Store RabbitMQ cert/key in config dir

Storing rabbit's private key in /etc/ssl/private causes problems since that
directory (and the files within it) can only be accessed by root on Ubuntu
systems. Storing the key within the RabbitMQ configuration directory would
allow the key to be read by the 'rabbitmq' user.

The key can also be set to mode 0600 by moving its location and
changing it to be owned by the rabbitmq user.

Closes-bug: 1506992

Change-Id: Iede0748b57a86b33879d759505dd8f80476b574c
(cherry picked from commit 5ea3dba04e)
Major Hayden 2015-10-16 14:19:18 -05:00
parent 72eaf7c5f2
commit 6c669034f3
2 changed files with 8 additions and 8 deletions


@ -55,9 +55,9 @@ rabbitmq_plugins:
state: enabled
# RabbitMQ SSL support
rabbitmq_ssl_cert: /etc/ssl/certs/rabbitmq.pem
rabbitmq_ssl_key: /etc/ssl/private/rabbitmq.key
rabbitmq_ssl_ca_cert: /etc/ssl/certs/rabbitmq-ca.pem
rabbitmq_ssl_cert: /etc/rabbitmq/rabbitmq.pem
rabbitmq_ssl_key: /etc/rabbitmq/rabbitmq.key
rabbitmq_ssl_ca_cert: /etc/rabbitmq/rabbitmq-ca.pem
# Set rabbitmq_ssl_self_signed_regen to true if you want to generate a new
# SSL certificate for RabbitMQ when this playbook runs. You can also change
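Review bot: Hosts deployed with the earlier defaults keep their key at `/etc/ssl/private/rabbitmq.key` (and the two certificates under `/etc/ssl/certs`) after these defaults change, and nothing in the visible hunks removes them, so an upgrade would leave a second copy of the private key on disk. If no cleanup exists elsewhere in the role, a task such as `file: path=/etc/ssl/private/rabbitmq.key state=absent` or an upgrade note would cover it. A short comment above the three defaults would also record the reason for the location, for example `# Kept under /etc/rabbitmq so the 'rabbitmq' user can read the key (/etc/ssl/private is root-only on Ubuntu)`. The hunk shows only part of the defaults file.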


@ -20,12 +20,12 @@
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
owner: "rabbitmq"
group: "rabbitmq"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ rabbitmq_user_ssl_cert }}", dest: "{{ rabbitmq_ssl_cert }}", mode: "0644" }
- { src: "{{ rabbitmq_user_ssl_key }}", dest: "{{ rabbitmq_ssl_key }}", mode: "0640" }
- { src: "{{ rabbitmq_user_ssl_key }}", dest: "{{ rabbitmq_ssl_key }}", mode: "0600" }
when: rabbitmq_user_ssl_cert is defined and rabbitmq_user_ssl_key is defined
tags:
- rabbitmq-configs
@ -37,8 +37,8 @@
copy:
src: "{{ rabbitmq_user_ssl_ca_cert }}"
dest: "{{ rabbitmq_ssl_ca_cert }}"
owner: "root"
group: "root"
owner: "rabbitmq"
group: "rabbitmq"
mode: "0644"
when: rabbitmq_user_ssl_ca_cert is defined
tags:
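Review bot: The certificate and the CA certificate are mode 0644 and were already readable by the rabbitmq user while owned by root, so switching their `owner`/`group` to `rabbitmq` (the shared `owner:`/`group:` lines of the first hunk and the CA task in the second) only adds write access for the broker's service account to its own certificate and trust anchor. Only the key needs the ownership change; a per-item owner such as `owner: "{{ item.owner | default('root') }}"`, with `owner: "rabbitmq"` set on the key item alone, would keep the public files root-owned. That separation only helps if `/etc/rabbitmq` itself is not writable by the service account, which these hunks do not show. Each task starts above its hunk, and the second continues past the final `tags:` line.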