Update to 2021-05-26 16:00

4 years ago · f868a0bda8
parent ab23f4efec
commit f868a0bda8
4 changed files with 11 additions and 4 deletions
--- a/roles/rabbitmq_server/defaults/main.yml
+++ b/roles/rabbitmq_server/defaults/main.yml
@ -17,8 +17,10 @@ rabbitmq_ssl_src_ip: []
 # You have to deploy the letsencrypt role on the host for this to work

 # Or you can specify cert and key path. They must be readable by rabbitmq
-#rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
-#rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
+# Note that intermediate should be provided in the cacert file !
+# rabbitmq_ssl_cacert_path: /etc/rabbitmq/ssl/chain.pem
+# rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
+# rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem

 # HTTP API / Web management interface
 rabbitmq_web_port: 15672
--- a/roles/rabbitmq_server/tasks/facts.yml
+++ b/roles/rabbitmq_server/tasks/facts.yml
@ -6,6 +6,7 @@

 - when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
  block:
+    - set_fact: rabbitmq_ssl_cacert_path='/etc/rabbitmq/ssl/chain.pem'
    - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
    - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
  tags: rabbitmq
--- a/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
+++ b/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
@ -9,10 +9,11 @@
 {% endif %}

 if [ $1 == "{{ cert }}" ]; then
-  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/rabbitmq/ssl/cert.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/chain.pem /etc/rabbitmq/ssl/chain.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/cert.pem /etc/rabbitmq/ssl/cert.pem
  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
  chown :rabbitmq /etc/rabbitmq/ssl/key.pem
-  chmod 644 /etc/rabbitmq/ssl/cert.pem
+  chmod 644 /etc/rabbitmq/ssl/{cert,chain}.pem
  chmod 640 /etc/rabbitmq/ssl/key.pem
  systemctl restart rabbitmq-server
 fi
--- a/roles/rabbitmq_server/templates/rabbitmq.conf.j2
+++ b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
@ -1,5 +1,8 @@
 listeners.tcp.default = {{ rabbitmq_port }}
 listeners.ssl.default = {{ rabbitmq_ssl_port }}
+{% if rabbitmq_ssl_cacert_path is defined %}
+ssl_options.cacertfile = {{ rabbitmq_ssl_cacert_path }}
+{% endif %}
 ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
 ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
 loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}