SSL for RabbitMQ using Kamatera Hosting (node.js)

Ryan Cocks
Dec 11, 2019 · 2 min read

I was recently playing with https://www.kamatera.com/ for hosting cheap databases etc while prototyping.

It’s cheap at $4/mo for small burstable instances. 500mb of RAM, max 10% average monthly CPU load and 10GB storage.

However the Web interface for your services leaves a lot to be desired and there appears to be no documentation.

No doubt if I factored in the cost of my time I would have been a lot better off to use instances 3x the price on Digitial Ocean and avoid having to grapple with Kamatera, I must just like pain (I don’t).

First, have a read of http://www.squaremobius.net/amqp.node/ssl.html RabbitMQ which appears to be the suggested reading on ssl options for amqp.connect()

As I was just using SSL to encrypt the connection (not to verify the identity of client/server) all I need to do is add the ca to the passed options.

Finding the ca on a Kamatera RabbitMQ instance goes like this:

Log in to the node, the root password is the one you provided when creating the node.

You will get a message on login telling you the SSL config is in /etc/ssl .

First, from https://www.rabbitmq.com/troubleshooting-ssl.html, we check to see if RabbitMQ is listening for TLS connections:

# rabbitmq-diagnostics listeners
Asking node rabbit@rabbitmq1 to report its protocol listeners ...
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 15672, protocol: http, purpose: HTTP API

So, Kamatera’s RabbitMQ appliance isn’t listening for SSL connections out of the box. Next let’s have a look for our config file location:

# grep 'config file' /var/log/rabbitmq/*.log
/var/log/rabbitmq/rabbit@rabbitmq.log: config file(s) : (none)
/var/log/rabbitmq/rabbit@rabbitmq.log: config file(s) : (none)

Let’s create a config file:

# cat > /etc/rabbitmq/rabbitmq.conf <<END
listeners.ssl.default = 5671

ssl_options.cacertfile = /etc/ssl/certs/ca-certificates.crt
ssl_options.certfile = /etc/ssl/certs/server.crt
ssl_options.keyfile = /etc/ssl/private/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
END
# service rabbitmq-server restart

You now need to make sure rabbitmq can read the private key file. I was a bit hacky here as it was a dev machine:

cd /etc/ssl
chmod o+rx private
cd private
chmod o+r server.key

Then make sure you connect on port 5671 and pass the ca param to amqp.connect and this connects but it gives DEPTH_ZERO_SELF_SIGNED_CERT on the client connection. This means the ca’s are wrong:

amqp.connect({
protocol: "amqps", // Don't be a fool, encrypt traffic
port: 5671,
hostname: amqp_server,
username: amqp_user,
password: amqp_password,
locale: "en_US",
vhost,
ca: splitca("./ca-certificates.crt")
},

Note the ./ca-certificates.crt has been copied from /etc/ssl/certs on the rabbitmq server to the machine connecting.

You can add:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; // Avoids DEPTH_ZERO_SELF_SIGNED_CERT error for self-signed certs

before the call to amqp.connect but this will leave you open to man in the middle attacks.

I will contact Kamatera support to see what is missing… to be continued…

Written by

A passionate software developer and blockchain evangelist. Loves making high quality scaleable production systems and hacking together neat prototypes.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade