Improve the way it works

* Separate the generation of client certificates from server ones
* Create a trust store for clients
* Add comments about the different steps related to certificates
* Update the default image name
* Write a real readme file

Author: vincent-zurczak

.gitignore

@@ -1,3 +1,4 @@
 *~
 create_image.sh
 delete_image.sh
+.project

Dockerfile

@@ -1,26 +1,23 @@
 FROM rabbitmq:3.6.6
 
-RUN apt-get update 
-RUN apt-get install openssl -y  \ 
-&& mkdir -p /home/testca/certs \
-&& mkdir -p /home/testca/private \
-&& chmod 700 /home/testca/private \
-&& echo 01 > /home/testca/serial \
-&& touch /home/testca/index.txt
+RUN apt-get update \
+	&& apt-get install openssl -y  \ 
+	&& mkdir -p /home/testca/certs \
+	&& mkdir -p /home/testca/private \
+	&& chmod 700 /home/testca/private \
+	&& echo 01 > /home/testca/serial \
+	&& touch /home/testca/index.txt
 
 COPY rabbitmq.config /etc/rabbitmq/rabbitmq.config
 COPY openssl.cnf /home/testca
-
+COPY prepare-server.sh generate-client-keys.sh /home/
 
 RUN mkdir -p /home/server \
-&& mkdir -p /home/client
-
-VOLUME /home/client
-
-COPY ssl.sh /home
-
-RUN chmod +x /home/ssl.sh
-RUN /bin/bash /home/ssl.sh
+	&& mkdir -p /home/client \
+	&& chmod +x /home/prepare-server.sh /home/generate-client-keys.sh
 
-RUN /etc/init.d/rabbitmq-server restart
+RUN /bin/bash /home/prepare-server.sh \
+	&& /etc/init.d/rabbitmq-server restart
 
+CMD /bin/bash /home/generate-client-keys.sh && rabbitmq-server
+#sleep infinity

README.md

@@ -1,10 +1,67 @@
-# docker-rabbitmq-ssl
+# RabbitMQ with SSL Configuration in Docker
 
-This repository has as goal to build a rabbitmq container with SSL. 
-## To build this image:
-1. Go to `tests` directory:  ``cd tests``
-2. Run the script `build.sh`: ``./build.sh``
+> RabbitMQ and SSL made easy for tests.
 
-The generated image contains SSL certificates on client side in `/home/client`. This directory is mounted as a volume to allowing the sharing of certificates.
+This repository aims at building a RabbitMQ container with SSL enabled.  
+Generation of the server certificates, as well as server configuration, are performed during
+the image's build. A client certificate is generated when a container is created from this image.
 
+It is recommended to mount a volume so that the client certificate can be reached from the
+host system. Client certificates are generated under the **/home/client** directory.
 
+
+## To build this image
+
+```
+cd tests && ./build.sh
+```
+
+The generated image contains SSL certificates for the server side.
+
+
+## To run this image
+
+```
+mkdir -p /tmp/docker-test \
+	&& rm -rf /tmp/docker-test/* \
+	&& docker run -d --rm -p 12000:5671 -v /tmp/docker-test:/home/client rabbitmq-with-ssl:latest
+```
+
+Here, we bind the port 5671 from the container on the 12000 port on the local host.  
+We also share a local directory with the container, to retrieve the client certificate.
+You can verify client certificates were generated with `ls /tmp/docker-test`. This directory contains
+a key store and a trust store, both in the PKCS12 format.
+
+
+## To stop the container
+
+`docker stop <container-id>` will stop the container.  
+If you kept the `--rm` option, it will be deleted directly.
+
+
+## To run quick tests
+
+```
+cd tests && ./test.sh
+```
+
+
+## To diagnose troubles
+
+* Verify the client certificates were correctly generated: `ls -l /tmp/docker-test`
+* Inspect the container: `docker exec -ti <container-id> /bin/bash`
+* Check the logs: `docker logs <container-id>`
+* Verify the SSL connection works: `openssl s_client -connect 127.0.0.1:12000 -key /tmp/docker-test/key.pem`  
+This last command will result in `Verify return code: 19 (self signed certificate in certificate chain)`, which is normal.
+We should specify the **-CApath**, which is inside the Docker container. This test is enough to verify SSL is enabled and
+the server is reachable from the host system.
+
+
+## Quick overview of the content
+
+* **Dockerfile**: the file with instructions to create a Docker image.
+* **rabbitmq.config**: the configuration file for RabbitMQ.
+* **openssl.cnf**: a configuration file used during certificates creation.
+* **prepare-server.sh**: a script during the generation of the image and that deals with server certificates.
+* **generate-client-keys.sh**: a script that is run by default when a container is created from this image.
+It deals with the generation of client certificates.

