This section describes how to renew or replace the self-managed RabbitMQ certificates.
To renew or replace the self-managed RabbitMQ certificates:
Open your project Git repository with Reclass model on the cluster level.
Create the /openstack/ssl/rabbitmq.yml file with the following configuration as an example:
classes:
- cluster.<cluster_name>.openstack.ssl
parameters:
  rabbitmq:
    server:
      enabled: true
      ...
      ssl:
        enabled: true
        key: ${_param:rabbitmq_ssl_key}
        cacert_chain: ${_param:rabbitmq_ssl_cacert_chain}
        cert: ${_param:rabbitmq_ssl_cert}
Note
Substitute <cluster_name> with the appropriate value.
Create the /openstack/ssl/init.yml file with the following configuration as an example:
parameters:
  _param:
    rabbitmq_ssl_cacert_chain: |
      -----BEGIN CERTIFICATE-----
      MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
      ...
      RHXc4FoWv9/n8ZcfsqjQCjF3vUUZBB3zdlfLCLJRruB4xxYukc3gFpFLm21+0ih+
      M8IfJ5I=
      -----END CERTIFICATE-----
    rabbitmq_ssl_key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIJKQIBAAKCAgEArVSJ16ePjCik+6bZBzhiu3enXw8R9Ms1k4x57633IX1sEZTJ
      ...
      0VgM2bDSNyUuiwCbOMK0Kyn+wGeHF/jGSbVsxYI4OeLFz8gdVUqm7olJj4j3xemY
      BlWVHRa/dEG1qfSoqFU9+IQTd+U42mtvvH3oJHEXK7WXzborIXTQ/08Ztdvy
      -----END RSA PRIVATE KEY-----
    rabbitmq_ssl_cert: |
      -----BEGIN CERTIFICATE-----
      MIIGIDCCBAigAwIBAgIJAJznLlNteaZFMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
      ...
      MfXPTUI+7+5WQLx10yavJ2gOhdyVuDVagfUM4epcriJbACuphDxHj45GINOGhaCd
      UVVCxqnB9qU16ea/kB3Yzsrus7egr9OienpDCFV2Q/kgUSc7
      -----END CERTIFICATE-----
Note
Replace the placeholder values in the example above with your own material: put the new private key in rabbitmq_ssl_key, the new server certificate in rabbitmq_ssl_cert, and the CA chain that issued it in rabbitmq_ssl_cacert_chain. The private key is stored in clear text in the Reclass model, so restrict access to the repository accordingly.
Update the /openstack/message_queue.yml file by adding the newly created class to the RabbitMQ nodes:
classes:
- service.rabbitmq.server.ssl
- cluster.<cluster_name>.openstack.ssl.rabbitmq
Log in to the Salt Master node.
Refresh pillars:
salt -C 'I@rabbitmq:server' saltutil.refresh_pillar
Publish the new certificates:
salt -C 'I@rabbitmq:server' state.sls rabbitmq -l debug
Verify the validity dates of the new certificates on every RabbitMQ node:
salt -C 'I@rabbitmq:server' cmd.run 'openssl x509 \
-in /etc/rabbitmq/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
Example of system response:
Not Before: Apr 27 12:37:14 2018 GMT
Not After : Apr 27 12:37:14 2019 GMT
Not Before: Apr 27 12:37:08 2018 GMT
Not After : Apr 27 12:37:08 2019 GMT
Not Before: Apr 27 12:37:13 2018 GMT
Not After : Apr 27 12:37:13 2019 GMT
Restart the RabbitMQ services one by one (the -b1 batch size makes Salt run the command on a single minion at a time, so only one cluster node is down at any moment):
salt -C 'I@rabbitmq:server' cmd.run 'service rabbitmq-server stop; \
service rabbitmq-server start' -b1
Verify the RabbitMQ cluster status:
salt -C 'I@rabbitmq:server' cmd.run 'rabbitmqctl cluster_status'
Example of system response:
msg03.multinode-ha.int:
Cluster status of node rabbit@msg03
[{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
{running_nodes,[rabbit@msg01,rabbit@msg02,rabbit@msg03]},
{cluster_name,<<"openstack">>},
{partitions,[]},
{alarms,[{rabbit@msg01,[]},{rabbit@msg02,[]},{rabbit@msg03,[]}]}]
msg01.multinode-ha.int:
Cluster status of node rabbit@msg01
[{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
{running_nodes,[rabbit@msg03,rabbit@msg02,rabbit@msg01]},
{cluster_name,<<"openstack">>},
{partitions,[]},
{alarms,[{rabbit@msg03,[]},{rabbit@msg02,[]},{rabbit@msg01,[]}]}]
msg02.multinode-ha.int:
Cluster status of node rabbit@msg02
[{nodes,[{disc,[rabbit@msg01,rabbit@msg02,rabbit@msg03]}]},
{running_nodes,[rabbit@msg03,rabbit@msg01,rabbit@msg02]},
{cluster_name,<<"openstack">>},
{partitions,[]},
{alarms,[{rabbit@msg03,[]},{rabbit@msg01,[]},{rabbit@msg02,[]}]}]
Restart all OpenStack API services and agents so that they reconnect to RabbitMQ using the new certificates.
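The procedure above only checks the validity dates after the certificates have already been published. The following script is an added example, not part of the MCP documentation or of the salt-formula-rabbitmq project, that a practitioner can run on the new cert, key and chain before pasting them into init.yml: it confirms the private key belongs to the certificate, that the certificate verifies against the CA chain that will be published as rabbitmq_ssl_cacert_chain, and that the lifetime is sane. It assumes only the openssl command-line tool; the host name msg01.example.int and the file names are hypothetical, and the throwaway PKI it builds exists only to exercise the checks.

```shell
#!/bin/sh
# Added example (not MCP or salt-formula-rabbitmq code): pre-flight checks on a
# RabbitMQ server certificate, its private key and the CA chain before they go
# into the Reclass model. Requires only the openssl CLI; names are hypothetical.
set -e

# check_bundle CERT KEY CHAIN
# Prints one line per check; returns 0 only when every hard check passes.
check_bundle() {
    cert=$1; key=$2; chain=$3; rc=0

    # 1. Key/cert agreement: the SubjectPublicKeyInfo derived from the private
    #    key must be byte-identical to the one embedded in the certificate.
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_spki" = "$key_spki" ]; then
        echo "ok:   private key matches certificate"
    else
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 2. Trust path: the cert must verify against the chain clients will trust
    #    (the value that becomes rabbitmq_ssl_cacert_chain), or TLS fails.
    if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "ok:   certificate chains to the supplied CA bundle"
    else
        echo "FAIL: certificate does not chain to the supplied CA bundle"; rc=1
    fi

    # 3. Lifetime: reject an expired cert, warn if under 30 days remain. This is
    #    the Not Before/Not After eyeball check from the docs made mechanical.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has already expired"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "WARN: certificate expires within 30 days"
    else
        echo "ok:   certificate valid for more than 30 days"
    fi

    # 4. Identity, for the operator to compare against the RabbitMQ node names.
    echo "info: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return $rc
}

# make_demo_pki DIR
# Constructs (for this example only) a throwaway CA, a server certificate for the
# hypothetical node msg01.example.int, and an unrelated key to trigger check 1.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo RabbitMQ CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=msg01.example.int" \
        -keyout "$dir/key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/wrong.key" 2>/dev/null
}

# Usage: "sh check_rabbitmq_certs.sh demo" shows one passing and one failing
# bundle; for real material call: check_bundle cert.pem key.pem cacert_chain.pem
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "== matching key =="
    check_bundle "$work/cert.pem" "$work/key.pem" "$work/ca.pem"
    echo "== wrong key =="
    check_bundle "$work/cert.pem" "$work/wrong.key" "$work/ca.pem" || echo "rejected as expected"
    rm -rf "$work"
fi
```

Check 1 compares the public keys rather than RSA moduli so that it also works for non-RSA keys; check 2 is the same verification every AMQP client will perform against the chain, so a failure here means every OpenStack service would refuse the connection after step "Publish the new certificates" rather than discovering it then.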