Last updated: 2026-02-11
RabbitMQ TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for RabbitMQ to encrypt AMQP client connections, inter-node cluster traffic, and the management plugin HTTP API. RabbitMQ uses Erlang's built-in TLS implementation, which relies on OpenSSL under the hood.
Prerequisites
- RabbitMQ 3.8 or later (3.13+ recommended; the rabbitmq.conf format requires 3.7+)
- Erlang/OTP 22 or later (for TLS 1.3 support)
- OpenSSL 1.1.1 or later
- SSL certificates (server certificate, private key, and CA certificate)
Installation note: RabbitMQ is not in the base repositories for RHEL, Debian, Ubuntu, or SLES. Install from the official RabbitMQ package repository or use the Erlang packages from Erlang Solutions.
Certificate Setup
RabbitMQ expects PEM-formatted certificates. Set appropriate permissions:
chmod 640 /etc/rabbitmq/ssl/server.key
chown rabbitmq:rabbitmq /etc/rabbitmq/ssl/*
AMQP Listener TLS Configuration
Configure TLS for the main AMQP listener in rabbitmq.conf (the new-style sysctl format).
Enable TLS Listener
Disable the plaintext listener and enable the TLS listener on port 5671 (the standard AMQPS port):
listeners.tcp = none
listeners.ssl.default = 5671
Certificate Files
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key
Protocol Versions
Restrict to TLS 1.2 and TLS 1.3:
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
Cipher Suites
RabbitMQ accepts OpenSSL cipher names in the configuration. Configure strong AEAD cipher suites:
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
Server Cipher Preference
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
Client Certificate Verification
To require clients to present a valid TLS certificate (mutual TLS):
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
For optional client certificates:
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
To skip client certificate verification entirely:
ssl_options.verify = verify_none
Management Plugin HTTPS
The RabbitMQ management plugin (web UI and HTTP API) should also be served over HTTPS:
management.ssl.port = 15671
management.ssl.cacertfile = /etc/rabbitmq/ssl/ca.pem
management.ssl.certfile = /etc/rabbitmq/ssl/server.crt
management.ssl.keyfile = /etc/rabbitmq/ssl/server.key
management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
management.ssl.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
management.ssl.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
management.ssl.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
management.ssl.honor_cipher_order = true
To disable the plaintext management listener:
management.tcp.port = 0
Inter-Node (Cluster) TLS
To encrypt communication between RabbitMQ cluster nodes, configure the Erlang distribution to use TLS.
Create an Erlang inter_node_tls.config file:
[
  {server, [
    {cacertfile, "/etc/rabbitmq/ssl/ca.pem"},
    {certfile, "/etc/rabbitmq/ssl/server.crt"},
    {keyfile, "/etc/rabbitmq/ssl/server.key"},
    {secure_renegotiate, true},
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]},
  {client, [
    {cacertfile, "/etc/rabbitmq/ssl/ca.pem"},
    {certfile, "/etc/rabbitmq/ssl/server.crt"},
    {keyfile, "/etc/rabbitmq/ssl/server.key"},
    {secure_renegotiate, true},
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]}
].
Then in rabbitmq.conf, set the peer discovery backend as usual (the TLS distribution itself is switched on through the Erlang VM arguments in rabbitmq-env.conf, shown next):
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config
And set the environment variable in rabbitmq-env.conf:
SERVER_ADDITIONAL_ERL_ARGS="-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter_node_tls.config"
Complete Configuration
In rabbitmq.conf:
# Disable plaintext AMQP, enable TLS
listeners.tcp = none
listeners.ssl.default = 5671
# Certificates
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key
# Protocol versions
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
# Cipher suites
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
# Client certificates
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
# Management HTTPS
management.ssl.port = 15671
management.ssl.cacertfile = /etc/rabbitmq/ssl/ca.pem
management.ssl.certfile = /etc/rabbitmq/ssl/server.crt
management.ssl.keyfile = /etc/rabbitmq/ssl/server.key
management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
management.ssl.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
management.ssl.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
management.ssl.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
management.ssl.honor_cipher_order = true
management.tcp.port = 0
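As an added check (not part of the original guide), the following Python script audits a rabbitmq.conf against the AMQP listener, cipher suite, client certificate and management HTTPS settings recommended above. It parses the sysctl-style format, collects the numbered versions/ciphers keys, and reports every deviation; the weak sample configuration at the bottom is constructed for illustration and is not from this guide.

```python
import re
ALLOWED_VERSIONS = {"tlsv1.2", "tlsv1.3"}  # the two versions this guide enables
# Forward-secret AEAD suites only, matching the guide's cipher list.
STRONG_CIPHER = re.compile(r"ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$")

def parse_conf(text):
    """Parse sysctl-style rabbitmq.conf ('#' starts a comment) into a key/value dict."""
    pairs = (ln.split("#", 1)[0].split("=", 1) for ln in text.splitlines() if "=" in ln.split("#", 1)[0])
    return {k.strip(): v.strip() for k, v in pairs}

def numbered(conf, prefix):
    """Values of numbered keys (prefix.1, prefix.2, ...) in index order."""
    hits = [(int(m.group(1)), v) for k, v in conf.items()
            if (m := re.fullmatch(re.escape(prefix) + r"\.(\d+)", k))]
    return [v for _, v in sorted(hits)]

def audit_tls(text):
    """Return findings against this guide's recommendations; an empty list means compliant."""
    conf, findings = parse_conf(text), []
    if conf.get("listeners.tcp") != "none":
        findings.append("plaintext AMQP listener enabled (listeners.tcp should be none)")
    if "listeners.ssl.default" not in conf:
        findings.append("no TLS AMQP listener (listeners.ssl.default)")
    if "management.ssl.port" not in conf:
        findings.append("management plugin not served over HTTPS")
    if conf.get("management.tcp.port") != "0":
        findings.append("plaintext management listener not disabled (management.tcp.port = 0)")
    if conf.get("ssl_options.verify") == "verify_none":
        findings.append("client certificate verification disabled (verify_none)")
    for p in ("ssl_options", "management.ssl"):
        findings += [f"{p}.{f} not set" for f in ("cacertfile", "certfile", "keyfile") if f"{p}.{f}" not in conf]
        versions, ciphers = numbered(conf, f"{p}.versions"), numbered(conf, f"{p}.ciphers")
        if not versions or not ciphers:
            findings.append(f"{p}: versions or ciphers not restricted (Erlang defaults apply)")
        findings += [f"{p}: legacy protocol {v} enabled" for v in versions if v not in ALLOWED_VERSIONS]
        findings += [f"{p}: weak or non-AEAD cipher {c}" for c in ciphers if not STRONG_CIPHER.match(c)]
        if conf.get(f"{p}.honor_cipher_order") != "true":
            findings.append(f"{p}: server cipher preference not enforced")
    return findings

# Constructed sample (not from the guide): plaintext still on, TLS 1.0 and a CBC suite allowed.
WEAK_CONF = """
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1
ssl_options.ciphers.1 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = AES256-SHA   # no forward secrecy, CBC + HMAC
ssl_options.verify = verify_none
"""
```

Running audit_tls on the Complete Configuration above returns an empty list; running it on WEAK_CONF lists the plaintext listeners, the legacy protocol, the CBC suite, verify_none and the missing management HTTPS settings.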
Client Connection
Connect with TLS using the AMQPS URI scheme:
amqps://user:password@rabbitmq.example.com:5671/vhost
Example with Python (pika):
import pika
import ssl

# Verify the broker certificate against our CA; hostname checking is on by default
# in a default context, so a certificate for the wrong name is rejected.
context = ssl.create_default_context(cafile="/path/to/ca.pem")
parameters = pika.ConnectionParameters(
    host="rabbitmq.example.com",
    port=5671,                               # AMQPS, implicit TLS
    ssl_options=pika.SSLOptions(context),
)
connection = pika.BlockingConnection(parameters)
Verification
Restart RabbitMQ and check the TLS listener:
systemctl restart rabbitmq-server
rabbitmq-diagnostics listeners
You should see port 5671 listed as an SSL listener.
Test the TLS connection (port 5671 uses implicit TLS, no STARTTLS):
openssl s_client -connect rabbitmq.example.com:5671
Check the enabled TLS versions and ciphers:
rabbitmq-diagnostics tls_versions
rabbitmq-diagnostics cipher_suites --format openssl
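The openssl s_client check above confirms one handshake; the following added Python script (not part of the original guide) generalises it by attempting an implicit-TLS handshake on port 5671 once per protocol version and flagging any legacy version or non-AEAD cipher the listener still accepts. The host name and CA path are placeholders you supply on the command line.

```python
import socket
import ssl

# Versions to try, oldest first; a listener configured per this guide should accept only the last two.
PROBE_VERSIONS = [("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                  ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]

def probe_tls(host, port=5671, cafile=None, timeout=5.0):
    """Handshake once per TLS version (implicit TLS on 5671, no STARTTLS).
    Returns {version: (accepted, detail)}; detail is the negotiated cipher or the error reason."""
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the hostname
        try:
            ctx.minimum_version = ctx.maximum_version = version  # pin this handshake to one version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, tls.cipher()[0])
        except (OSError, ValueError) as exc:  # SSLError is an OSError; ValueError = version unsupported locally
            results[name] = (False, getattr(exc, "reason", None) or str(exc))
    return results

def assess(results, allowed=("TLSv1.2", "TLSv1.3")):
    """Turn probe results into findings; an empty list means the listener matches the guide."""
    findings = []
    for name, (accepted, detail) in results.items():
        if accepted and name not in allowed:
            findings.append(f"{name} accepted with {detail}; restrict ssl_options.versions")
        # TLS 1.3 suites are named TLS_AES_*_GCM_* / TLS_CHACHA20_*, so one check covers both generations
        if accepted and not any(tag in detail for tag in ("GCM", "CHACHA20")):
            findings.append(f"{name}: non-AEAD cipher {detail} negotiated")
    if not any(results.get(v, (False,))[0] for v in allowed):
        findings.append("no allowed TLS version could be negotiated (check cafile, SNI and the chain)")
    return findings

if __name__ == "__main__":
    import sys  # usage: probe.py <host> [cafile]; host and cafile are placeholders you supply
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <host> [cafile]")
    outcome = probe_tls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    for line in assess(outcome) or ["OK: only TLS 1.2/1.3 with AEAD ciphers accepted"]:
        print(line)
```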