Introduction
RabbitMQ is a widely used open-source message broker written in the Erlang programming language. Built on top of the Open Telecom Platform (OTP) framework, it meets the needs of clustering and fail-over. Furthermore, its plugin architecture makes it possible for RabbitMQ to support Advanced Message Queuing Protocol (AMQP), Streaming Text Oriented Messaging Protocol (STOMP), MQ Telemetry Transport (MQTT), and other protocols as well.
This article explains how to install RabbitMQ on a Rcs CentOS 7 server instance.
Prerequisites
- A CentOS 7 server.
- Follow Rcs's best practices guides to create a sudo user and update the CentOS server.
1. Install Erlang
Because RabbitMQ is written in Erlang, you need to install Erlang before installing RabbitMQ.
At the time of this writing, the latest stable version of RabbitMQ for CentOS 7 is 3.8.19, which requires Erlang version 23.2 or later. If you want to install a newer version of RabbitMQ, refer to the RabbitMQ Erlang Version Requirements page for which Erlang versions are compatible.
The RabbitMQ team recommends Erlang version 24 because it offers significant throughput improvements for many workloads. But Erlang version 23 has better compatibility because some community plugins and tools may be incompatible with Erlang 24.
Log in to the server as a non-root sudo user via SSH.
Enable the Extra Packages for Enterprise Linux (EPEL) repository because it has packages required by Erlang:
$ sudo yum -y install epel-release
Choose one of the following options to download the Erlang version you want.
Option 1: Download Erlang 23.3.1, the latest version in the 23.x line at the time of this writing.
$ cd ~ && wget https://packages.erlang-solutions.com/erlang/rpm/centos/7/x86_64/esl-erlang_23.3.1-1~centos~7_amd64.rpm
Option 2: Download Erlang 24.0.2, the latest version in the 24.x line at the time of this writing.
$ cd ~ && wget https://packages.erlang-solutions.com/erlang/rpm/centos/7/x86_64/esl-erlang_24.0.2-1~centos~7_amd64.rpm
Option 3: Download a newer version compatible with RabbitMQ if it is available.
Go to the Erlang Solutions download page. Select the Erlang OTP package, CentOS from the Platforms list, and Standard from the Distribution list. Then click VIEW ALL to list all versions for CentOS. Select the version you want. Copy the download link corresponding to CentOS 7 (64-bit). Download it using wget as shown above.
Install the downloaded package:
$ sudo yum -y install esl-erlang*.rpm
Open the Erlang shell to verify the installation:
$ erl
You should see something like this:
Erlang/OTP 23 [erts-11.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:1] [hipe]
Eshell V11.2 (abort with ^G)
1>
Press Ctrl + C twice to quit the Erlang shell.
2. Install RabbitMQ
Download the latest version of RabbitMQ, which is 3.8.19 at the time of this writing:
$ wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.8.19/rabbitmq-server-3.8.19-1.el7.noarch.rpm
You can always find the latest version of RabbitMQ on its releases page on GitHub. Make sure to choose the link that ends with el7.noarch.rpm.
Install the downloaded package:
$ sudo yum -y install rabbitmq-server*.rpm
Start the RabbitMQ service:
$ sudo systemctl start rabbitmq-server.service
Enable RabbitMQ to start on system boot:
$ sudo systemctl enable rabbitmq-server.service
Check the status of RabbitMQ:
$ sudo rabbitmqctl status
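To enable access to the RabbitMQ management web UI and other common features, update the firewall rules to allow inbound TCP traffic on ports 4369, 25672, 5671, 5672, 15672, 61613, 61614, 1883, and 8883. Port 4369 is the Erlang port mapper (epmd) and 25672 carries inter-node and CLI tool traffic; 5672 and 5671 are AMQP without and with TLS; 15672 is the management web UI and HTTP API; 61613 and 61614 are STOMP without and with TLS; 1883 and 8883 are MQTT without and with TLS. If you do not use a protocol, you can leave its ports out of the command.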
$ sudo firewall-cmd --zone=public --permanent --add-port=4369/tcp --add-port=25672/tcp --add-port=5671-5672/tcp --add-port=15672/tcp --add-port=61613-61614/tcp --add-port=1883/tcp --add-port=8883/tcp
Reload the current firewall session to apply the change:
$ sudo firewall-cmd --reload
3. Enable RabbitMQ Management Plugin
The RabbitMQ management plugin offers an HTTP API, a web UI, and a command-line tool for managing and monitoring RabbitMQ servers. Although the web UI is quite basic, it makes it easy to monitor the recent metrics of the RabbitMQ server.
Enable RabbitMQ management plugin:
$ sudo rabbitmq-plugins enable rabbitmq_management
During activation, the plugin creates a default administrator account named guest. Delete this account to avoid security issues:
$ sudo rabbitmqctl delete_user guest
Add a new account for accessing the web UI. In the following commands, replace admin with your desired account name:
$ sudo rabbitmqctl add_user admin
Enter a strong password for the admin account when prompted. You can use a free password manager like KeePassXC or an online tool such as Random Password Generator to generate strong passwords.
Tag admin as an administrator account:
$ sudo rabbitmqctl set_user_tags admin administrator
Grant appropriate permissions to the admin account:
$ sudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
Now you can use the admin account to access the web UI. But if you own a valid domain name, you should follow the next step to configure HTTPS for the web UI at no cost. If not, you can jump straight to step 5 to access the web UI.
4. (Optional) Configure HTTPS for RabbitMQ Management Web UI
This step assumes that you want to configure HTTPS for the web UI with the domain name example.com, and you have pointed it to the server IP address. Make sure to replace example.com in the code examples with your domain name.
Install Certbot with Snap
Certbot is a program used to get free TLS certificates from Let's Encrypt, a certificate authority.
Snap Store is an app store for Linux with millions of users. It makes it easy to get the latest version of Certbot with features like automatic certificate renewal. The package that provides everything you need to work with the Snap Store is snapd.
Install the snapd package:
$ sudo yum -y install snapd
Enable the snapd service:
$ sudo systemctl enable --now snapd.socket
Enable classic snap support:
$ sudo ln -s /var/lib/snapd/snap /snap
Get the latest version of snapd core:
$ sudo snap install core && sudo snap refresh core
Do not worry if you get the following error:
error: too early for operation, device not yet seeded or device model not acknowledged
After installing snapd, it may take a little while to initialize its environment. So, wait a while before retrying the above command.
Install Certbot:
$ sudo snap install --classic certbot
Make the certbot command globally available:
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Get a Let's Encrypt Certificate
Certbot supports multiple modes for getting certificates. You will use the standalone mode to get a certificate for your domain name because this mode does not require a web server such as Nginx or Apache.
To confirm that you control the domain name, Certbot needs to bind to port 80 to perform domain validation. Update the firewall rules to allow inbound TCP traffic on port 80:
$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
Reload the current firewall session to apply the change:
$ sudo firewall-cmd --reload
Now you can run the following command to get a Let's Encrypt certificate:
$ sudo certbot certonly --standalone -d example.com -m admin@example.com --agree-tos
You may need to answer a question about sharing your email with the Electronic Frontier Foundation.
When finished, Certbot places all the files related to the certificate in the /etc/letsencrypt/archive/example.com folder and creates corresponding symlinks in the /etc/letsencrypt/live/example.com folder for your convenience. Those symlinks are:
$ sudo ls /etc/letsencrypt/live/example.com
cert.pem chain.pem fullchain.pem privkey.pem README
You will use those symlinks in the next step to install the certificate.
Install the Certificate
For security reasons, only the root account can access the /etc/letsencrypt/archive and /etc/letsencrypt/live folders. But the rabbitmq account needs to read files inside those folders to configure HTTPS. A reasonable solution is to clone those folders into a new folder for the rabbitmq account.
Create a new folder:
$ sudo mkdir /etc/rabbitmq_letsencrypt
Clone the /etc/letsencrypt/archive and /etc/letsencrypt/live folders into the new folder:
$ sudo cp -r /etc/letsencrypt/archive /etc/rabbitmq_letsencrypt
$ sudo cp -r /etc/letsencrypt/live /etc/rabbitmq_letsencrypt
Make rabbitmq the owner of the new folder so that RabbitMQ can read all the files related to the certificate:
$ sudo chown -R rabbitmq:rabbitmq /etc/rabbitmq_letsencrypt
Create a configuration file to store the TLS settings. This tutorial uses nano as the editor, but you can use another editor such as vim.
$ sudo nano /etc/rabbitmq/rabbitmq.conf
Paste the following into the editor:
management.ssl.port = 15672
management.ssl.cacertfile = /etc/rabbitmq_letsencrypt/live/example.com/chain.pem
management.ssl.certfile = /etc/rabbitmq_letsencrypt/live/example.com/cert.pem
management.ssl.keyfile = /etc/rabbitmq_letsencrypt/live/example.com/privkey.pem
management.ssl.honor_cipher_order = true
management.ssl.honor_ecc_order = true
management.ssl.client_renegotiation = false
management.ssl.secure_renegotiate = true
management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.versions.3 = tlsv1.1
management.ssl.ciphers.1 = TLS_AES_256_GCM_SHA384
management.ssl.ciphers.2 = TLS_AES_128_GCM_SHA256
management.ssl.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
management.ssl.ciphers.4 = TLS_AES_128_CCM_SHA256
management.ssl.ciphers.5 = TLS_AES_128_CCM_8_SHA256
management.ssl.ciphers.6 = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.7 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.8 = ECDHE-ECDSA-AES256-SHA384
management.ssl.ciphers.9 = ECDHE-RSA-AES256-SHA384
management.ssl.ciphers.10 = ECDH-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.11 = ECDH-RSA-AES256-GCM-SHA384
management.ssl.ciphers.12 = ECDH-ECDSA-AES256-SHA384
management.ssl.ciphers.13 = ECDH-RSA-AES256-SHA384
management.ssl.ciphers.14 = DHE-RSA-AES256-GCM-SHA384
Save the configuration file and exit.
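The configuration above enables tlsv1.1 and lists several static ECDH- and non-GCM cipher suites. The following check is an added example, not part of the original article: it reads the management.ssl.* keys of a rabbitmq.conf file and reports such entries. The function names audit_mgmt_tls and sample_conf, the finding labels, and the shortened sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit management.ssl.* entries in a rabbitmq.conf file.
# Usage: audit_mgmt_tls /etc/rabbitmq/rabbitmq.conf   (or pipe the file in)
# Prints one finding per line, in file order; prints nothing if none match.
audit_mgmt_tls() {
    awk -F'=' '
        /^[ \t]*#/ || NF < 2 { next }            # skip comments and non key=value lines
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)     # trim surrounding whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # Anything other than TLS 1.2 / 1.3 (tlsv1.1, tlsv1, sslv3) is deprecated.
        key ~ /^management\.ssl\.versions\.[0-9]+$/ && val !~ /^tlsv1\.[23]$/ {
            print "WEAK_VERSION " val
        }
        key ~ /^management\.ssl\.ciphers\.[0-9]+$/ {
            if (val ~ /^ECDH-/)
                print "STATIC_ECDH " val         # fixed ECDH key: no forward secrecy
            else if (val !~ /^TLS_/ && val !~ /GCM|CCM|CHACHA20/)
                print "NON_AEAD " val            # CBC-mode TLS 1.2 suite
        }
    ' "${1:--}"
}

# Constructed sample: a shortened copy of the settings shown above.
sample_conf() {
    cat <<'EOF'
management.ssl.port = 15672
management.ssl.keyfile = /etc/rabbitmq_letsencrypt/live/example.com/privkey.pem
management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.versions.3 = tlsv1.1
management.ssl.ciphers.1 = TLS_AES_256_GCM_SHA384
management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.3 = ECDHE-RSA-AES256-SHA384
management.ssl.ciphers.4 = ECDH-RSA-AES256-GCM-SHA384
management.ssl.ciphers.5 = DHE-RSA-AES256-GCM-SHA384
EOF
}

sample_conf | audit_mgmt_tls
```

Removing the reported lines from rabbitmq.conf and renumbering the remaining entries leaves a list of TLS 1.2 and 1.3 suites that all use AEAD ciphers with ephemeral key exchange.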
Automate Renewal
Let's Encrypt certificates are valid for 90 days, so you must renew your TLS certificate at least once every three months. The Certbot installation automatically created a systemd timer unit to automate this task. Run the following command to verify the timer is active:
$ sudo systemctl list-timers | grep 'certbot\|ACTIVATES'
After renewing the certificate, Certbot will not automatically restart the RabbitMQ service, so the RabbitMQ management web UI keeps using the old certificate. You must write a script inside the /etc/letsencrypt/renewal-hooks/deploy folder to restart the RabbitMQ service.
Open your text editor:
$ sudo nano /etc/letsencrypt/renewal-hooks/deploy/restart-rabbitmq.sh
Paste the following into the editor:
#!/bin/bash
# Copy new certificate files for RabbitMQ
cp -ru /etc/letsencrypt/archive /etc/rabbitmq_letsencrypt
cp -ru /etc/letsencrypt/live /etc/rabbitmq_letsencrypt
# Make rabbitmq the owner of the new files
chown -R rabbitmq:rabbitmq /etc/rabbitmq_letsencrypt
# Restart the RabbitMQ service
/usr/bin/systemctl restart rabbitmq-server.service
Save and exit. Then make the script executable.
$ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-rabbitmq.sh
Test the renewal process with a dry run.
$ sudo certbot renew --dry-run
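A narrower variant of the deploy hook, as an added example that is not part of the original article: it copies only the lineage Certbot has just renewed (Certbot passes its path to deploy hooks in the RENEWED_LINEAGE environment variable), writes the PEM files as regular read-only files, and replaces each one atomically. The function name deploy_lineage is an assumption; the destination path follows the folder layout used above.

```shell
#!/bin/sh
# Added example (not the article's hook): deploy only the renewed lineage.
# Certbot exports RENEWED_LINEAGE to deploy hooks, for example
# /etc/letsencrypt/live/example.com

# deploy_lineage LINEAGE_DIR DEST_ROOT
# Copies the four PEM files as regular files (symlinks resolved) into
# DEST_ROOT/<lineage name>, mode 0400, replacing each file atomically.
deploy_lineage() (
    lineage=$1
    dest="$2/$(basename "$lineage")"
    umask 077                       # new directories and temp files stay private
    mkdir -p "$dest" || return 1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -e "$lineage/$f" ]; then
            echo "missing $lineage/$f" >&2
            return 1
        fi
        tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
        cat "$lineage/$f" > "$tmp"  # cat follows the symlink into archive/
        chmod 0400 "$tmp"
        # Hand the file to the broker account only when that is possible
        # (running as root, and the rabbitmq user exists).
        if [ "$(id -u)" -eq 0 ] && id rabbitmq >/dev/null 2>&1; then
            chown rabbitmq:rabbitmq "$tmp"
        fi
        mv -f "$tmp" "$dest/$f"     # rename is atomic within one filesystem
    done
    if [ "$(id -u)" -eq 0 ] && id rabbitmq >/dev/null 2>&1; then
        chown rabbitmq:rabbitmq "$dest"
    fi
)

# Runs only when Certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" /etc/rabbitmq_letsencrypt/live &&
        /usr/bin/systemctl restart rabbitmq-server.service
fi
```

Because the restart is chained with &&, RabbitMQ is restarted only after all four files have been copied successfully.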
5. Access RabbitMQ Management Web UI
You have completed the RabbitMQ installation. Now restart the server to see if everything is working correctly:
$ sudo reboot
Wait a moment for the system to boot.
Open the link https://example.com:15672/ in your browser if you have configured HTTPS in step 4. If not, open the link http://192.0.2.100:15672/, replacing 192.0.2.100 with your server IP address.
The RabbitMQ Management screen appears. Log in with the credentials you specified earlier. You will see the RabbitMQ metrics after logging in.