
Commit e2b6ac3

Update inter-node peer verification example README
1 parent 73accce commit e2b6ac3

1 file changed: +26 -1 lines changed

docs/examples/mtls-inter-node/README.md

Lines changed: 26 additions & 1 deletion
@@ -1,5 +1,18 @@
11
# Mutual TLS Peer Verification (Mutual TLS Authentication, mTLS) for Inter-node Traffic Example
22

3+
This example is an addition to two other TLS-related examples:
4+
5+
* [basic TLS example](../tls)
6+
* [mutual peer verification ("mTLS") for client connections](../mtls)
7+
8+
It is recommended to get familiar at least with the basics of [TLS setup in RabbitMQ](https://www.rabbitmq.com/ssl.html)
9+
before going over this example, in particular with [how TLS peer verification works](https://www.rabbitmq.com/ssl.html#peer-verification).
10+
While those guides focus on client connections to RabbitMQ, the general verification process is identical
11+
when performed by two RabbitMQ nodes that attempt to establish a connection.
12+
13+
14+
## Enabling Peer Verification for Inter-node Connections
15+
316
When a clustered RabbitMQ node connects to its cluster peer, both
417
can [verify each other's certificate chain](https://www.rabbitmq.com/ssl.html#peer-verification) for trust.
518
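Review bot: At new lines 10-11, "the general verification process is identical" leaves out the one thing that is specific to inter-node connections, which the context line below already hints at ("both can verify each other's certificate chain"): each node verifies its peer and is verified by it, whereas the linked guides, as the text itself says, focus on client connections. Suggest stating that in this paragraph so readers know what carries over from those guides and what to look at differently. Smaller points: "It is recommended to get familiar at least with the basics of" reads better as "Get familiar with at least the basics of", and new lines 12-13 add two consecutive blank lines before the heading where one is enough.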

@@ -33,7 +46,7 @@ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/relea
3346
./setup.sh
3447
```
3548

36-
To validate that RabbitMQ nodes connect over TLS you can run the following checks:
49+
To validate that RabbitMQ nodes connect over TLS, run the following checks:
3750

3851
```shell
3952
# check that the distribution port has TLS enabled (this command should return `Verification: OK`)
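Review bot: The reworded sentence at new line 49 still says the checks validate that nodes "connect over TLS", and the check that follows is described as confirming that "the distribution port has TLS enabled"; neither wording tells the reader whether peer verification is enforced, which is what this README's title is about. Suggest either stating plainly that these checks confirm TLS is in use on inter-node connections, or adding a check whose expected result depends on peer verification being enabled, with its expected output in the comment like the existing ones.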
@@ -42,3 +55,15 @@ kubectl exec -it mtls-inter-node-server-0 -- bash -c 'openssl s_client -connect
4255
# check that distribution uses TLS (this command should return `{ok,[["inet_tls"]]}`)
4356
kubectl exec -it mtls-inter-node-server-0 -- rabbitmqctl eval 'init:get_argument(proto_dist).'
4457
```
58+
59+
60+
## Troubleshooting
61+
62+
RabbitMQ has a guide that explains a methodology for [troubleshooting TLS](https://www.rabbitmq.com/troubleshooting-ssl.html) using
63+
OpenSSL command line tools. This methodology helps narrow down connectivity issues quicker.
64+
65+
In the context of Kubernetes, OpenSSL CLI tools can be run on RabbitMQ nodes using `kubectl exec`, e.g.:
66+
67+
``` shell
68+
kubectl exec -it tls-server-0 -- openssl s_client -connect tls-nodes.examples.svc.cluster.local:25672 </dev/null
69+
```
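Review bot: The command at new line 68 targets the pod `tls-server-0` and the host `tls-nodes.examples.svc.cluster.local`, while the checks earlier in this same file run against `mtls-inter-node-server-0`; the names appear to be carried over from the basic TLS example and should be replaced with this example's pod and nodes service so the command can be pasted as is. `-it` together with `</dev/null` is also contradictory: stdin is redirected, so no TTY is needed, and dropping `-it` avoids a TTY warning from kubectl. Since this section sits in the inter-node peer verification example, consider showing `openssl s_client` with `-CAfile`, `-cert` and `-key` (paths as placeholders) so the handshake presents a certificate the way a real peer would. Minor: the opening fence has a space before `shell` where the rest of the file has none, and "quicker" at new line 63 should be "more quickly".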
