Renew or replace the self-managed RabbitMQ certificates

This section describes how to renew or replace the self-managed RabbitMQ certificates.

To renew or replace the self-managed RabbitMQ certificates:

  1. Open your project Git repository with Reclass model on the cluster level.

  2. Create the /openstack/ssl/rabbitmq.yml file, using the following configuration as an example:

    classes:
    - cluster.<cluster_name>.openstack.ssl
    parameters:
      rabbitmq:
        server:
          enabled: true
          ...
          ssl:
            enabled: True
            key: ${_param:rabbitmq_ssl_key}
            cacert_chain: ${_param:rabbitmq_ssl_cacert_chain}
            cert: ${_param:rabbitmq_ssl_cert}
    

    Note

    Substitute <cluster_name> with the appropriate value.

  3. Create the /openstack/ssl/init.yml file, using the following configuration as an example:

    parameters:
      _param:
        rabbitmq_ssl_cacert_chain: |
          -----BEGIN CERTIFICATE-----
          MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          RHXc4FoWv9/n8ZcfsqjQCjF3vUUZBB3zdlfLCLJRruB4xxYukc3gFpFLm21+0ih+
          M8IfJ5I=
          -----END CERTIFICATE-----
        rabbitmq_ssl_key: |
          -----BEGIN RSA PRIVATE KEY-----
          MIIJKQIBAAKCAgEArVSJ16ePjCik+6bZBzhiu3enXw8R9Ms1k4x57633IX1sEZTJ
          ...
          0VgM2bDSNyUuiwCbOMK0Kyn+wGeHF/jGSbVsxYI4OeLFz8gdVUqm7olJj4j3xemY
          BlWVHRa/dEG1qfSoqFU9+IQTd+U42mtvvH3oJHEXK7WXzborIXTQ/08Ztdvy
          -----END RSA PRIVATE KEY-----
        rabbitmq_ssl_cert: |
          -----BEGIN CERTIFICATE-----
          MIIGIDCCBAigAwIBAgIJAJznLlNteaZFMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
          ...
          MfXPTUI+7+5WQLx10yavJ2gOhdyVuDVagfUM4epcriJbACuphDxHj45GINOGhaCd
          UVVCxqnB9qU16ea/kB3Yzsrus7egr9OienpDCFV2Q/kgUSc7
          -----END CERTIFICATE-----
    

    Note

    Modify the example above by inserting your own certificates and key:

    • If you renew the certificates, keep your existing key unchanged and update only the cert and cacert_chain sections.

    • If you replace the certificates, update all three sections (key, cert, and cacert_chain).

  4. Update the /openstack/message_queue.yml file by adding the newly created class to the RabbitMQ nodes:

    classes:
    - service.rabbitmq.server.ssl
    - cluster.<cluster_name>.openstack.ssl.rabbitmq
    
  5. Log in to the Salt Master node.

  6. Refresh pillars:

    salt -C 'I@rabbitmq:server' saltutil.refresh_pillar
    
  7. Publish the new certificates:

    salt -C 'I@rabbitmq:server' state.sls rabbitmq -l debug
    
  8. Verify the validity dates of the new certificates:

    salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
    -in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
    

    Example of system response:

    Not Before: Apr 27 12:37:14 2018 GMT
    Not After : Apr 27 12:37:14 2019 GMT
    Not Before: Apr 27 12:37:08 2018 GMT
    Not After : Apr 27 12:37:08 2019 GMT
    Not Before: Apr 27 12:37:13 2018 GMT
    Not After : Apr 27 12:37:13 2019 GMT
    
  9. Restart the RabbitMQ services one by one:

    salt -C 'I@rabbitmq:server' cmd.run 'service rabbitmq-server stop; \
    service rabbitmq-server start' -b1
    
  10. Verify the RabbitMQ cluster status:

    salt -C 'I@rabbitmq:server' cmd.run 'rabbitmqctl cluster_status'
    

    Example of system response:

    msg03.multinode-ha.int:
        Cluster status of node rabbit@msg03
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg01,rabbit@msg02,rabbit@msg03]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg01,[]},{rabbit@msg02,[]},{rabbit@msg03,[]}]}]
    msg01.multinode-ha.int:
        Cluster status of node rabbit@msg01
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg03,rabbit@msg02,rabbit@msg01]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg03,[]},{rabbit@msg02,[]},{rabbit@msg01,[]}]}]
    msg02.multinode-ha.int:
        Cluster status of node rabbit@msg02
        [{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
         {running_nodes,[rabbit@msg03,rabbit@msg01,rabbit@msg02]},
         {cluster_name,<<"openstack">>},
         {partitions,[]},
         {alarms,[{rabbit@msg03,[]},{rabbit@msg01,[]},{rabbit@msg02,[]}]}]
    
  11. Restart all OpenStack API services and agents.
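A pre-flight check for the material you paste into /openstack/ssl/init.yml in step 3, written for this page as an added example (it is not part of the Mirantis procedure): before Salt publishes the PEM files and RabbitMQ is restarted, it confirms that the certificate belongs to the private key (the common renewal mistake when the old key is kept), that the certificate chains to the CA bundle clients will trust, and that it is valid for at least MIN_DAYS more days, which is the same information step 8 shows but as a pass/fail threshold. The file names cert.pem, key.pem and ca.pem and the MIN_DAYS variable are assumptions for the example.

```shell
#!/bin/sh
# Pre-flight check for the RabbitMQ TLS material (rabbitmq_ssl_cert,
# rabbitmq_ssl_key, rabbitmq_ssl_cacert_chain) before it is committed to
# Reclass and published by the Salt state. Returns 0 only when the key
# matches the certificate, the certificate verifies against the chain and
# it remains valid for at least MIN_DAYS days. Assumed variable/paths.

MIN_DAYS="${MIN_DAYS:-30}"

# check_rabbitmq_ssl_material CERT_PEM KEY_PEM CHAIN_PEM
check_rabbitmq_ssl_material() {
    cert="$1"; key="$2"; chain="$3"

    # 1. Key/certificate match: compare the public keys rather than the RSA
    #    modulus so the check also works for EC keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert"; return 1; }
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || {
        echo "FAIL: cannot parse private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $cert was not issued for the key in $key"; return 1; }

    # 2. The certificate must verify against the chain clients are given;
    #    otherwise every AMQP-over-TLS client fails after the restart in step 9.
    #    Matching the ": OK" line is robust across openssl versions whose exit
    #    status for 'verify' differs.
    openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $cert does not chain to $chain"; return 1; }

    # 3. Expiry threshold instead of eyeballing the Not After date (step 8).
    openssl x509 -noout -checkend $((MIN_DAYS * 86400)) -in "$cert" >/dev/null || {
        echo "FAIL: $cert expires within $MIN_DAYS days"; return 1; }

    echo "OK: $(openssl x509 -noout -dates -in "$cert" | tr '\n' ' ')"
    return 0
}
```

Run it against the three PEM files before step 3; a FAIL here is cheaper than a broken cluster after step 9.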