Verification options for TLS #2587
Conversation
I find it completely impossible to understand the output of the test suite for this failure. Can someone help me?
Hi @schmichael if you find some time can you help me understand why the test suite is failing for me, and what I might have got wrong?
@weargoggles Thanks for the PR! You made my week easier. :) The only failure I see is The spirit of your PR is perfect and should work as intended, but we'd actually like to simplify the configuration a little bit: Instead of exposing That parameter should default to When Sorry for changing the goal on you and thanks again for the PR!
@schmichael I've got a sort of secondary issue, which is that I have trouble health-checking nomad's HTTP API when HTTPS is enabled. My load balancer can't have a client certificate. So is there room for an optional HTTPS port, like Consul?
There should be just one option, verify_https_client, which controls incoming and outgoing validation for the HTTPS wrapper
Thanks! One slight change.
command/agent/http.go
VerifyIncoming: false, | ||
VerifyOutgoing: true, | ||
VerifyIncoming: config.TLSConfig.VerifyHTTPSClient, | ||
VerifyOutgoing: config.TLSConfig.VerifyHTTPSClient, |
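Review bot: VerifyOutgoing should not be driven by the new option. Replacing the hard-coded `VerifyOutgoing: true` with `config.TLSConfig.VerifyHTTPSClient` means that an operator who leaves verify_https_client unset also switches off server-certificate verification on the agent's outgoing HTTPS connections, which is a different security property from client-certificate checking and not what the single option is described as controlling. Keep `VerifyOutgoing: true` and wire only `VerifyIncoming` to `config.TLSConfig.VerifyHTTPSClient`.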
This should still be hard-coded as true. If TLSConfig.EnableHTTP is set we don't want to even allow skipping server certificate verification.
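The rule the review settles on, as an added example written against Go's crypto/tls (this is not code from this PR or from Nomad): one verify_https_client option decides whether the HTTPS listener demands a client certificate, while outgoing server-certificate verification is never made configurable, so a dialer without a certificate (the load balancer case above) is rejected only when the option is set. The function names, the self-signed test certificate and the loopback listener are assumptions constructed for this illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned: throwaway cert for 127.0.0.1 (constructed) acting as trust anchor, server and client cert.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}
// wrapperConfigs maps the single verify_https_client option: the listener requires a client cert only
// when it is set; the dialer always verifies the server (InsecureSkipVerify never set: VerifyOutgoing true).
func wrapperConfigs(cert tls.Certificate, pool *x509.CertPool, verifyHTTPSClient bool) (srv, cli *tls.Config) {
	srv = &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	if verifyHTTPSClient {
		srv.ClientAuth = tls.RequireAndVerifyClientCert
	}
	cli = &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	return srv, cli
}
// connects serves one connection with srv and dials it with cli; true means the client read data after a
// handshake the server accepted (a TLS 1.3 client sees a rejected client cert on Read, not on Dial).
func connects(srv, cli *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { return false }
	defer ln.Close()
	go func() { // server side: Write runs the handshake and sends nothing if it fails
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	tc, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", ln.Addr().String(), cli)
	if err != nil { return false }
	defer tc.Close()
	tc.SetReadDeadline(time.Now().Add(3 * time.Second))
	_, err = tc.Read(make([]byte, 2))
	return err == nil
}
```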
Unfortunately, I think we're going to wait until we rework our networking code (binding, advertisement, IP pools, etc) to support HTTP and HTTPS. Allowing both obviously negates the benefits of your change without external firewalling. Any chance your health checks could be switched to be simple TCP connect tests? How are you planning on using a load balancer without client certificate support with Nomad? Was it just going to be for health checks / alerting? You did remind me Consul's Nomad HTTP health checks will have this same issue, so we need to switch them to a I can make that change after merging this PR if you're not a Consul user.
@schmichael I'll explain a bit more clearly. My load balancer (AWS ELB) can run its health check with a different port and protocol to the one it uses as the backend. So:
I want to be able to do the same thing in Nomad; forward TCP connections (leaving TLS to Nomad) based on the health determined by a plain HTTP check. I am using Consul to bootstrap and advertise. The configuration in the Consul health check you mention works perfectly for me, and it would work even if the 'skip verification' option was not set, because the certificates I'm using are valid. Perhaps that should be configurable; but I don't know that it can be controlled by Edit: I'll keep looking through the issue list for this, and open one if I can't find it - I don't think it's on topic for this PR.
@schmichael Do you consider your feedback addressed? My test failure doesn't look related to this change.
Merged. Thanks @weargoggles! Created #2606 to track the other feature.
This deserves its own issue but I'll mention it here in the interim.. I had Consul configured with a self-signed cert and Nomad was able to register services, but health checks would fail due to SSL verification. The I'll try to make a separate issue about this later.
@shilov Consul supports
Fixed in master!
Kudos! 👍
verify_https_client support added in #2587
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This is my attempt at #2573
I don't know where to put the defaults?