generate-client-keys.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eu
+
+#
+# Prepare the client's stuff.
+#
+cd /home/client
+
+# Generate a private RSA key.
+openssl genrsa -out key.pem 2048
+
+# Generate a certificate from our private key.
+openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
+
+# Sign the certificate with our CA.
+cd /home/testca
+openssl ca -config openssl.cnf -in /home/client/req.pem -out /home/client/cert.pem -notext -batch -extensions client_ca_extensions
+
+# Create a key store that will contain our certificate.
+cd /home/client
+openssl pkcs12 -export -out key-store.p12 -in cert.pem -inkey key.pem -passout pass:roboconf
+
+# Create a trust store that will contain the certificate of our CA.
+openssl pkcs12 -export -out trust-store.p12 -in /home/testca/cacert.pem -inkey /home/testca/private/cakey.pem -passout pass:roboconf

openssl.cnf

@@ -52,4 +52,3 @@ extendedKeyUsage = 1.3.6.1.5.5.7.3.2
 basicConstraints = CA:false
 keyUsage = keyEncipherment
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
-

ssl.sh prepare-server.sh

@@ -2,27 +2,35 @@
 
 set -eu
 
+#
+# Prepare the certificate authority (self-signed).
+#
 cd /home/testca
+
+# Create a self-signed certificate that will serve a certificate authority (CA).
+# The private key is located under "private".
 openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
+
+# Encode our certificate with DER.
 openssl x509 -in cacert.pem -out cacert.cer -outform DER
 
-# On server side
+
+
+#
+# Prepare the server's stuff.
+#
 cd /home/server
+
+# Generate a private RSA key.
 openssl genrsa -out key.pem 2048
+
+# Generate a certificate from our private key.
 openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
+
+# Sign the certificate with our CA.
 cd /home/testca
 openssl ca -config openssl.cnf -in /home/server/req.pem -out /home/server/cert.pem -notext -batch -extensions server_ca_extensions
-cd /home/server
-openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:roboconf
 
-# On client side
-cd /home/client
-openssl genrsa -out key.pem 2048
-openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
-cd /home/testca
-openssl ca -config openssl.cnf -in /home/client/req.pem -out /home/client/cert.pem -notext -batch -extensions client_ca_extensions
-cd /home/client
+# Create a key store that will contain our certificate.
+cd /home/server
 openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:roboconf
-
-# Restart rabbitmq server
-#service rabbitmq-server restart

rabbitmq.config

@@ -8,10 +8,8 @@
                     {certfile,"/home/server/cert.pem"},
                     {keyfile,"/home/server/key.pem"},
                     {verify,verify_peer},
-                    {fail_if_no_peer_cert,false},
+                    {fail_if_no_peer_cert,true},
                     {versions, ['tlsv1.2', 'tlsv1.1']}
                 ]}
-
         ] }
-
 ].

tests/build.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-IMAGE_NAME="test-rabbitmq-ssl"
+IMAGE_NAME="rabbitmq-with-ssl"
 
 docker build --no-cache=true -t ${IMAGE_NAME} ..

tests/test.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Launch a Docker container from rabbitmq-ssl image 
-IMAGE_NAME=test-rabbitmq-ssl
+IMAGE_NAME=rabbitmq-with-ssl
 SUCCESS=true
 TMP_DIR=/tmp/rabbitmq-ssl/
 mkdir -p $TMP_DIR