Improve TLS support

michaelklishin · michaelklishin · commit bed165c40a1c · 2025-07-15T01:26:36.000-04:00
* Make sure that the 'tls' settings in the config file is not unintentionally drowned out by its respective CLI flag's default * Support CA certificate, client certificate and client private key settings in rabbitmqadmin.conf References #72.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,10 +2,33 @@
 
 ## v2.7.0 (in development)
 
+### Enhancements
+
+ * `rabbitmqadmin.conf` now supports more TLS-related settings: `ca_certificate_bundle_path` (corresponds to `--tls-ca-cert-file` on the command line), 
+   `client_certificate_file_path` (corresponds to `--tls-cert-file`), and `client_private_key_file_path` (corresponds to `--tls-key-file`). 
+
+   As the names suggest, they are used to configure the CA certificate bundle file path, the client certificate file path,
+   and the client private key file path, respectively:
+ 
+   ```toml
+    [production]
+    hostname = "(redacted)"
+    port = 15671
+    username = "user-efe1f4d763f6"
+    password = "(redacted)"
+    tls = true
+    ca_certificate_bundle_path = "/path/to/ca_certificate.pem"
+    client_certificate_file_path = "/path/to/client_certificate.pem"
+    client_private_key_file_path = "/path/to/client_key.pem"
+   ```
+
+   To learn more, see [RabbitMQ's TLS guide](https://www.rabbitmq.com/docs/ssl).
+
 ### Bug Fixes
 
  * Tool version was unintentionally missing from `-h` output (but present in its long counterpart, `--help`)  
-
+ * The `tls` setting in `rabbitmqadmin.conf`, a `--use-tls` equivalent, was not respected when connecting to a node 
+   in certain cases
 
