Renew or replace the RabbitMQ certificates managed by salt-minion

Renew or replace the RabbitMQ certificates managed by salt-minion¶

This section describes how to renew or replace the RabbitMQ certificates managed by salt-minion.

To renew or replace the RabbitMQ certificates managed by salt-minion:

Verify the certificates validity dates:

salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
-in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'

Example of system response:

Not Before: Apr 27 12:37:14 2018 GMT
Not After : Apr 27 12:37:14 2019 GMT
Not Before: Apr 27 12:37:08 2018 GMT
Not After : Apr 27 12:37:08 2019 GMT
Not Before: Apr 27 12:37:13 2018 GMT
Not After : Apr 27 12:37:13 2019 GMT

Remove the certificates from the RabbitMQ nodes:

salt -C 'I@rabbitmq:server' cmd.run 'rm -f /etc/rabbitmq/ssl/cert.pem'

If you replace the certificates, remove the private key:

salt -C 'I@rabbitmq:server' cmd.run 'rm -f /etc/rabbitmq/ssl/key.pem'

Regenerate the certificates on the RabbitMQ nodes:

salt -C 'I@rabbitmq:server' state.sls salt.minion.cert

Verify that the certificates validity dates have changed:

salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
-in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'

Example of system response:

Not Before: Jun  4 23:52:40 2018 GMT
Not After : Jun  4 23:52:40 2019 GMT
Not Before: Jun  4 23:52:41 2018 GMT
Not After : Jun  4 23:52:41 2019 GMT
Not Before: Jun  4 23:52:41 2018 GMT
Not After : Jun  4 23:52:41 2019 GMT

Restart the RabbitMQ services one by one:

salt -C 'I@rabbitmq:server' cmd.run 'service rabbitmq-server stop; \
service rabbitmq-server start' -b1

Verify the RabbitMQ cluster status:

salt -C 'I@rabbitmq:server' cmd.run 'rabbitmqctl cluster_status'

Example of system response:

msg03.multinode-ha.int:
    Cluster status of node rabbit@msg03
    [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
     {running_nodes,[rabbit@msg01,rabbit@msg02,rabbit@msg03]},
     {cluster_name,<<"openstack">>},
     {partitions,[]},
     {alarms,[{rabbit@msg01,[]},{rabbit@msg02,[]},{rabbit@msg03,[]}]}]
msg01.multinode-ha.int:
    Cluster status of node rabbit@msg01
    [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
     {running_nodes,[rabbit@msg03,rabbit@msg02,rabbit@msg01]},
     {cluster_name,<<"openstack">>},
     {partitions,[]},
     {alarms,[{rabbit@msg03,[]},{rabbit@msg02,[]},{rabbit@msg01,[]}]}]
msg02.multinode-ha.int:
    Cluster status of node rabbit@msg02
    [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
     {running_nodes,[rabbit@msg03,rabbit@msg01,rabbit@msg02]},
     {cluster_name,<<"openstack">>},
     {partitions,[]},
     {alarms,[{rabbit@msg03,[]},{rabbit@msg01,[]},{rabbit@msg02,[]}]}]

updated: 2024-01-04 11:47

Verify that the RabbitMQ cluster uses certificates

View Previous Section

Renew or replace the self-managed RabbitMQ certificates