领事检查HTTPS自签名 [英] Consul Check HTTPS self signed
问题描述
我使用Consul注册Web应用程序。该Web应用程序使用Java Consul客户端进行支票注册。我能够使用自签名CA激活TLS和加密,以加密领事代理之间以及Webapp和领事代理之间的交换。但是我无法使用带有自签名CA签名证书的HTTPS进行检查。
I use Consul to register a web application. The web app use Java Consul client to register with check. I am able to activate TLS and encryption using a self signed CA to encrypt exchanges between consul agents and between my webapp and consul agent. But I am not able to make checks onto a HTTPS with self signed CA signed certificate.
我的Web应用程序是安全的,只能在带有自签名证书的HTTPS上侦听。当我向领事注册会话并提供https:// ... URL进行检查时,我被拒绝了:
My web application is secured and listens only on HTTPS with a self signed certificate. When I register a session with consul and provide a https://... URL for check, I am rejected:
com.orbitz.consul.ConsulException:领事请求失败,状态为[500]:rpc错误:rpc错误:检查'service:a4cHealthCheck:172.17.0.3'处于紧急状态
com.orbitz.consul.ConsulException: Consul request failed with status [500]: rpc error: rpc error: Check 'service:a4cHealthCheck:172.17.0.3' is in critical state
在领事代理日志中,我可以看到:
In consul agent logs, I can see:
2016/07/23 08:24:45 [WARN] agent: http request failed 'https://172.17.0.3:8443/rest/latest/health/check': Get https://172.17.0.3:8443/rest/latest/health/check: x509: certificate signed by unknown authority
似乎领事代理人不接受自行签署的支票证书。如何仅对支票禁用SSL验证或为支票提供信任??
It seems that the consul agent don't accept self signed certificates for checks. How can I disable SSL verify only for checks or provide a truster for checks ?
推荐答案
您可以使用该属性禁用HTTPS检查 tls_skip_verify
。 领事检查文档的HTTP部分对此进行了描述。
如果您使用JSON文件配置代理,下面是配置示例。
You can disabled the HTTPS checks with the property tls_skip_verify
. It is described in the section HTTP of the Consul checks documentation.
If you use a JSON file to configure your agent, here is an example of configuration.
{
"services": [
{
"id": "instance-1",
"name": "ManagementService",
"address": "localhost",
"port": 11080,
"checks": [
{
"id": "api",
"name": "HTTP API",
"http": "https://localhost:11081/service/monitoring/ping",
"tls_skip_verify": true,
"interval": "5s",
"timeout": "1s"
}
]
}
]
}
这篇关于领事检查HTTPS自签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!