
info required - Apply ACL on https consul #517

Closed
wilfriedroset opened this issue Jan 14, 2020 · 2 comments

@wilfriedroset (Contributor)
Hello

I've successfully managed to set up and configure a consul cluster.
I'm now trying to implement ACL management using puppet.
When I try to do anything related to them I end up with the following message:

consul1 ~ # puppet agent -vt --environment setup_consul  --noop
Warning: Setting 'pluginsync' is deprecated.
   (location: /usr/lib/ruby/vendor_ruby/puppet/defaults.rb:1879:in `block in <module:Puppet>')
Info: Using configured environment 'setup_consul'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Applying configuration version '1578996743'
Warning: Cannot retrieve ACL token list: Got negative API response (Code: 400, Response: Client sent an HTTP request to an HTTPS server.
)
Notice: /Stage[main]/Consul/Consul_policy[dns-request-policy]/ensure: current_value 'absent', should be 'present' (noop)
Notice: Class[Consul]: Would have triggered 'refresh' from 1 event
Notice: Stage[main]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 8.67 seconds

All of my servers are running with only the https open on 8501 port and self-signed certificates (debian's snake-oil).
I got the same error message when I issue an http request to an https server:

consul1 ~ # curl -k http://[redacted]:8501/v1/kv
Client sent an HTTP request to an HTTPS server.

Here is my hieradata (some parts are redacted)

consul::bin_dir: /usr/bin/
consul::config_dir: /etc/consul.d
consul::pretty_config: true
consul::install_method: package
consul::package_ensure: present
consul::service_enable: true
consul::service_ensure: running
consul::extra_groups:
  - ssl-cert
consul::acl_api_hostname: "%{scope('::ipaddress_eth0')}"
consul::acl_api_protocol: https
consul::acl_api_port: 8501
consul::config_hash:
  encrypt: >
    [redacted]
  bootstrap_expect: 3
  log_level: DEBUG
  bind_addr: "%{scope('::ipaddress_eth0')}"
  client_addr: "0.0.0.0"
  datacenter: "%{scope('::zone')}"
  node_name: "%{scope('::hostname')}"
  disable_update_check: true
  disable_anonymous_signature: true
  server: true
  ui: true
  retry_join:
    - [redacted]
    - [redacted]
    - [redacted]
  ports:
    http: -1  # We dont want to expose plain http
    serf_wan: -1  # We don't want wan federation
    https: 8501
  # No need to generate self-signed certificate we can use snakeoil
  key_file: /etc/ssl/private/ssl-cert-snakeoil.key
  cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
  tls_cipher_suites: [redacted]
  acl:
    enabled: true
    default_policy: deny
    enable_token_persistence: true

consul::policies:
  dns-request-policy:
    description: "dns-requests, generated by puppet"
    rules:
      - resource: node_prefix
        segment: ""
        disposition: read
      - resource: service_prefix
        segment: ""
        disposition: read

I've managed to write a reproducer (pardon my ruby :D)

require 'net/http'
require 'uri'
require 'openssl'   # needed for OpenSSL::SSL::VERIFY_NONE

insecure = false

@global_uri = URI("https://[redacted]:8501")

@http_client = Net::HTTP.new(@global_uri.host, @global_uri.port)

# Make https requests: enable TLS whenever the scheme is https
if @global_uri.scheme == 'https'
    @http_client.use_ssl = true
end

# Don't verify the ssl certificate (self-signed server cert)
if insecure
    @http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

path = "v1/agent/members"

# request_uri is "/" here, so this yields "/v1/agent/members"
path = @global_uri.request_uri + path
request = Net::HTTP::Get.new(path)
response = @http_client.request(request)
response_code = response.code
puts response_code
puts response.body

As you can see, I've set use_ssl to true when the scheme is https and
added a flag to disable SSL verification.

While reading your documentation I saw that you recommend the use of a reverse
proxy for more security. I didn't find the same recommendation within the
official documentation and I would prefer not to have to set up a reverse proxy
where consul is capable of working properly on its own.

As expected, I do not witness the same problem when consul listens for http requests.

Am I missing something which would allow me to manage the ACL using the module
through the API with self-signed SSL?

OS: Debian 10.2
consul: 1.6.2
puppet: 5.5.10
puppet-consul: 6.0.1

Thx
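The client configuration the issue describes (protocol, host and port taken from the acl_api_* hieradata keys, TLS enabled when the protocol is https, a self-signed server certificate), worked through as an added Ruby example. This is not code from the puppet-consul module or from the issue author; the function names, keyword parameters and the placeholder host are assumptions. Unlike the reproducer's insecure flag, it keeps certificate verification on by pointing ca_file at the self-signed certificate (or its issuing CA), and it recognises the HTTP 400 body that the log above shows when a plain-HTTP request reaches the HTTPS listener.

```ruby
require 'net/http'
require 'uri'
require 'openssl'

# Added example (not the puppet-consul module's own code). Builds a Net::HTTP
# client from the same three settings the issue's hieradata carries
# (acl_api_protocol, acl_api_hostname, acl_api_port). The protocol decides
# whether TLS is switched on; a CA bundle keeps peer verification enabled for
# a self-signed certificate instead of disabling it with VERIFY_NONE.
def build_consul_client(protocol:, host:, port:, ca_file: nil, insecure: false)
  uri = URI("#{protocol}://#{host}:#{port}")
  client = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    client.use_ssl = true
    if insecure
      # Lab use only: disables peer verification entirely.
      client.verify_mode = OpenSSL::SSL::VERIFY_NONE
    else
      client.verify_mode = OpenSSL::SSL::VERIFY_PEER
      # For a self-signed server certificate, trust that certificate (or the
      # CA that issued it) explicitly. The certificate must also name the host
      # you connect to, or hostname verification still fails.
      client.ca_file = ca_file if ca_file
    end
  end
  client
end

# True when a plain-HTTP request hit Consul's HTTPS listener, which is the
# symptom in the issue: HTTP 400 with this exact body.
def https_listener_hit_by_http?(response_code, body)
  response_code.to_i == 400 &&
    body.to_s.include?('Client sent an HTTP request to an HTTPS server')
end

# One GET against the agent API; returns [status code, body].
def consul_get(client, path)
  response = client.request(Net::HTTP::Get.new(path))
  [response.code, response.body]
end

# Runs only when CONSUL_HOST is set, so loading the file makes no network call.
if ENV['CONSUL_HOST']
  client = build_consul_client(protocol: ENV.fetch('CONSUL_PROTOCOL', 'https'),
                               host: ENV['CONSUL_HOST'],
                               port: ENV.fetch('CONSUL_PORT', '8501').to_i,
                               ca_file: ENV['CONSUL_CA_FILE'])
  code, body = consul_get(client, '/v1/agent/members')
  puts code
  puts(https_listener_hit_by_http?(code, body) ? 'plain HTTP sent to the HTTPS listener: enable TLS in the client' : body)
end
```

With the issue's setup this would be invoked as CONSUL_HOST=<server> CONSUL_CA_FILE=/etc/ssl/certs/ssl-cert-snakeoil.pem ruby example.rb; the check in https_listener_hit_by_http? is what a provider could use to turn the opaque 400 into a clear "use https" message instead of the warning the puppet run prints.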

@lukebigum

I've run into the same problem. The providers don't enable HTTPS support, even though the Puppet types take a protocol option.

I'm working on a patch for it in lukebigum/puppet-consul.

Give me a few days.

@lukebigum

@wilfriedroset try the latest pushed to lukebigum/puppet-consul. I haven't got all the specs passing yet, but it appears to speak to my own Consul lab over HTTPS now though.
