{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 冷血范 的问题《Consul Check HTTPS self signed》','https://www.manongdao.com/q-1360871.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I use Consul to register a web application. The web app use Java Consul client to register with check. I am able to activate TLS and encryption using a self signed CA to encrypt exchanges between consul agents and between my webapp and consul agent. But I am not able to make checks onto a HTTPS with self signed CA signed certificate.
My web application is secured and listens only on HTTPS with a self signed certificate. When I register a session with consul and provide a https://... URL for check, I am rejected:
com.orbitz.consul.ConsulException: Consul request failed with status [500]: rpc error: rpc error: Check 'service:a4cHealthCheck:172.17.0.3' is in critical state
In consul agent logs, I can see:
2016/07/23 08:24:45 [WARN] agent: http request failed 'https://172.17.0.3:8443/rest/latest/health/check': Get https://172.17.0.3:8443/rest/latest/health/check: x509: certificate signed by unknown authority
It seems that the consul agent don't accept self signed certificates for checks. How can I disable SSL verify only for checks or provide a truster for checks ?
Golang crypto lib have a set paths he looks for trustworthy authorities. This varies by OS, but for Linux systems you can check the following link.
https://golang.org/src/crypto/x509/root_linux.go
So, you can have your issue solved by installing your CA into the system defaults.
For how to install a root certificate, see
https://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
or for others OS
http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
You can disabled the HTTPS checks with the property
tls_skip_verify. It is described in the section HTTP of the Consul checks documentation. If you use a JSON file to configure your agent, here is an example of configuration.