# enable rabbitmq ssl port
rabbitmq::ssl: true
rabbitmq::ssl_cert: "%{::pki_public_dir}/mydomain.com.pem"
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
rabbitmq::ssl_key: "%{::pki_private_dir}/mydomain.com.key"
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't use client ssl certificates
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false
The only caveat is that if the key file is mode 0400 (as it should be) and is not owned by the rabbitmq user that RabbitMQ runs as, the service cannot read the private key. No workaround is known at the time of writing other than setting the mode to 0444.
An alternative may be to stand NGINX up in front of RabbitMQ as a TLS-terminating proxy.
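The check below is an added example, not code from this page or from the puppet-rabbitmq module. It parses a constructed copy of the Hiera fragment above, reports the settings a reviewer would question (the tlsv1.1 entry, verify_none, any weak cipher entry), and models the private-key permission caveat as a plain POSIX read check so the 0400-versus-0444 situation can be reasoned about before deployment. The key names are the ones shown on the page; the file owner and mode values are constructed, and the version policy (TLS 1.2 as the floor) is this example's own assumption.

```python
"""Audit the rabbitmq::ssl_* Hiera keys and model the key-permission caveat.
Added example; not from the page or puppet-rabbitmq. Fragment copy,
ownership values and the TLS 1.2 floor are assumptions of this script."""
import re
import stat

# Constructed copy of the page's fragment (Hiera interpolation left as-is).
HIERA_FRAGMENT = """\
# enable rabbitmq ssl port
rabbitmq::ssl: true
rabbitmq::ssl_cert: "%{::pki_public_dir}/mydomain.com.pem"
rabbitmq::ssl_cacert: /etc/pki/tls/certs/ca-bundle.crt
rabbitmq::ssl_key: "%{::pki_private_dir}/mydomain.com.key"
rabbitmq::ssl_versions: [tlsv1.2, tlsv1.1]
rabbitmq::ssl_ciphers: ['dhe_rsa,aes_256_cbc,sha256']
# don't use client ssl certificates
rabbitmq::ssl_verify: verify_none
rabbitmq::ssl_fail_if_no_peer_cert: false
"""

KEY_VALUE_RE = re.compile(r"^(\S+):\s+(.*)$")
# One flow-list item: a quoted scalar (may contain commas) or a bare one.
FLOW_ITEM_RE = re.compile(r"""\s*('[^']*'|"[^"]*"|[^,'"]+?)\s*(?:,|$)""")
# Versions this example refuses to offer (assumption: TLS 1.2 is the floor).
DEPRECATED_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}


def _scalar(tok):
    tok = tok.strip()
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1]
    return {"true": True, "false": False}.get(tok, tok)


def parse_hiera(text):
    """Parse flat `key: value` lines (booleans, quoted scalars, one-level
    flow lists) into a dict. Not a YAML parser; enough for the fragment."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith("[") and raw.endswith("]"):
            settings[key] = [_scalar(t) for t in FLOW_ITEM_RE.findall(raw[1:-1])]
        else:
            settings[key] = _scalar(raw)
    return settings


def weak_suite_reason(entry):
    """Explain why a 'kx,cipher,mac[,prf]' entry is weak, or return None.
    A `null` MAC slot on an AEAD suite is normal and is not flagged."""
    parts = entry.split(",")
    if len(parts) < 3:
        return "malformed entry"
    kx, cipher, mac = parts[0], parts[1], parts[2]
    if "anon" in kx or "export" in kx:
        return "anonymous or export key exchange"
    if cipher == "null" or "rc4" in cipher or "des" in cipher:
        return f"weak bulk cipher {cipher}"
    if mac == "md5":
        return "MD5 MAC"
    return None


def audit_tls(settings):
    """Return human-readable findings for the rabbitmq::ssl_* keys."""
    findings = []
    if settings.get("rabbitmq::ssl") is not True:
        findings.append("rabbitmq::ssl is not true: no TLS listener")
    for v in settings.get("rabbitmq::ssl_versions", []):
        if v in DEPRECATED_VERSIONS:
            findings.append(f"deprecated protocol version offered: {v}")
    for entry in settings.get("rabbitmq::ssl_ciphers", []):
        reason = weak_suite_reason(entry)
        if reason:
            findings.append(f"cipher {entry}: {reason}")
    if settings.get("rabbitmq::ssl_verify") == "verify_none":
        findings.append("ssl_verify is verify_none: client certificates are "
                        "neither requested nor checked")
    return findings


def key_readable_by(mode, owner, group, user, user_groups):
    """POSIX read check (permission bits only) for the private key file.
    A 0400 key owned by root is unreadable by `rabbitmq`; 0444 is world-readable."""
    if user == "root":
        return True  # root bypasses the permission bits
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for finding in audit_tls(parse_hiera(HIERA_FRAGMENT)):
        print("finding:", finding)
    for mode in (0o400, 0o440, 0o444):  # constructed: key owned by root
        print(f"mode {mode:o}: readable by rabbitmq =",
              key_readable_by(mode, "root", "root", "rabbitmq", {"rabbitmq"}))
```

The 0440 case in the check shows the middle ground the page does not mention: if the key's group is rabbitmq, group-read suffices and the key never has to become world-readable. Whether that is workable depends on how your PKI tooling manages ownership, so treat it as something to verify on the host, not as a fact from the page.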
The cipher suites supported by the node's Erlang runtime can be listed with the following (the second form prints OpenSSL-style suite names):
$ sudo rabbitmqctl eval 'ssl:cipher_suites().'
$ sudo rabbitmqctl eval 'ssl:cipher_suites(openssl).'
More information is available in the RabbitMQ docs.
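Turning the `ssl:cipher_suites().` output into a `rabbitmq::ssl_ciphers` list by hand is error-prone, so here is an added example (not code from this page or the RabbitMQ project) that parses the Erlang term list, keeps only forward-secret AES suites, and renders both the Hiera line and the `{ciphers, [...]}` term that ends up in rabbitmq.config. The sample output is constructed in the 3-/4-tuple shape older OTP releases print, not captured from a node; the forward-secrecy allowlist and the assumption that the module wraps each Hiera entry in Erlang braces are this example's own.

```python
"""Convert `rabbitmqctl eval 'ssl:cipher_suites().'` output into the
rabbitmq::ssl_ciphers form used on this page. Added example; the sample
output is constructed and the allowlist is an assumption of this script."""
import re

# Constructed sample in the tuple shape older OTP prints; not a real capture.
SAMPLE_EVAL_OUTPUT = (
    "[{ecdhe_rsa,aes_256_gcm,null,sha384},"
    "{dhe_rsa,aes_256_cbc,sha256},"
    "{rsa,aes_128_cbc,sha},"
    "{ecdhe_rsa,'3des_ede_cbc',sha},"
    "{dhe_rsa,rc4_128,sha},"
    "{ecdhe_ecdsa,aes_128_gcm,null,sha256}]"
)

TUPLE_RE = re.compile(r"\{([^{}]*)\}")
# An Erlang atom inside a tuple: quoted ('3des_ede_cbc') or bare.
ATOM_RE = re.compile(r"'([^']*)'|([^,\s]+)")
# Key exchanges that give forward secrecy (assumption: this example's policy).
FORWARD_SECRET_KX = {"ecdhe_rsa", "ecdhe_ecdsa", "dhe_rsa", "dhe_dss"}


def parse_cipher_suites(text):
    """Return each printed suite as a tuple of atom names, quotes removed."""
    suites = []
    for body in TUPLE_RE.findall(text):
        atoms = [quoted or bare for quoted, bare in ATOM_RE.findall(body)]
        suites.append(tuple(atoms))
    return suites


def forward_secret_aes(suites):
    """Keep suites with an ephemeral key exchange and an AES bulk cipher;
    static RSA, 3DES and RC4 suites fall out of the list."""
    return [s for s in suites
            if s[0] in FORWARD_SECRET_KX and s[1].startswith("aes_")]


def to_hiera_entries(suites):
    """Render suites as the 'kx,cipher,mac[,prf]' strings the page uses."""
    return [",".join(s) for s in suites]


def hiera_line(entries):
    """Produce the rabbitmq::ssl_ciphers line for a Hiera YAML file."""
    return "rabbitmq::ssl_ciphers: [" + ", ".join(f"'{e}'" for e in entries) + "]"


def erlang_atom(name):
    """Quote an atom that cannot stand bare, e.g. one starting with a digit."""
    return name if re.fullmatch(r"[a-z][A-Za-z0-9_@]*", name) else f"'{name}'"


def to_erlang_ciphers(entries):
    """Render the `ciphers` option as it lands in rabbitmq.config
    (assumption: the module wraps each Hiera entry in braces)."""
    tuples = ["{" + ",".join(erlang_atom(a) for a in e.split(",")) + "}"
              for e in entries]
    return "{ciphers,[" + ",".join(tuples) + "]}"


if __name__ == "__main__":
    chosen = to_hiera_entries(forward_secret_aes(parse_cipher_suites(SAMPLE_EVAL_OUTPUT)))
    print(hiera_line(chosen))
    print(to_erlang_ciphers(chosen))
```

Feeding the single page entry through `hiera_line` reproduces the `rabbitmq::ssl_ciphers` line above exactly, which is a quick way to confirm the string form is the one the module expects before a Puppet run. Run the real `rabbitmqctl eval` command on the node and paste its output in place of the constructed sample; the quoting rule in `erlang_atom` matters for suites such as `'3des_ede_cbc'`, which would not parse as a bare atom if written back without quotes.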