Store RabbitMQ cert/key in config dir

Storing rabbit's private key in /etc/ssl/private causes problems since that
directory (and the files within it) can only be accessed by root on Ubuntu
systems. Storing the key within the RabbitMQ configuration directory would
allow the key to be read by the 'rabbitmq' user.

The key can also be set to mode 0600 as well by moving its location and
changing it to be owned by the rabbitmq user.

Closes-bug: 1506992

Change-Id: Iede0748b57a86b33879d759505dd8f80476b574c

playbooks/roles/rabbitmq_server/defaults/main.yml

@@ -53,9 +53,9 @@ rabbitmq_plugins:
     state: enabled
 
 # RabbitMQ SSL support
-rabbitmq_ssl_cert: /etc/ssl/certs/rabbitmq.pem
-rabbitmq_ssl_key: /etc/ssl/private/rabbitmq.key
-rabbitmq_ssl_ca_cert: /etc/ssl/certs/rabbitmq-ca.pem
+rabbitmq_ssl_cert: /etc/rabbitmq/rabbitmq.pem
+rabbitmq_ssl_key: /etc/rabbitmq/rabbitmq.key
+rabbitmq_ssl_ca_cert: /etc/rabbitmq/rabbitmq-ca.pem
 
 # Set rabbitmq_ssl_self_signed_regen to true if you want to generate a new
 # SSL certificate for RabbitMQ when this playbook runs.  You can also change

playbooks/roles/rabbitmq_server/tasks/rabbitmq_ssl_user_provided.yml

@@ -20,12 +20,12 @@
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: "root"
-    group: "root"
+    owner: "rabbitmq"
+    group: "rabbitmq"
     mode: "{{ item.mode }}"
   with_items:
     - { src: "{{ rabbitmq_user_ssl_cert }}", dest: "{{ rabbitmq_ssl_cert }}", mode: "0644" }
-    - { src: "{{ rabbitmq_user_ssl_key }}", dest: "{{ rabbitmq_ssl_key }}", mode: "0640" }
+    - { src: "{{ rabbitmq_user_ssl_key }}", dest: "{{ rabbitmq_ssl_key }}", mode: "0600" }
   when: rabbitmq_user_ssl_cert is defined and rabbitmq_user_ssl_key is defined
   tags:
     - rabbitmq-configs
@@ -37,8 +37,8 @@
   copy:
     src: "{{ rabbitmq_user_ssl_ca_cert }}"
     dest: "{{ rabbitmq_ssl_ca_cert }}"
-    owner: "root"
-    group: "root"
+    owner: "rabbitmq"
+    group: "rabbitmq"
     mode: "0644"
   when: rabbitmq_user_ssl_ca_cert is defined
   tags: