可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试):

问题:

I use Consul to register a web application. The web app use Java Consul client to register with check. I am able to activate TLS and encryption using a self signed CA to encrypt exchanges between consul agents and between my webapp and consul agent. But I am not able to make checks onto a HTTPS with self signed CA signed certificate.

My web application is secured and listens only on HTTPS with a self signed certificate. When I register a session with consul and provide a https://... URL for check, I am rejected:

com.orbitz.consul.ConsulException: Consul request failed with status [500]: rpc error: rpc error: Check 'service:a4cHealthCheck:172.17.0.3' is in critical state

In consul agent logs, I can see:

2016/07/23 08:24:45 [WARN] agent: http request failed 'https://172.17.0.3:8443/rest/latest/health/check': Get https://172.17.0.3:8443/rest/latest/health/check: x509: certificate signed by unknown authority

It seems that the consul agent don't accept self signed certificates for checks. How can I disable SSL verify only for checks or provide a truster for checks ?

回答1:

You can disabled the HTTPS checks with the property tls_skip_verify. It is described in the section HTTP of the Consul checks documentation. If you use a JSON file to configure your agent, here is an example of configuration.

{
  "services": [
    {
      "id": "instance-1",
      "name": "ManagementService",
      "address": "localhost",
      "port": 11080,
      "checks": [
        {
          "id": "api",
          "name": "HTTP API",
          "http": "https://localhost:11081/service/monitoring/ping",
          "tls_skip_verify": true,
          "interval": "5s",
          "timeout": "1s"
        }
      ]
    }
  ]
}