RabbitMQ with SSL, STOMP, and Websockets

I had fun this weekend setting up RabbitMQ with STOMP, over Websocket, over SSL. By fun, I mean it took 2 days, 8 hours and a great deal of head-banging on the wall.

I wanted to configure SSL on the two services I mainly use RabbitMQ for: STOMP, and STOMP over Websocket. (I set it up with AMQP too, but that's by-the-by).

SSL Setup with RabbitMQ

By following the guides here and here I managed to get the server-side working. I don't need my clients to have certificates for client validation, so I turned the verify and fail peer cert options off in the config:

 

The `rabbitmq_web_stomp` config was pretty much the same, except for some reason it uses `ssl_config` instead of `ssl_options`. There were a couple of 'gotchas' too. The first was that my keys were not readable for rabbitmq's user, so I ran `chown root:ssl-cert *` on them and `chmod 640 *` to get the right permissions:

I'm not sure if Rabbit was already in the ssl-cert group, but you should check `groups rabbitmq` and add it if it's not, with `usermod -a -G ssl-cert rabbitmq`.

The second was that I missed out the cacertfile: the intermediate certificate of the certification authority in PEM format, which I downloaded from my provider (I'd previously concatenated this onto my .cert file, as this works for my web browser). I decided to get a CA-signed certificate (rather than self-signed) as this way other people using Websockets in the browser don't need to manually add my certificate & self-signed CA. Luckily, my DNS registrar, Gandi, offered the first year of SSL free for the domains I have with them.

Client Connections

Using the openssl client to connect now succeeds:

 

OK, cool. Using stomp.js I was able to connect to STOMP from the browser via SSL-secured Websocket. I just had to make sure that it tried the SSL port when the page was loaded over https:

 

Great. Websocket STOMP is now nicely SSL-ified.

stomp.py

Next I moved on to my Python clients, which use stomp.py to negotiate a pure STOMP connection (no websocket) to RabbitMQ on port 61614. You should use this library over the other STOMP Python library still kicking about in PyPI.

I cracked in a call to `Connection.set_ssl()` to set up the SSL config for the library, and then spent the next 6 hours trying to track down the following error:

 

In the end, Google pulled through with a mailing list from 2012 which gave me a hint:
http://erlang.org/pipermail/erlang-questions/2012-December/071099.html

Stomp.py wasn't setting up an SSL connection. Instead, it was spewing the STOMP "CONNECT" packet straight into the server socket expecting an SSL negotiation header. My code was at fault, though the library didn't help me track down the error much. While tailing the RabbitMQ log (`tail -f /var/log/rabbitmq/rabbit@finnigan.log.1`), I opened a Python3 terminal and tried negotiating an SSL connection:

 

Success. That worked: RabbitMQ's log shows a successful connection:

 

The plot thickens. Why wasn't STOMP.py negotiating an SSL connection? I was using the `set_ssl` method, but obviously it wasn't working. There don't seem to be any good code examples in the docs for this library for doing exactly this, so I dug down into stomp/transport.py, inserting log statements to see what was going on, and traced it back to my parameter to `set_ssl`, which was a Python dict instead of a tuple inside a dict. Damn it. I therefore include below my final working test code as an example for those who might follow...

Hopefully this might be useful to someone trying to use SSL, STOMP, stomp.py and/or RabbitMQ together!
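
The failure described above, a plaintext STOMP "CONNECT" frame arriving on a port that expects an SSL/TLS handshake, can be recognised from the first bytes on the wire. The following is an added example, not code from the original post: it builds a real ClientHello in memory with Python's `ssl` module and compares it with a constructed plaintext frame. The function names and the host name `broker.example` are assumptions.

```python
import ssl

# Client frames that open a STOMP session (STOMP 1.0/1.1/1.2).
STOMP_COMMANDS = (b"CONNECT", b"STOMP")


def make_client_hello(server_name="broker.example"):
    """Return the first bytes a real TLS client sends, built entirely in memory."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    return outgoing.read()


def classify_first_bytes(data):
    """Describe what a listener on the SSL STOMP port is looking at."""
    # TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
    # 0x16 = handshake record, 0x03 = TLS major version, then handshake type 0x01 = ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line in STOMP_COMMANDS:
        return "plaintext-stomp"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the frame a STOMP client sends when SSL was never enabled.
    plaintext = b"CONNECT\naccept-version:1.1\nhost:/\n\n\x00"
    samples = (("TLS client", make_client_hello()), ("misconfigured client", plaintext))
    for label, data in samples:
        print(f"{label}: {classify_first_bytes(data)} (first bytes {data[:5].hex()})")
```

A client whose SSL settings were silently ignored shows up as `plaintext-stomp`: the server reads the ASCII letters of "CONNECT" where it expects the record header and aborts the handshake.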

BuildAX

I was at a conference on Friday at the Institute for Sustainability, Newcastle University (who fund my PhD research). I gave a 2-minute talk on the project I have been working on for the past year: "BuildAX". I thought I should write a bit on how this evolved.

Building Monitoring

BuildAX is a fully open-source hardware and software platform for monitoring of environmental conditions in buildings, i.e. temperature, humidity, incident light and so on.

The project is part of the OpenMovement project, a range of hardware designed and developed at Culture Lab to assist various research projects (and distributed by Axivity for other people who want to use them).

Ice Bucket Challenge

I think everyone's familiar by now with the "Ice Bucket Challenge", a charity campaign for ALS (Amyotrophic Lateral Sclerosis), known in the UK as Motor Neurone Disease. The success of the campaign has been surprising, passing $70 million in donations at the start of this week. It's a very clever marketing strategy for a very horrible neurological degenerative disorder.