 ## v2.6.0 (Jul 12, 2025)
 
diff --git a/README.md b/README.md
@@ -1004,8 +1004,14 @@ password = "staging-1d20cfbd9d"
 [production]
 hostname = "(redacted)"
 port = 15671
+
 username = "user-efe1f4d763f6"
 password = "(redacted)"
+
+tls = true
+ca_certificate_bundle_path = "/path/to/ca_certificate.pem"
+client_certificate_file_path = "/path/to/client_certificate.pem"
+client_private_key_file_path = "/path/to/client_key.pem"
 ```
 
 
diff --git a/src/cli.rs b/src/cli.rs
@@ -462,32 +462,31 @@ pub fn parser(pre_flight_settings: PreFlightSettings) -> Command {
                 .help("use TLS (HTTPS) for HTTP API requests ")
                 .env("RABBITMQADMIN_USE_TLS")
                 .value_parser(value_parser!(bool))
-                .action(ArgAction::SetTrue)
-                .requires("tls-ca-cert-file"),
+                .action(ArgAction::SetTrue),
         )
         // --tls-ca-cert-file
         .arg(
-            Arg::new("tls-ca-cert-file")
+            Arg::new("ca_certificate_bundle_path")
                 .long("tls-ca-cert-file")
                 .required(false)
                 .help("Local path to a CA certificate file in the PEM format")
                 .value_parser(value_parser!(PathBuf)),
         )
         // --tls-cert-file
         .arg(
-            Arg::new("tls-cert-file")
+            Arg::new("client_certificate_file_path")
                 .long("tls-cert-file")
                 .required(false)
-                .requires("tls-key-file")
+                .requires("tls")
                 .help("Local path to a client certificate file in the PEM format")
                 .value_parser(value_parser!(PathBuf)),
         )
         // --tls-key-file
         .arg(
-            Arg::new("tls-key-file")
+            Arg::new("client_private_key_file_path")
                 .long("tls-key-file")
                 .required(false)
-                .requires("tls-cert-file")
+                .requires("tls")
                 .help("Local path to a client private key file in the PEM format")
                 .value_parser(value_parser!(PathBuf)),
         )
diff --git a/src/config.rs b/src/config.rs
@@ -63,7 +63,7 @@ pub enum ConfigFileError {
     MissingConfigSection(String),
     #[error(transparent)]
     IoError(#[from] std::io::Error),
-    #[error("failed to deserialize config file. Make sure it is valid TOML")]
+    #[error("failed to deserialize config file. Make sure it is valid TOML. Details: {0}")]
     DeserializationError(#[from] toml::de::Error),
 }
 
@@ -103,6 +103,13 @@ pub struct SharedSettings {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     pub table_style: Option<TableStyle>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ca_certificate_bundle_path: Option<PathBuf>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub client_certificate_file_path: Option<PathBuf>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub client_private_key_file_path: Option<PathBuf>,
 }
 
 impl SharedSettings {
@@ -148,10 +155,9 @@ impl SharedSettings {
 
     pub fn new_with_defaults(cli_args: &ArgMatches, config_file_defaults: &Self) -> Self {
         let default_hostname = DEFAULT_HOST.to_string();
-        let should_use_tls = cli_args
-            .get_one::<bool>("tls")
-            .cloned()
-            .unwrap_or(config_file_defaults.tls);
+        let should_use_tls =
+            cli_args.get_one::<bool>("tls").cloned().unwrap_or(false) || config_file_defaults.tls;
+
         let non_interactive = cli_args
             .get_one::<bool>("non_interactive")
             .cloned()
@@ -207,8 +213,27 @@ impl SharedSettings {
             .or(Some(TableStyle::default()))
             .unwrap_or_default();
 
+        let ca_certificate_bundle_path = cli_args
+            .get_one::<PathBuf>("ca_certificate_bundle_path")
+            .cloned()
+            .or(config_file_defaults.ca_certificate_bundle_path.clone());
+
+        let client_certificate_file_path = cli_args
+            .get_one::<PathBuf>("client_certificate_file_path")
+            .cloned()
+            .or(config_file_defaults.client_certificate_file_path.clone());
+
+        let client_private_key_file_path = cli_args
+            .get_one::<PathBuf>("client_private_key_file_path")
+            .cloned()
+            .or(config_file_defaults.client_private_key_file_path.clone());
+
         Self {
             tls: should_use_tls,
+            ca_certificate_bundle_path,
+            client_certificate_file_path,
+            client_private_key_file_path,
+
             non_interactive,
             quiet,
             base_uri: None,
@@ -274,8 +299,24 @@ impl SharedSettings {
             .or(Some(TableStyle::default()))
             .unwrap_or_default();
 
+        let ca_certificate_bundle_path = cli_args
+            .get_one::<PathBuf>("ca_certificate_bundle_path")
+            .cloned();
+
+        let client_certificate_file_path = cli_args
+            .get_one::<PathBuf>("client_certificate_file_path")
+            .cloned();
+
+        let client_private_key_file_path = cli_args
+            .get_one::<PathBuf>("client_private_key_file_path")
+            .cloned();
+
         Self {
             tls: should_use_tls,
+            ca_certificate_bundle_path,
+            client_certificate_file_path,
+            client_private_key_file_path,
+
             non_interactive,
             quiet,
             base_uri: None,
@@ -348,8 +389,24 @@ impl SharedSettings {
             .or(Some(TableStyle::default()))
             .unwrap_or_default();
 
+        let ca_certificate_bundle_path = cli_args
+            .get_one::<PathBuf>("ca_certificate_bundle_path")
+            .cloned();
+
+        let client_certificate_file_path = cli_args
+            .get_one::<PathBuf>("client_certificate_file_path")
+            .cloned();
+
+        let client_private_key_file_path = cli_args
+            .get_one::<PathBuf>("client_private_key_file_path")
+            .cloned();
+
         Self {
             tls: should_use_tls,
+            ca_certificate_bundle_path,
+            client_certificate_file_path,
+            client_private_key_file_path,
+
             non_interactive,
             quiet,
             base_uri: Some(url.to_string()),
@@ -414,8 +471,24 @@ impl SharedSettings {
             .or(Some(TableStyle::default()))
             .unwrap_or_default();
 
+        let ca_certificate_bundle_path = cli_args
