Merge pull request #502 from ansforge/chore/lrm/server/migrate-cert

issam71100 · web-flow · commit 2932cb64a246 · 2026-01-14T14:22:04.000+01:00
chore/lrm/server : use pem instead of pfx for ssl connection
diff --git a/web/lrm/server/.env.template b/web/lrm/server/.env.template
@@ -1,5 +1,4 @@
 HUB_URL=amqps://messaging.integration.hub.esante.gouv.fr
-LRM_PASSPHRASE=CHANGE_ME_mock_cert_password
 GITHUB_TOKEN=mock_github_token
 ADMIN_PASSWORD=mock_admin_password
 VHOST_CLIENT_MAP={"15-15_v2.1": ["fr.health.test.samuA", "fr.health.test.samuB"]}
diff --git a/web/lrm/server/README.md b/web/lrm/server/README.md
@@ -8,8 +8,6 @@
 cp .env.template .env
 ```
 
-- Set the value of `LRM_PASSPHRASE` to the passphrase of the server certificate to conect to RabbitMQ. Ask for the value to another member of the team.
-
 - *Optional:* Update the content of the `.env` file:
   - `HUB_URL` controls the RabbitMQ instance the app will connect to. Use `amqps://messaging.<environment>.hub.esante.gouv.fr` to connect to a specific environment (or `amqps://messaging.hub.esante.gouv.fr` for production).
   - `GITHUB_TOKEN` is used to interract with Github API. It should be set to a valid token when working of the feature that consumes the Github API. See [Github documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) on how to generate a personal token with the correct rights.
diff --git a/web/lrm/server/src/WebSocketHandler.test.ts b/web/lrm/server/src/WebSocketHandler.test.ts
@@ -12,7 +12,6 @@ beforeEach(() => {
     ...originalEnv,
     ADMIN_PASSWORD: 'foo',
     HUB_URL: 'foo',
-    LRM_PASSPHRASE: 'foo',
     VHOST_CLIENT_MAP: JSON.stringify({
       '15-15_v1.5': ['fr.health.test.samuV1', 'fr.health.test.samuA'],
       '15-15_v2.0': ['fr.health.test.samuV2', 'fr.health.test.samuB'],
diff --git a/web/lrm/server/src/config.ts b/web/lrm/server/src/config.ts
@@ -7,7 +7,6 @@ export class Config {
   private readonly port: number;
   private readonly adminPassword: string;
   private readonly hubUrl: string;
-  private readonly lrmCertPassphrase: string;
   private readonly hubSanteExchange: string;
   private readonly vhostClientMap: VhostClientMap;
   private readonly logger: Logger;
@@ -16,7 +15,6 @@ export class Config {
     this.port = this.extractNumericEnvVar('PORT', 8081);
     this.adminPassword = this.extractEnvVar('ADMIN_PASSWORD');
     this.hubUrl = this.extractEnvVar('HUB_URL');
-    this.lrmCertPassphrase = this.extractEnvVar('LRM_PASSPHRASE');
     this.hubSanteExchange = 'hubsante';
     this.vhostClientMap = JSON.parse(this.extractEnvVar('VHOST_CLIENT_MAP'));
     this.logger = logger.child({ component: 'Config' });
@@ -55,10 +53,6 @@ export class Config {
     return this.hubUrl;
   }
 
-  public getLrmCertPassphrase() {
-    return this.lrmCertPassphrase;
-  }
-
   public getHubSanteExchange() {
     return this.hubSanteExchange;
   }
diff --git a/web/lrm/server/src/expressServer.test.ts b/web/lrm/server/src/expressServer.test.ts
@@ -49,7 +49,6 @@ beforeEach(() => {
     ...originalEnv,
     ADMIN_PASSWORD: 'foo',
     HUB_URL: 'foo',
-    LRM_PASSPHRASE: 'foo',
     VHOST_CLIENT_MAP: JSON.stringify({
       '15-15_v1.5': ['fr.health.test.samuV1', 'fr.health.test.samuA'],
       '15-15_v2.0': ['fr.health.test.samuV2', 'fr.health.test.samuB'],
diff --git a/web/lrm/server/src/rabbit/certs/lrm_test.pfx b/web/lrm/server/src/rabbit/certs/lrm_test.pfx
diff --git a/web/lrm/server/src/rabbit/utils.ts b/web/lrm/server/src/rabbit/utils.ts
@@ -14,21 +14,17 @@ export class RabbitMQConnector {
     this.config = config;
     this.connectionOptions = {
       ...this.readCerts(),
-      passphrase: this.config.getLrmCertPassphrase(),
       credentials: credentials.external(),
       clientProperties: { connection_name: 'lrm-interface' },
     };
     this.logger = logger.child({ component: 'RabbitMQConnector' });
   }
 
-  private readCerts(): { pfx: Buffer<ArrayBufferLike>; ca: Buffer<ArrayBufferLike>[] } {
+  private readCerts(): { cert: Buffer<ArrayBufferLike>; key: Buffer<ArrayBufferLike>; ca: Buffer<ArrayBufferLike>[] } {
     const moduleDir = __dirname;
     return {
-      // pfx with new encryption needed for Node 19 support
-      // Ref: https://github.com/nodejs/node/issues/40672#issuecomment-1680460423
-      pfx: readFileSync(join(moduleDir, 'certs/lrm_test.pfx')),
-      // cert: fs.readFileSync(path.join(moduleDir, 'certs/local_test.crt')), // client cert
-      // key: fs.readFileSync(path.join(moduleDir, 'certs/local_test.key')), // client key
+      cert: readFileSync(join(moduleDir, 'certs/tls.crt')), // client cert
+      key: readFileSync(join(moduleDir, 'certs/tls.key')), // client key
       ca: [readFileSync(join(moduleDir, 'certs/rootCA.crt'))], // array of trusted CA certs
       // Ref.: https://github.com/amqp-node/amqplib/issues/105
     };
diff --git a/web/lrm/server/src/service/messaging.test.ts b/web/lrm/server/src/service/messaging.test.ts
@@ -43,7 +43,6 @@ beforeEach(() => {
     ...originalEnv,
     ADMIN_PASSWORD: 'foo',
     HUB_URL: 'foo',
-    LRM_PASSPHRASE: 'foo',
     VHOST_CLIENT_MAP: JSON.stringify({
       '15-15_v1.5': ['fr.health.test.samuV1'],
     }),

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`HUB_URL=amqps://messaging.integration.hub.esante.gouv.fr`
`2`		`-LRM_PASSPHRASE=CHANGE_ME_mock_cert_password`
`3`	`2`	`GITHUB_TOKEN=mock_github_token`
`4`	`3`	`ADMIN_PASSWORD=mock_admin_password`
`5`	`4`	`VHOST_CLIENT_MAP={"15-15_v2.1": ["fr.health.test.samuA", "fr.health.test.samuB"]}`