2

We are using the rabbitmq-management REST API for different operations on the rabbitmq's entities (queues/exchanges). The standard authentication by login/password works fine, but for some reasons we would like to use password-less authentication (based on SSL certificates). According to the documentation (https://www.rabbitmq.com/management.html) it looks like there is that possibility.

But if we try to configure the plugin:

advanced.config

%% advanced.config must be a single Erlang list of terms, terminated by a period
[
 {rabbitmq_management,
   [{listener, [{port,     15671},
                {ssl,      true},
                {ssl_opts, [{cacertfile, "c:/Services/certs/cacert.pem"},
                            {certfile,   "c:/Services/certs/cert.pem"},
                            {keyfile,    "c:/Services/certs/key.pem"}]}
               ]}
   ]
 }
].

Our client's .NET app

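// Needs: System.Net.Http, System.Security.Cryptography.X509Certificates, System.Threading.Tasks
// Written as an async method, since a constructor cannot use await
public async Task<HttpResponseMessage> Foo(string url, X509Certificate clientCert)
{
    var handler = new HttpClientHandler();
    // Offer the client certificate during the TLS handshake
    handler.ClientCertificates.Add(clientCert);

    _httpClient = new HttpClient(handler);

    // Only the certificate is supplied; no username/password is set on the request
    var result = await _httpClient.GetAsync(url);
    return result;
}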

We get the following (Fiddler session):

  1. | Tunnel to | HTTP/1.1 200 Connection Established (A SSLv3-compatible ClientHello handshake was found)
  2. | HostName | HTTP/1.1 401 Unauthorized

Is it possible to use certificate-based authentication for the rabbitmq-management plugin? If yes, could someone give any samples or a documentation link on what we have to do?

colidyre
hujg

1 Answer

2

I recently answered this question on the rabbitmq-users mailing list: link.

The short answer is that you can configure the server to require a client certificate and validate that it was signed by a trusted root cert, but you will still have to provide a username and password - the user won't be extracted from the certificate.


NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.

Pang
Luke Bakken
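The setup the answer describes, as an added example that is not part of the original answer or of RabbitMQ's own documentation: the question's listener with peer verification turned on, so the TLS handshake fails unless the client presents a certificate signed by a CA in `cacertfile`. The paths are the ones from the question; `verify` and `fail_if_no_peer_cert` are standard Erlang `ssl` options.

```erlang
%% advanced.config (added example, not the poster's or the RabbitMQ team's file)
[
 {rabbitmq_management,
   [{listener,
     [{port, 15671},
      {ssl,  true},
      {ssl_opts,
       [%% CA bundle used to validate the certificate the client presents
        {cacertfile, "c:/Services/certs/cacert.pem"},
        %% Server certificate and private key for the HTTPS listener
        {certfile,   "c:/Services/certs/cert.pem"},
        {keyfile,    "c:/Services/certs/key.pem"},

        %% Without the next two options the listener accepts any client,
        %% with or without a certificate, which is the question's setup.
        %% verify_peer: request a client certificate and check its chain
        %% against cacertfile.
        {verify, verify_peer},
        %% Reject the handshake when the client sends no certificate at all.
        {fail_if_no_peer_cert, true}
       ]}
     ]}
   ]
 }
].
%% Per the answer above, this only gates the TLS connection: the HTTP request
%% must still carry a username and password, because the management plugin
%% does not take the user from the certificate. A request with a valid
%% certificate but no credentials still gets 401 Unauthorized.
```

With this in place the client certificate acts as an additional gate in front of the API rather than as a replacement for the login, so the account used for the API should still be a least-privilege management user.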