From a4adeda02b2b97810ca50b462202d28f8df3b286 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Mon, 11 Feb 2019 11:59:21 +0100 Subject: [PATCH 1/2] Update RabbitMQ config section option for changes in https://github.com/StackStorm/st2/pull/4541. --- docs/source/install/config/config.rst | 47 ++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/docs/source/install/config/config.rst b/docs/source/install/config/config.rst index 2372706ad..e2247a587 100644 --- a/docs/source/install/config/config.rst +++ b/docs/source/install/config/config.rst 
@@ -98,24 +98,55 @@ In :github_st2:`/etc/st2/st2.conf ` include the following se The ``#RMQ_VHOST`` property is optional and can be left blank. -|st2| also supports SSL/TLS to encrypt RabbitMQ connections. To enable SSL, you need to pass -``?ssl=true`` query parameter at the end of the connection URL. +|st2| also supports SSL/TLS to encrypt RabbitMQ connections. To enable SSL, you need to set +``messaging.ssl`` config option to ``True`` or pass ``?ssl=true`` query parameter at the end of +the connection URL string. For example: +.. code-block:: ini + + url = amqp://guest:guest@127.0.0.1:5671/ + ssl = True + +or + + .. code-block:: ini url = amqp://guest:guest@127.0.0.1:5671/?ssl=true -Keep in mind that RabbitMQ server needs to be configured to enable TLS support. -For more information, refer to the official documentation - `Enabling TLS Support in RabbitMQ -`_. +In addition to encrypted connection to RabbitMQ, some other SSL related options which are +documented below are also supported: + +.. code-block:: ini + + [messaging] + ... + ssl = + ssl_keyfile = + ssl_certfile = + ssl_cert_reqs = + ssl_ca_certs = + login_method = + +* ``ssl`` - Enable or disable connection over TLS/SSL or not. Default is False. +* ``ssl_keyfile`` - Private keyfile used to identify the local connection against RabbitMQ. If + specified ssl is assumed to be True. +* ``ssl_certfile`` - Certificate file used to identify the local connection. If specified ssl is + assumed to be True. +* ``ssl_cert_reqs`` - Specifies whether a certificate is required from the other side of the + connection, and whether it will be validated if provided. +* ``ssl_ca_certs`` - Certificates file containing a set of concatenated CA certificates, which are + used to validate certificates passed from RabbitMQ. +* ``login_method`` - Login method to use. Default is ``PLAIN``. Other possible + options are ``AMQPLAIN`` and ``EXTERNAL``. .. 
note:: - At the moment TLS / SSL is only supported for secure connections to RabbitMQ - server. Peer verification and client side certificate authentication is - currently not supported. + RabbitMQ doesn't expose an SSL / TLS listener by default and needs to be configured to enable + TLS support. For more information, refer to the official documentation - + `Enabling TLS Support in RabbitMQ `_. .. _ref-rabbitmq-cluster-config: From 44f165debf41d83d12497f6c13bf8b98cc366f23 Mon Sep 17 00:00:00 2001 From: Lindsay Hill Date: Mon, 11 Feb 2019 15:51:30 -0800 Subject: [PATCH 2/2] Minor tweak Made it more clear that options for configuring RabbitMQ SSL are in `[messaging]` section --- docs/source/install/config/config.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/source/install/config/config.rst b/docs/source/install/config/config.rst index e2247a587..fc32e8e5e 100644 --- a/docs/source/install/config/config.rst +++ b/docs/source/install/config/config.rst @@ -106,6 +106,7 @@ For example: .. code-block:: ini + [messaging] url = amqp://guest:guest@127.0.0.1:5671/ ssl = True @@ -114,6 +115,7 @@ or .. code-block:: ini + [messaging] url = amqp://guest:guest@127.0.0.1:5671/?ssl=true In addition to encrypted connection to RabbitMQ, some other SSL related options which are
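Review bot: In PATCH 1/2, the ``ssl_cert_reqs`` bullet gives neither the accepted values nor the default, and the same hunk deletes the note that said peer verification is not supported, so a reader cannot tell whether ``ssl = True`` on its own validates the RabbitMQ server certificate. Suggest listing the accepted values and the default in that bullet, and saying explicitly which combination of ``ssl_cert_reqs`` and ``ssl_ca_certs`` is needed for the server certificate to be verified. Smaller points in the same hunk: "Enable or disable connection over TLS/SSL or not" has a redundant "or not"; "Default is False" should use literal markup as ``True`` does elsewhere; ``login_method`` is listed under "SSL related options" without a word on how it relates to TLS; and the text does not say which setting wins when ``ssl`` in the config and ``?ssl=true`` in the URL disagree.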
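Review bot: In PATCH 2/2, both hunks put a ``[messaging]`` header above examples that still carry ``guest:guest`` in the URL; with the section header the snippets are now complete enough to paste straight into st2.conf, so consider placeholder credentials in both. The stated aim of the commit (making clear that the options live in ``[messaging]``) would also be served by naming the section in the unchanged context sentence "In addition to encrypted connection to RabbitMQ, some other SSL related options which are", which currently relies on the code block alone to convey it.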