Consul Check HTTPS self signed

I use Consul to register a web application. The web app uses the Java Consul client to register with a check. I am able to activate TLS and encryption using a self-signed CA to encrypt exchanges between consul agents and between my webapp and the consul agent. But I am not able to make checks against an HTTPS endpoint whose certificate is signed by a self-signed CA.

My web application is secured and listens only on HTTPS with a self-signed certificate. When I register a session with consul and provide an https://... URL for the check, I am rejected:

com.orbitz.consul.ConsulException: Consul request failed with status [500]: rpc error: rpc error: Check 'service:a4cHealthCheck:172.17.0.3' is in critical state

In consul agent logs, I can see:

2016/07/23 08:24:45 [WARN] agent: http request failed 'https://172.17.0.3:8443/rest/latest/health/check': Get https://172.17.0.3:8443/rest/latest/health/check: x509: certificate signed by unknown authority

It seems that the consul agent doesn't accept self-signed certificates for checks. How can I disable SSL verification only for checks, or provide a truststore for checks?

Xavier DEGENNE asked Jul 23 '16 08:07

2 Answers

You can disable the HTTPS checks with the property tls_skip_verify. It is described in the HTTP section of the Consul checks documentation. If you use a JSON file to configure your agent, here is an example configuration.

{
  "services": [
    {
      "id": "instance-1",
      "name": "ManagementService",
      "address": "localhost",
      "port": 11080,
      "checks": [
        {
          "id": "api",
          "name": "HTTP API",
          "http": "https://localhost:11081/service/monitoring/ping",
          "tls_skip_verify": true,
          "interval": "5s",
          "timeout": "1s"
        }
      ]
    }
  ]
}
Nicolas Henneaux answered Oct 12 '22 23:10

The Golang crypto lib has a set of paths it looks in for trustworthy authorities. This varies by OS, but for Linux systems you can check the following link.

https://golang.org/src/crypto/x509/root_linux.go

So, you can have your issue solved by installing your CA into the system defaults.

For how to install a root certificate, see

https://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu

or for other OSes

http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

Ulky Igor answered Oct 13 '22 00:10

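Added example, not from either answer and not Consul's own tooling: a small Python audit that walks a Consul agent services file like the one in the first answer and reports every HTTPS check that relies on tls_skip_verify, so those checks can be moved to a CA installed in the system trust store as the second answer suggests. The sample config and the loopback-versus-remote severity rule are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample (assumption): the first answer's config plus two extra
# checks, one against a non-loopback address and one over plain HTTP.
SAMPLE_CONFIG = """{
  "services": [{
    "id": "instance-1", "name": "ManagementService",
    "address": "localhost", "port": 11080,
    "checks": [
      {"id": "api", "name": "HTTP API", "interval": "5s", "timeout": "1s",
       "http": "https://localhost:11081/service/monitoring/ping",
       "tls_skip_verify": true},
      {"id": "remote", "name": "Remote API", "interval": "10s",
       "http": "https://172.17.0.3:8443/rest/latest/health/check",
       "tls_skip_verify": true},
      {"id": "plain", "name": "Plain HTTP", "interval": "5s",
       "http": "http://localhost:11080/ping"}
    ]
  }]
}"""


def _as_list(obj, plural, singular):
    # Consul agent config accepts "services"/"checks" or singular "service"/"check".
    if plural in obj:
        return obj[plural]
    return [obj[singular]] if singular in obj else []


def audit_checks(config_text):
    """Return one finding per HTTPS check that sets tls_skip_verify.
    Loopback targets are rated "low" (traffic never leaves the host); any other
    target is "high", because a forged server certificate would go unnoticed.
    """
    findings = []
    for svc in _as_list(json.loads(config_text), "services", "service"):
        for chk in _as_list(svc, "checks", "check"):
            url = urlparse(chk.get("http", ""))
            if url.scheme != "https" or not chk.get("tls_skip_verify"):
                continue  # plain HTTP, or verification left enabled
            findings.append({
                "service": svc.get("name"),
                "check": chk.get("id") or chk.get("name"),
                "host": url.hostname,
                "severity": "low" if url.hostname in LOOPBACK else "high",
            })
    return findings
```

Run it against the agent's own services directory before rolling out a new check; a "high" finding is the case where installing the CA system-wide is the right fix rather than the skip flag.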