consul https ui


Grant Ridder

Apr 1, 2016, 1:21:25 AM
to consu...@googlegroups.com
Hi,

I am trying to get the Consul UI set up with HTTPS. I added the cert and key with "cert_file" and "key_file", then the cert chain with "ca_file". Then I restarted the consul server process. The HTTPS port is serving up the cert_file but no chain, so the validation fails.

Sanitized output below

$ echo quit | openssl s_client -connect localhost:8501 | openssl x509 -text
depth=0 OU = Domain Control Validated, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
140612180817824:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
140612180817824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
<snip>
$

-Grant

Grant Ridder

Apr 4, 2016, 5:54:00 PM
to Consul
Anyone have any thoughts?  Still trying to work through this

-Grant

David Adams

Apr 4, 2016, 6:04:36 PM
to consu...@googlegroups.com
I proxy the UI via nginx on localhost, and so I don't use Consul's own TLS config. Based on the docs, I don't see an intermediate cert chain setting. The `ca_file` setting is for Consul to validate client certs and connections to other Consul agents, and so its contents wouldn't be served up to remote connections, or likely even used in establishing a non-authenticated TLS server connection. I suspect serving the UI in TLS was not the use case envisioned for those settings. That said, I can't imagine the https lib they are using doesn't allow this setting. If you need it to work right away, I'd recommend proxying with nginx or apache. If you are up to some Go coding, this ought to be a relatively simple pull request.

-dave



Grant Ridder

Apr 5, 2016, 2:57:08 PM
to consu...@googlegroups.com
Dave,

Thanks for the suggestion! I will look into that.

-Grant

David Adams

Apr 5, 2016, 4:28:16 PM
to consu...@googlegroups.com
Here's a partial Apache config for such a proxy (I misspoke when I said we use nginx... for Consul UI we used Apache because of some auth config piece we needed):

<VirtualHost *:443>
  ServerName consul.example.com

  SSLEngine On
  SSLCertificateFile /etc/ssl/certs/consul.example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/consul.example.com.key
  SSLCertificateChainFile /etc/ssl/certs/consul.example.com.chain

  RewriteEngine On
  RewriteRule "^/(.*)$" "http://localhost:8500/$1" [P,QSA,L]
  ProxyPassReverse / http://localhost:8500/

  <Location />
    # auth configuration here
  </Location>
</VirtualHost>

There are lots of variations you can do depending on your needs, obviously.

-dave


James Phillips

Apr 25, 2016, 1:10:08 AM
to consu...@googlegroups.com
Hi Grant,

Those configs should have been applied to the HTTPS server and allowed it to work. If you can open a GitHub issue with any details, we will try to chase it down.

Thanks!

-- James

Grant Ridder

Apr 25, 2016, 5:51:50 PM
to consu...@googlegroups.com