From f868a0bda8ae2509129b415a1ff8699d415ff865 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 26 May 2021 16:00:05 +0200
Subject: [PATCH] Update to 2021-05-26 16:00

---
 roles/rabbitmq_server/defaults/main.yml | 6 ++++--
 roles/rabbitmq_server/tasks/facts.yml | 1 +
 roles/rabbitmq_server/templates/dehydrated_hook.sh.j2 | 5 +++--
 roles/rabbitmq_server/templates/rabbitmq.conf.j2 | 3 +++
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/roles/rabbitmq_server/defaults/main.yml b/roles/rabbitmq_server/defaults/main.yml
index 2e3a83f..f2faa5d 100644
--- a/roles/rabbitmq_server/defaults/main.yml
+++ b/roles/rabbitmq_server/defaults/main.yml
@@ -17,8 +17,10 @@ rabbitmq_ssl_src_ip: []
 # You have to deploy the letsencrypt role on the host for this to work
 # Or you can specify cert and key path. They must be readable by rabbitmq
-#rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
-#rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
+# Note that intermediate should be provided in the cacert file !
+# rabbitmq_ssl_cacert_path: /etc/rabbitmq/ssl/chain.pem
+# rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
+# rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
 # HTTP API / Web management interface
 rabbitmq_web_port: 15672
diff --git a/roles/rabbitmq_server/tasks/facts.yml b/roles/rabbitmq_server/tasks/facts.yml
index 374d847..748712e 100644
--- a/roles/rabbitmq_server/tasks/facts.yml
+++ b/roles/rabbitmq_server/tasks/facts.yml
@@ -6,6 +6,7 @@
 - when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
   block:
+    - set_fact: rabbitmq_ssl_cacert_path='/etc/rabbitmq/ssl/chain.pem'
     - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
     - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
   tags: rabbitmq
diff --git a/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2 b/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
index 3331758..ca8ef03 100644
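Review bot: The new `set_fact` for `rabbitmq_ssl_cacert_path` runs every time the enclosing block runs, including the case where the block is entered only because `rabbitmq_ssl_cert_path` or `rabbitmq_ssl_key_path` is undefined while `rabbitmq_letsencrypt_cert` is not defined. Within this diff the only thing that writes `/etc/rabbitmq/ssl/chain.pem` is the dehydrated hook, so on such a host the template would now emit `ssl_options.cacertfile` pointing at a file that may not exist, which is likely to keep the TLS listener from starting. If the chain file is only meaningful with Let's Encrypt, guard the fact: `- set_fact: rabbitmq_ssl_cacert_path='/etc/rabbitmq/ssl/chain.pem'` followed by `  when: rabbitmq_letsencrypt_cert is defined`; otherwise state in defaults that cert, key and cacert paths must be provided together. The block's `when` condition itself was not extended to consider `rabbitmq_ssl_cacert_path`, which is consistent with the defaults comment describing it as optional.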
--- a/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
+++ b/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
@@ -9,10 +9,11 @@
 {% endif %}
 if [ $1 == "{{ cert }}" ]; then
-  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/rabbitmq/ssl/cert.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/chain.pem /etc/rabbitmq/ssl/chain.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/cert.pem /etc/rabbitmq/ssl/cert.pem
   cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
   chown :rabbitmq /etc/rabbitmq/ssl/key.pem
-  chmod 644 /etc/rabbitmq/ssl/cert.pem
+  chmod 644 /etc/rabbitmq/ssl/{cert,chain}.pem
   chmod 640 /etc/rabbitmq/ssl/key.pem
   systemctl restart rabbitmq-server
 fi
diff --git a/roles/rabbitmq_server/templates/rabbitmq.conf.j2 b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
index 90b5e98..fb69b88 100644
--- a/roles/rabbitmq_server/templates/rabbitmq.conf.j2
+++ b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
@@ -1,5 +1,8 @@
 listeners.tcp.default = {{ rabbitmq_port }}
 listeners.ssl.default = {{ rabbitmq_ssl_port }}
+{% if rabbitmq_ssl_cacert_path is defined %}
+ssl_options.cacertfile = {{ rabbitmq_ssl_cacert_path }}
+{% endif %}
 ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
 ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
 loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
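Review bot: The new `chmod 644 /etc/rabbitmq/ssl/{cert,chain}.pem` depends on brace expansion, which is a bash feature; the script's shebang is outside this hunk, so if the hook ever runs under a POSIX sh the path is passed literally, chmod fails, and cert.pem and chain.pem keep whatever mode the preceding cp left them with. Spelling the paths out avoids the dependency: `chmod 644 /etc/rabbitmq/ssl/cert.pem /etc/rabbitmq/ssl/chain.pem`. Separately, the restart at the end of the block runs regardless of whether the three cp commands succeeded, so a failed copy of chain.pem (now a distinct file from the leaf cert) would restart the broker against a stale or missing chain; unless the script sets `set -e` outside the hunk, consider `cp … || exit 1` on each copy.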
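Review bot: The new `ssl_options.cacertfile` line is undocumented in the template, and in RabbitMQ that setting is not only the source of the intermediate chain sent to clients but also the trust store used to validate client certificates when `ssl_options.verify = verify_peer` is enabled; with the Let's Encrypt chain in it, any certificate chaining to that public CA would be trusted as a client. Nothing in this hunk sets `verify`, so this is a caveat rather than a defect, but a template comment above the `{% if %}` would spare the next maintainer the surprise: `# cacertfile carries the intermediate chain for the server cert; it is also the CA list consulted if verify_peer is turned on`.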