Rabbit can't see my certs for the management UI

[Jleagle]

Hi, I am trying to use SSL to connect to the management UI by setting the following environment variables through docker-compose.

- RABBITMQ_MANAGEMENT_SSL_CACERTFILE=/etc/letsencrypt/live/x/fullchain.pem
- RABBITMQ_MANAGEMENT_SSL_CERTFILE=/etc/letsencrypt/live/x/cert.pem
- RABBITMQ_MANAGEMENT_SSL_KEYFILE=/etc/letsencrypt/live/x/privkey.pem

I have my lets encrypt certificates in the container with a volume.

When I run the container, Rabbit adds this to the log:

error: files specified, but missing

• /etc/letsencrypt/live/x/fullchain.pem (RABBITMQ_MANAGEMENT_SSL_CACERTFILE)
• /etc/letsencrypt/live/x/cert.pem (RABBITMQ_MANAGEMENT_SSL_CERTFILE)
• /etc/letsencrypt/live/x/privkey.pem (RABBITMQ_MANAGEMENT_SSL_KEYFILE)

But when i exec in, i can see those files and they have read permission. I thought it might not be working because these are symlinks and the entrypoint checks for a file specifically (https://github.com/docker-library/rabbitmq/blob/master/3.7/alpine/docker-entrypoint.sh#L135) Maybe this should use -e?

I changed the environment variables to point to the actual files but still get errors:

error: files specified, but missing

• /etc/letsencrypt/archive/x/fullchain2.pem (RABBITMQ_MANAGEMENT_SSL_CACERTFILE)
• /etc/letsencrypt/archive/x/cert2.pem (RABBITMQ_MANAGEMENT_SSL_CERTFILE)
• /etc/letsencrypt/archive/x/privkey2.pem (RABBITMQ_MANAGEMENT_SSL_KEYFILE)
• /etc/letsencrypt/archive/gx/fullchain2.pem (RABBITMQ_SSL_CACERTFILE)
• /etc/letsencrypt/archive/x/cert2.pem (RABBITMQ_SSL_CERTFILE)
• /etc/letsencrypt/archive/x/privkey2.pem (RABBITMQ_SSL_KEYFILE)

Again i can exec into the container and cat them fine.

Am i doing something wrong? Thanks.

[tianon]

Are they (and their directories) readable by the "rabbitmq" user?

[Jleagle]

Here is my dir listings:

drwxr-xr-x root:root etc
drwxr-xr-x 1001:1001 letsencrypt
drwx------ 1001:1001 live
drwxr-xr-x 1001:1001 x
lrwxrwxrwx 1001:1001 cert.pem -> ../../archive/gamedb.online/cert2.pem

I was only looking at the bottom level dir permissions.

Rabbit seems to be on user ID 101 too.

bash-4.4# id rabbitmq
uid=100(rabbitmq) gid=101(rabbitmq) groups=101(rabbitmq),101(rabbitmq)

What do I set the directories on the host to be?

[tianon]

Still looks like a unix permissions issue -- your host has 1001 and RabbitMQ is on 101 (which are different users).

One thing you can do to test is to use docker exec -u rabbitmq -it -w /etc/letsencrypt/archive bash to poke around inside the image as the RabbitMQ user to determine file readability.

Given that this doesn't seem to be something we can fix in the image, I'm going to close. 👍

[tianon]

(You could also use #125 to run rabbitmq itself as user 1001 to match your certificate files.)