How to Install RabbitMQ on CentOS 7

Updated on August 2, 2021
How to Install RabbitMQ on CentOS 7 header image

Introduction

RabbitMQ is a widely used open-source message-broker written in the Erlang programming language. Built on top of the Open Telecom Platform (OTP) framework, it meets the needs of clustering and fail-over. Furthermore, its plugin architecture makes it possible for RabbitMQ to support Advanced Message Queuing Protocol (AMQP), Streaming Text Oriented Messaging Protocol (STOMP), MQ Telemetry Transport (MQTT), and other protocols as well.

This article explains how to install RabbitMQ on a Vultr CentOS 7 server instance.

Prerequisites

1. Install Erlang

Because RabbitMQ is written in Erlang, you need to install Erlang before installing RabbitMQ.

At the time of this writing, the latest stable version of RabbitMQ for CentOS 7 is 3.8.19, which requires Erlang version 23.2 or later. If you want to install a newer version of RabbitMQ, refer to the RabbitMQ Erlang Version Requirements page for which Erlang versions are compatible.

The RabbitMQ team recommends Erlang version 24 because it offers significant throughput improvements for many workloads. But Erlang version 23 has better compatibility because some community plugins and tools may be incompatible with Erlang 24.

Log in to the server as a non-root sudo user via SSH.

Enable the Extra Packages for Enterprise Linux (EPEL) repository because it has packages required by Erlang:

$ sudo yum -y install epel-release

Choose one of the following options to download the Erlang version you want.

  • Option 1: Download Erlang 23.3.1, the latest version in the 23.x line at the time of this writing.

      $ cd ~ && wget https://packages.erlang-solutions.com/erlang/rpm/centos/7/x86_64/esl-erlang_23.3.1-1~centos~7_amd64.rpm
  • Option 2: Download Erlang 24.0.2, the latest version in the 24.x line at the time of this writing.

      $ cd ~ && wget https://packages.erlang-solutions.com/erlang/rpm/centos/7/x86_64/esl-erlang_24.0.2-1~centos~7_amd64.rpm
  • Option 3: Download a newer version compatible with RabbitMQ if it is available.

    Go to the Erlang Solutions download page. Select the Erlang OTP package, CentOS from the Platforms list, and Standard from the Distribution list. Then click VIEW ALL to list all versions for CentOS. Select the version you want. Copy the download link corresponding to CentOS 7 (64-bit). Download it using wget as shown above.

Install the downloaded package:

$ sudo yum -y install esl-erlang*.rpm

Open the Erlang shell to verify the installation:

$ erl

You should see something like this:

Erlang/OTP 23 [erts-11.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:1] [hipe]

Eshell V11.2  (abort with ^G)
1>

Press Ctrl + C twice to quit the Erlang shell.

2. Install RabbitMQ

Download the latest version of RabbitMQ, which is 3.8.19 at the time of this writing:

$ wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.8.19/rabbitmq-server-3.8.19-1.el7.noarch.rpm

You can always find the latest version of RabbitMQ on its releases page on GitHub. Make sure to choose the link that ends with el7.noarch.rpm.

Install the downloaded package:

$ sudo yum -y install rabbitmq-server*.rpm

Start the RabbitMQ service:

$ sudo systemctl start rabbitmq-server.service

Enable RabbitMQ to start on system boot:

$ sudo systemctl enable rabbitmq-server.service

Check the status of RabbitMQ:

$ sudo rabbitmqctl status

To enable access to the RabbitMQ management web UI and other common features, update the firewall rules to allow inbound TCP traffic on ports 4369, 25672, 5671, 5672, 15672, 61613, 61614, 1883, and 8883.

