Consul Check HTTPS self signed


Problem description

I use Consul to register a web application. The web app uses the Java Consul client to register with a check. I am able to activate TLS and encryption using a self signed CA to encrypt exchanges between consul agents and between my webapp and consul agent. But I am not able to make checks onto HTTPS with a self signed CA signed certificate.

My web application is secured and listens only on HTTPS with a self signed certificate. When I register a session with consul and provide a https://... URL for check, I am rejected:

com.orbitz.consul.ConsulException: Consul request failed with status [500]: rpc error: rpc error: Check 'service:a4cHealthCheck:172.17.0.3' is in critical state

In consul agent logs, I can see:

2016/07/23 08:24:45 [WARN] agent: http request failed 'https://172.17.0.3:8443/rest/latest/health/check': Get https://172.17.0.3:8443/rest/latest/health/check: x509: certificate signed by unknown authority

It seems that the consul agent doesn't accept self signed certificates for checks. How can I disable SSL verify only for checks or provide a truster for checks?

Recommended answer

You can disable the HTTPS checks with the property tls_skip_verify. It is described in the HTTP section of the Consul checks documentation. If you use a JSON file to configure your agent, here is an example of configuration.

{
  "services": [
    {
      "id": "instance-1",
      "name": "ManagementService",
      "address": "localhost",
      "port": 11080,
      "checks": [
        {
          "id": "api",
          "name": "HTTP API",
          "http": "https://localhost:11081/service/monitoring/ping",
          "tls_skip_verify": true,
          "interval": "5s",
          "timeout": "1s"
        }
      ]
    }
  ]
}
