/etc/hosts尝试这样的事情。另外,您似乎指向了错误的文件。 certfile 应为
cert.pemkey.pemcacert或者如果你想像你一样使用 3.7,它应该是 :-
version: '3.7'
services:
my-rabbit:
tty: true
image: imageAddress
environment:
- RABBITMQ_SSL_CERTFILE=/cert_rabbitmq/testca/cert.pem
- RABBITMQ_SSL_KEYFILE=/cert_rabbitmq/server/key.pem
- RABBITMQ_SSL_CACERTFILE=/cert_rabbitmq/server/cacert.pem
hostname: my-rabbit
ports:
- "5672:5672"
- "15672:15672"
volumes:
- /home/ilkaygunel/Desktop/certs:/cert_rabbitmq
networks:
- testNetwork
networks:
testNetwork:
external: true
或者,只需使用新格式设置一个rabbitmq配置文件,如下所示:-
#A new style format snippet. This format is used by rabbitmq.conf files.
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
从文档看来,使用这种配置格式,您甚至可能不需要在 docker compose 文件中使用 RABBITMQ... 样式环境变量。
可能您使用的是 3.7.0 之前版本的rabbitmq 镜像,其中默认使用旧式配置文件。
如果有一个选项,您可能希望将rabbitmq 映像的版本升级到较新的版本。处理新 ini 样式配置文件的较新版本的图像。此升级是错误消息中的第三个建议:“将 '/etc/rabbitmq/rabbitmq.config' 转换为较新的 sysctl 格式”。还有一点。当您指定“RABBITMQ_SSL_...”变量时,rabbitmq 将打开由 tls 驱动的端口 5671; 5672 也可以打开,但没有 tls。此行为可能会通过 conf 文件更改。