$ sudo firewall-cmd --zone=public --permanent --add-port=4369/tcp --add-port=25672/tcp --add-port=5671-5672/tcp --add-port=15672/tcp  --add-port=61613-61614/tcp --add-port=1883/tcp --add-port=8883/tcp

Reload the current firewall session to apply the change:

$ sudo firewall-cmd --reload

3. Enable RabbitMQ Management Plugin

The RabbitMQ management plugin offers an HTTP API, a web UI, and a command-line tool for managing and monitoring RabbitMQ servers. Although the web UI is quite basic, it makes it easy to monitor the recent metrics of the RabbitMQ server.

Enable RabbitMQ management plugin:

$ sudo rabbitmq-plugins enable rabbitmq_management

During activation, the plugin creates a default administrator account named guest. Delete this account to avoid security issues:

$ sudo rabbitmqctl delete_user guest

Add a new account for accessing the web UI. In the following commands, replace admin with your desired account name:

$ sudo rabbitmqctl add_user admin

Enter a strong password for the admin account when prompted. You can use a free password manager like KeePassXC or an online tool such as Random Password Generator to generate strong passwords.

Tag admin as an administrator account:

$ sudo rabbitmqctl set_user_tags admin administrator

Grant appropriate permissions to the admin account:

$ sudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"

Now you can use the admin account to access the web UI. But if you own a valid domain name, you should follow the next step to configure HTTPS for the web UI at no cost. If not, you can jump straight to step 5 to access the web UI.

4. (Optional) Configure HTTPS for RabbitMQ Management Web UI

This step assumes that you want to configure HTTPS for the web UI with the domain name example.com, and you have pointed it to the server IP address. Make sure to replace example.com in the code examples with your domain name.

Install Certbot with Snap

Certbot is a program used to get free TLS certificates from Let's Encrypt, a certificate authority.

Snap Store is an app store for Linux with millions of users. It makes it easy to get the latest version of Certbot with features like automatic certificate renewal. The package that provides everything you need to work with the Snap Store is snapd.

Install the snapd package:

$ sudo yum -y install snapd

Enable the snapd service:

$ sudo systemctl enable --now snapd.socket

Enable classic snap support:

$ sudo ln -s /var/lib/snapd/snap /snap

Get the latest version of snapd core:

$ sudo snap install core && sudo snap refresh core

Do not worry if you get the following error:

error: too early for operation, device not yet seeded or device model not acknowledged

After installing snapd, it may take a little while to initialize its environment. So, wait a while before retrying the above command.

Install Certbot:

$ sudo snap install --classic certbot

Make the certbot command globally available:

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Get a Let's Encrypt Certificate

Certbot supports multiple modes for getting certificates. You will use the standalone mode to get a certificate for your domain name because this mode does not require a web server such as Nginx or Apache.

To confirm that you control the domain name, Certbot needs to bind to port 80 to perform domain validation. Update the firewall rules to allow inbound TCP traffic on port 80:

$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp

Reload the current firewall session to apply the change:

$ sudo firewall-cmd --reload

Now you can run the following command to get a Let's Encrypt certificate:

$ sudo certbot certonly --standalone -d example.com -m admin@example.com --agree-tos

You may need to answer a question about sharing your email with the Electronic Frontier Foundation.

When finished, Certbot places all the files related to the certificate in the /etc/letsencrypt/archive/example.com folder and creates corresponding symlinks in the /etc/letsencrypt/live/example.com folder for your convenience. Those symlinks are:

$ sudo ls /etc/letsencrypt/live/example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

You will use those symlinks in the next step to install the certificate.

Install the Certificate

Due to security reasons, only the root account can access the /etc/letsencrypt/archive and /etc/letsencrypt/live folders. But the rabbitmq account needs to read files inside those folders to configure HTTPS. A reasonable solution is to clone those folders into a new folder for the rabbitmq account.