+            .get_one::<PathBuf>("ca_certificate_bundle_path")
+            .cloned();
+
+        let client_certificate_file_path = cli_args
+            .get_one::<PathBuf>("client_certificate_file_path")
+            .cloned();
+
+        let client_private_key_file_path = cli_args
+            .get_one::<PathBuf>("client_private_key_file_path")
+            .cloned();
+
         Self {
             tls: should_use_tls,
+            ca_certificate_bundle_path,
+            client_certificate_file_path,
+            client_private_key_file_path,
+
             non_interactive,
             quiet,
             base_uri: Some(url.to_string()),
diff --git a/src/main.rs b/src/main.rs
@@ -66,7 +66,7 @@ fn main() {
 
     match configure_http_api_client(&cli, &common_settings, &endpoint.clone()) {
         Ok(client) => {
-            let exit_code = dispatch_command(&cli, client, &common_settings, endpoint);
+            let exit_code = dispatch_command(&cli, client, &common_settings);
             process::exit(exit_code.into())
         }
         Err(err) => {
@@ -116,13 +116,13 @@ fn resolve_run_configuration(cli: &ArgMatches) -> (SharedSettings, String) {
 
 fn configure_http_api_client<'a>(
     cli: &'a ArgMatches,
-    common_settings: &'a SharedSettings,
+    merged_settings: &'a SharedSettings,
     endpoint: &'a str,
 ) -> Result<APIClient, CommandRunError> {
-    let httpc = build_http_client(cli, common_settings)?;
+    let httpc = build_http_client(cli, merged_settings)?;
     // Due to how SharedSettings are computed, these should safe to unwrap()
-    let username = common_settings.username.clone().unwrap();
-    let password = common_settings.password.clone().unwrap();
+    let username = merged_settings.username.clone().unwrap();
+    let password = merged_settings.password.clone().unwrap();
     let client = build_rabbitmq_http_api_client(
         httpc,
         endpoint.to_owned(),
@@ -135,16 +135,15 @@ fn configure_http_api_client<'a>(
 fn dispatch_command(
     cli: &ArgMatches,
     client: APIClient,
-    common_settings: &SharedSettings,
-    endpoint: String,
+    merged_settings: &SharedSettings,
 ) -> ExitCode {
     if let Some((first_level, first_level_args)) = cli.subcommand() {
         if let Some((second_level, second_level_args)) = first_level_args.subcommand() {
             // this is a Tanzu RabbitMQ-specific command, these are grouped under "tanzu"
             if first_level == TANZU_COMMAND_PREFIX {
                 if let Some((third_level, third_level_args)) = second_level_args.subcommand() {
                     let pair = (second_level, third_level);
-                    let mut res_handler = ResultHandler::new(common_settings, second_level_args);
+                    let mut res_handler = ResultHandler::new(merged_settings, second_level_args);
                     return dispatch_tanzu_subcommand(
                         pair,
                         third_level_args,
@@ -155,13 +154,13 @@ fn dispatch_command(
             } else {
                 // this is a common (OSS and Tanzu) command
                 let pair = (first_level, second_level);
-                let vhost = virtual_host(common_settings, second_level_args);
-                let mut res_handler = ResultHandler::new(common_settings, second_level_args);
+                let vhost = virtual_host(merged_settings, second_level_args);
+                let mut res_handler = ResultHandler::new(merged_settings, second_level_args);
                 return dispatch_common_subcommand(
                     pair,
                     second_level_args,
                     client,
-                    endpoint,
+                    merged_settings.endpoint(),
                     vhost,
                     &mut res_handler,
                 );
@@ -192,12 +191,12 @@ fn build_http_client(
     if should_use_tls(common_settings) {
         let _ = CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider());
 
-        let ca_cert_pem_file = cli.get_one::<PathBuf>("tls-ca-cert-file");
-
-        let maybe_client_cert_pem_file = cli.get_one::<PathBuf>("tls-cert-file");
-        let maybe_client_key_pem_file = cli.get_one::<PathBuf>("tls-key-file");
+        let ca_cert_pem_file = common_settings.ca_certificate_bundle_path.clone();
+        let maybe_client_cert_pem_file = common_settings.client_certificate_file_path.clone();
+        let maybe_client_key_pem_file = common_settings.client_private_key_file_path.clone();
 
         let ca_certs = ca_cert_pem_file
+            .clone()
             .map(|path| load_certs(&path.to_string_lossy()))
             .unwrap()?;
 
@@ -209,15 +208,18 @@ fn build_http_client(
             .tls_info(true)
             .tls_sni(true)
             .min_tls_version(reqwest::tls::Version::TLS_1_2)
+            .tls_built_in_native_certs(true)
             .tls_built_in_root_certs(true)
             .danger_accept_invalid_certs(disable_peer_verification)
             .danger_accept_invalid_hostnames(disable_peer_verification);
 
-        // --tls-ca-cert-file
+        // local certificate store
         let mut store = rustls::RootCertStore::empty();
+
         for c in ca_certs {
             store.add(c).map_err(|err| {
-                let readable_path = maybe_client_cert_pem_file
+                let readable_path = ca_cert_pem_file
+                    .clone()
                     .unwrap()
                     .to_string_lossy()
                     .to_string();
@@ -230,15 +232,16 @@ fn build_http_client(
 
         // --tls-cert-file, --tls-key-file
         if maybe_client_cert_pem_file.is_some() && maybe_client_key_pem_file.is_some() {
-            let client_cert_pem_file = maybe_client_cert_pem_file.unwrap();
-            let client_key_pem_file = maybe_client_key_pem_file.unwrap();
+            let client_cert_pem_file = maybe_client_cert_pem_file.clone().unwrap();
+            let client_key_pem_file = maybe_client_key_pem_file.clone().unwrap();
 
             let client_cert = fs::read(client_cert_pem_file)?;
             let client_key = fs::read(client_key_pem_file)?;
 
             let concatenated = [&client_cert[..], &client_key[..]].concat();
             let client_id = Identity::from_pem(&concatenated).map_err(|err| {
                 let readable_path = maybe_client_key_pem_file
+                    .clone()
                     .unwrap()
                     .to_string_lossy()
                     .to_string();
