Using consul members with tls verify_incoming

[Gavin Sandie]

Hello,

 

I’d like to switch verify_incoming to true, however when I do this I found that commands such as “consul members” stop working. I cannot see how I am able to configure the cert, key, ca files to use with these commands. The help flags don’t list anything (consul members –help) and I cannot see anything on the documentation site.

 

$ consul --version

Consul v0.8.0

Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

 

$ grep verify_incoming /etc/consul/consul.conf

  "verify_incoming": true,

 

$ export CONSUL_HTTP_ADDR=example-server.example.com:8080

$ export CONSUL_HTTP_SSL=true

 

$ consul members

Error retrieving members: Get https://example-server.example.com:8080/v1/agent/members: remote error: tls: bad certificate

 

As far as I can tell the certificates and keys are ok as I am able to connect with openssl s_client and make queries.

 

$ /usr/bin/openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect example-server:8080 -cert ./example-server.example.com.crt -key ./example-server.example.com.key

 

 

Are there some settings or environment variables I need to use to get commands such as consul members to work while using tls verify_incoming?

 

Cheers, Gavin

 

The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority.

[Miguel Terrón]

Gavin, you can check https://github.com/mterron/consul for a fully encrypted consul example. In the repo you'll find server and client certs and config file. There's also a Dockerfile.

Cheers

[James Phillips]

Hi Gavin,

Support for client certs was missing, so these commands won't work
with verify_incoming turned on now that the old RPC interface is
deprecated. A PR went in today to add this, so support will roll out
in the next release (hopefully next Monday).

https://github.com/hashicorp/consul/pull/2914

-- James

> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/consul/issues
> IRC: #consul on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Consul" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to consul-tool...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/consul-tool/331A4E8A-42E9-4FF1-A74E-535A38D7FE7A%40ig.com.
> For more options, visit https://groups.google.com/d/optout.

[Gavin Sandie]

Hi James,

Sorry for the delayed reply. That’s great, thanks. I’ll update to 0.8.1 and give it a test.

Cheers, Gavin

To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/CAGoWc04%2BXazURC4DsU8NUFWg3faA4oHKC%2BPYsnjaAac4AM0Pjg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.