Create a new folder:

$ sudo mkdir /etc/rabbitmq_letsencrypt

Clone the /etc/letsencrypt/archive and /etc/letsencrypt/live folders into the new folder:

$ sudo cp -r /etc/letsencrypt/archive /etc/rabbitmq_letsencrypt
$ sudo cp -r /etc/letsencrypt/live /etc/rabbitmq_letsencrypt

Make rabbitmq the owner of the new folder so that RabbitMQ can read all the files related to the certificate:

$ sudo chown -R rabbitmq:rabbitmq /etc/rabbitmq_letsencrypt

Create a configuration file to store the TLS settings. This tutorial uses nano as the editor, but you can use another editor such as vim.

$ sudo nano /etc/rabbitmq/rabbitmq.conf

Paste the following into the editor:

management.ssl.port       = 15672
management.ssl.cacertfile = /etc/rabbitmq_letsencrypt/live/example.com/chain.pem
management.ssl.certfile   = /etc/rabbitmq_letsencrypt/live/example.com/cert.pem
management.ssl.keyfile    = /etc/rabbitmq_letsencrypt/live/example.com/privkey.pem

management.ssl.honor_cipher_order   = true
management.ssl.honor_ecc_order      = true
management.ssl.client_renegotiation = false
management.ssl.secure_renegotiate   = true

management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.versions.3 = tlsv1.1

management.ssl.ciphers.1  = TLS_AES_256_GCM_SHA384
management.ssl.ciphers.2  = TLS_AES_128_GCM_SHA256
management.ssl.ciphers.3  = TLS_CHACHA20_POLY1305_SHA256
management.ssl.ciphers.4  = TLS_AES_128_CCM_SHA256
management.ssl.ciphers.5  = TLS_AES_128_CCM_8_SHA256
management.ssl.ciphers.6  = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.7  = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.8  = ECDHE-ECDSA-AES256-SHA384
management.ssl.ciphers.9  = ECDHE-RSA-AES256-SHA384
management.ssl.ciphers.10 = ECDH-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.11 = ECDH-RSA-AES256-GCM-SHA384
management.ssl.ciphers.12 = ECDH-ECDSA-AES256-SHA384
management.ssl.ciphers.13 = ECDH-RSA-AES256-SHA384
management.ssl.ciphers.14 = DHE-RSA-AES256-GCM-SHA384

Save the configuration file and exit.

Automate Renewal

Let's Encrypt certificates are valid for 90 days, so you must renew your TLS certificate at least once every three months. The Certbot installation automatically created a systemd timer unit to automate this task. Run the following command to verify the timer is active:

$ sudo systemctl list-timers | grep 'certbot\|ACTIVATES'

After renewing the certificate, Certbot will not automatically restart the RabbitMQ service, so RabbitMQ management web UI still uses the old certificate. You must write a script inside the /etc/letsencrypt/renewal-hooks/deploy folder to restart the RabbitMQ service.

Open your text editor:

$ sudo nano /etc/letsencrypt/renewal-hooks/deploy/restart-rabbitmq.sh

Paste the following into the editor:

#!/bin/bash

# Copy new certificate files for RabbitMQ
cp -ru /etc/letsencrypt/archive /etc/rabbitmq_letsencrypt
cp -ru /etc/letsencrypt/live /etc/rabbitmq_letsencrypt

# Make rabbitmq the owner of the new files
chown -R rabbitmq:rabbitmq /etc/rabbitmq_letsencrypt

# Restart the RabbitMQ service
/usr/bin/systemctl restart rabbitmq-server.service

Save and exit. Then make the script executable.

$ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-rabbitmq.sh

Test the renewal process with a dry run.

$ sudo certbot renew --dry-run

5. Access RabbitMQ Management Web UI

You have completed the RabbitMQ installation. Now restart the server to see if everything is working correctly:

$ sudo reboot

Wait a moment for the system to boot.

Open the link https://example.com:15672/ in your browser if you have configured HTTPS in step 4. If not, open the link http://192.0.2.100:15672/, replace 192.0.2.100 with your server IP address.

The RabbitMQ Management screen appears. Log in with the credentials you had specified earlier. You will see the RabbitMQ metrics after logging in.