spring health check with 2-way ssl is not working with consul


Viral Patel

Sep 15, 2017, 4:57:25 PM9/15/17
to Consul
Hello,

A Spring Boot application using ConsulDiscovery is used to register with Consul.
The "http" and one-way SSL communication are working, but "https" is failing with 2-way SSL.
Is there an option to pass a client key to the Consul agent, which makes the health check request?

I should be able to provide a sample application to test the scenario, if required.

Here are the details about Consul and the application:

consul config.json
{
  "datacenter": "dev",
  "bootstrap_expect": 1,
  "data_dir": "data",
  "log_level": "trace",
  "server": true,
  "ui": true,
  "bind_addr": "192.168.68.103",
  "client_addr": "192.168.68.103",
  "ports": {
    "http": 8500
  }
}

Run consul process
$ consul agent -config-file config.json

spring boot <<application.properties>>
spring.application.name=service1

server.port=9696
server.ssl.key-store=file:/root/consul_test/cert/keystore.jks
server.ssl.key-store-password=ENC(xRPoQS3514yKsZn9Jg3ZDQ==)
server.ssl.trust-store=file:/root/consul_test/cert/truststore.jks
server.ssl.trust-store-password=ENC(xRPoQS3514yKsZn9Jg3ZDQ==)
server.ssl.key-password=ENC(xRPoQS3514yKsZn9Jg3ZDQ==)
server.ssl.enabled=true
security.user.name=ENC(im+78sdhk5zfbBafr1Xx6g==)
security.user.password=ENC(im+78sdhk5zfbBafr1Xx6g==)
server.ssl.client-auth=need
security.basic.enabled=false

spring.cloud.consul.discovery.hostname=192.168.68.103
spring.cloud.consul.discovery.scheme=https
spring.cloud.consul.host=192.168.68.103
spring.cloud.consul.port=8500

Ran the commands below to add ca.cert on CentOS 6
[root@c6803 ~]# update-ca-trust force-enable
[root@c6803 ~]# cp /vagrant/cert/ca.cert /etc/pki/ca-trust/source/anchors/
[root@c6803 ~]# update-ca-trust extract

<<application.log>>
Registering service with consul: NewService{id='service1-9696', name='service1', tags=[], address='192.168.68.103', port=9696, enableTagOverride=null, check=Check{script='null', interval=10s, ttl=null, http=https://192.168.68.103:9696/health, tcp=null, timeout=null, deregisterCriticalServiceAfter=null, tlsSkipVerify=null}, checks=null}

<<consul-client.log>>
agent: http request failed 'https://192.168.68.103:9696/health': Get https://192.168.68.103:9696/health: remote error: tls: bad certificate


Thanks.

James Phillips

Dec 18, 2017, 9:00:59 PM12/18/17
to consu...@googlegroups.com
Sorry, just closing out old threads - this was added in Consul 1.0.1 -
https://www.consul.io/docs/agent/options.html#enable_agent_tls_for_checks.
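An added example, not from the thread or from HashiCorp, of the agent-side configuration the answer points to: the config.json from the question extended with enable_agent_tls_for_checks, so the agent presents its own cert_file/key_file as the client certificate when it calls the https health endpoint instead of connecting without one (which is what produces "remote error: tls: bad certificate" against server.ssl.client-auth=need). The consul-agent.crt and consul-agent.key paths are assumed placeholders; ca_file reuses the ca.cert path from the question and is assumed to be the CA that issued the application's keystore certificate.

```json
{
  "datacenter": "dev",
  "bootstrap_expect": 1,
  "data_dir": "data",
  "log_level": "trace",
  "server": true,
  "ui": true,
  "bind_addr": "192.168.68.103",
  "client_addr": "192.168.68.103",
  "ports": {
    "http": 8500
  },
  "ca_file": "/vagrant/cert/ca.cert",
  "cert_file": "/root/consul_test/cert/consul-agent.crt",
  "key_file": "/root/consul_test/cert/consul-agent.key",
  "enable_agent_tls_for_checks": true
}
```

The agent's certificate is what the Spring application sees as the client certificate, so the CA that issued it must be present in truststore.jks or client-auth=need will still reject the check; JSON has no comment syntax, so the assumed paths are called out here rather than inline.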