docker run -itd --name rabbitmq -v /home/rabbitmq/etc/rabbitmq:/etc/rabbitmq -v /home/rabbitmq/lib/rabbitmq:/var/lib/rabbitmq  -v /home/rabbitmq/log/rabbitmq/:/var/log/rabbitmq -v /home/rabbitmq/ssl:/etc/rabbitmq/ssl -p 5671:5671 -p 5672:5672 -p 15672:15672 --privileged=true rabbitmq:management

运行以下命令查看rabbitmq服务是否启动成功
docker ps -a

如果启动失败，请参照我的另一篇文章，从【第六步】开始看
https://blog.csdn.net/a15940835457/article/details/105405467

cd /home
mkdir rmpca
cd rmqca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt

[ ca ]
default_ca = rmqca
 
[ rmqca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial  

default_crl_days = 7
default_days = 365
default_md = sha256
 
policy = rmqca_policy
x509_extensions = certificate_extensions  

[ rmqca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional  

[ certificate_extensions ]
basicConstraints = CA:false  

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions  

[ root_ca_distinguished_name ]
commonName = hostname  

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign  

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2  

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

执行如下两个命令
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365  -out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes

openssl x509 -in cacert.pem -out cacert.cer -outform DER

执行如下几个命令
cd ..
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
cd ../rmqca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

cd /root
openssl rand -writerand .rnd

cd ..
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
cd ../rmqca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

执行以下3条命令
cp -r rmqca /home/rabbitmq/ssl
cp -r server /home/rabbitmq/ssl
cp -r client /home/rabbitmq/ssl

find / -name rabbitmq.conf

loopback_users.guest = false
listeners.tcp.default = 5672
# SSL\TLS通信的端口
listeners.ssl.default = 5671
# 服务端私钥和证书文件配置
ssl_options.cacertfile = /home/rabbitmq/etc/rabbitmq/ssl/rmqca/cacert.pem
ssl_options.certfile = /home/rabbitmq/etc/rabbitmq/ssl/server/cert.pem
ssl_options.keyfile = /home/rabbitmq/etc/rabbitmq/ssl/server/key.pem

# 有verify_none和verify_peer两个选项，verify_none表示完全忽略验证证书的结果，verify_peer表示要求验证对方证书
ssl_options.verify = verify_peer
# 若为true，服务端会向客户端索要证书，若客户端无证书则中止SSL握手；若为false，则客户端没有证书时依然可完成SSL握手
ssl_options.fail_if_no_peer_cert = true

docker start rabbitmq
docker ps -a