myENA / consul-backinator

Command line Consul backup and restore utility supporting KVs, ACLs and Queries


TLS Verification with consul-backinator

patcable opened this issue · comments

Hi there,

I'm running into a TLS verification error using consul-backinator. When I run the following (with and without -tls-skip-verify):

# consul-backinator backup -addr=consul.dev.blahblah:8550 -scheme https -key=vault -ca-cert=/etc/consul/tls/ca.pem
2016/12/05 16:26:29 [Error] Failed to backup key data: Get https://consul.dev.blahblah:8550/v1/kv/?consistent=&recurse=: remote error: tls: bad certificate

What's interesting is that when I run:

# openssl verify -CAfile /etc/consul/tls/ca.pem /etc/consul/tls/cert.pem
/etc/consul/tls/cert.pem: OK

Additionally, when I run openssl s_client I do get "Verify return code: 0 (ok)." I feel like the -ca-path variable is being ignored, because if I leave the -CAfile option off openssl, I do get verification errors. Is there some way to get more verbose output out of consul-backinator?

@patcable Could you verify your certificates for me and make sure they are set for both serverAuth and clientAuth ... I'm not able to reproduce this locally.

Using latest release version ...

charlie:temp ahurt$ consul-backinator -v
1.4

Skipping verification with no cert passed ...

charlie:temp ahurt$ consul-backinator backup -addr=test.dc1.consul:8080 -scheme=https -tls-skip-verify
2016/12/05 21:14:05 [Success] Backed up 521 keys from test.dc1.consul:8080/ to consul.bak
Keep your backup and signature files in a safe place.
You will need both to restore your data.

Passing a cert without skipping verification ...

charlie:temp ahurt$ consul-backinator backup -addr=test.dc1.consul:8080 -scheme=https -ca-cert=/opt/consul/ssl/demo-root.cer
2016/12/05 21:14:26 [Success] Backed up 521 keys from test.dc1.consul:8080/ to consul.bak
Keep your backup and signature files in a safe place.
You will need both to restore your data.

No skip and no cert ...

charlie:temp ahurt$ consul-backinator backup -addr=test.dc1.consul:8080 -scheme=https
2016/12/05 21:14:32 [Error] Failed to backup key data: Get https://test.dc1.consul:8080/v1/kv/?consistent=&recurse=: x509: certificate signed by unknown authority

I used the following guide referenced from the Consul docs to test the setup ...

http://russellsimpkins.blogspot.com/2015/10/consul-adding-tls-using-self-signed.html
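The maintainer's serverAuth/clientAuth question is the right one to ask. A Go client that reports "remote error: tls: bad certificate" is relaying an alert sent by the Consul server, which is what happens when the server has verify_incoming enabled and the client either presents no certificate at all or presents one the server cannot validate for clientAuth; a CA-trust problem on the client side shows up as the local "x509: certificate signed by unknown authority" error from the last transcript above instead. The program below is an added example (editor's code, not part of this issue or of consul-backinator) that reproduces all three outcomes in-process with Go's crypto/tls: an in-memory CA, a server certificate with serverAuth, a client certificate with clientAuth, and a client certificate carrying only serverAuth, each run against an httptest server that requires and verifies client certificates. The CA, names, key type and the KV payload are constructed for the demo; the server is pinned to TLS 1.2 because that is what a 2016 client negotiated and because a TLS 1.3 server answers a missing client certificate with certificate_required rather than bad_certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var serial int64

// issue mints an in-memory ECDSA certificate with the given extended key usages,
// signed by parent (self-signed when parent is nil). Returns the tls form for
// presenting it, the parsed x509 form for inspecting it, and the key for signing.
func issue(cn string, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		IsCA: isCA, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// HasEKU is the programmatic form of the maintainer's check: does the parsed
// certificate carry the given extended key usage (serverAuth or clientAuth)?
func HasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, u := range cert.ExtKeyUsage {
		if u == want {
			return true
		}
	}
	return false
}

// get performs one GET the way a Consul API client does: pool plays the role of
// -ca-cert, and client (may be nil) is the certificate presented to the server.
func get(url string, pool *x509.CertPool, client *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Result records what each client variant observed, plus the EKU checks.
type Result struct {
	NoCertErr, WrongEKUErr, GoodErr, GoodBody string
	GoodHasClientAuth, WrongHasClientAuth     bool
}

// Demo runs the three client variants against a server in verify_incoming mode.
func Demo() Result {
	_, ca, caKey := issue("demo-root", nil, true, nil, nil)
	srv, _, _ := issue("consul-server", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	good, goodX, _ := issue("backinator", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, false, ca, caKey)
	wrong, wrongX, _ := issue("backinator", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[{"Key":"vault/config","Value":"e30="}]`) // constructed sample KV payload
	}))
	ts.TLS = &tls.Config{
		Certificates: []tls.Certificate{srv},
		ClientAuth:   tls.RequireAndVerifyClientCert, // Consul's verify_incoming = true
		ClientCAs:    pool,
		MaxVersion:   tls.VersionTLS12, // 1.2 sends bad_certificate; 1.3 sends certificate_required
	}
	ts.StartTLS()
	defer ts.Close()
	url := ts.URL + "/v1/kv/?consistent=&recurse="

	r := Result{GoodHasClientAuth: HasEKU(goodX, x509.ExtKeyUsageClientAuth), WrongHasClientAuth: HasEKU(wrongX, x509.ExtKeyUsageClientAuth)}
	if _, err := get(url, pool, nil); err != nil {
		r.NoCertErr = err.Error() // no client cert presented
	}
	if _, err := get(url, pool, &wrong); err != nil {
		r.WrongEKUErr = err.Error() // cert chains to the CA but lacks clientAuth
	}
	body, err := get(url, pool, &good)
	r.GoodBody = body
	if err != nil {
		r.GoodErr = err.Error()
	}
	return r
}

func main() {
	r := Demo()
	fmt.Println("no client cert:      ", r.NoCertErr)
	fmt.Println("clientAuth missing:  ", r.WrongEKUErr)
	fmt.Println("clientAuth present:  ", r.GoodErr, r.GoodBody)
}
```

The first two lines printed carry the same "remote error: tls: bad certificate" text as the report, and only the certificate that chains to the CA and carries clientAuth gets the KV payload back. On the command line the equivalent of HasEKU is openssl x509 -in cert.pem -noout -text, reading the X509v3 Extended Key Usage line. This thread does not show which consul-backinator flags supply a client certificate and key, so none are assumed here.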

Closing due to inactivity and inability to reproduce the reported issue. Please re-open if you're still experiencing issues with this feature.