Adding ability to skip cert verification on HTTPS checks #1897
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds support for a new environment variable `CONSUL_CHECK_HTTP_SSL_SKIP_VERIFY`, which will cause TLS cert verification to be skipped when performing HTTPS service checks. Right now, if I try to do an HTTP check against an `https://<private_ip>` URL, the check will fail with something like: ``` ... x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs ``` Sometimes it's not possible to use the FQDN that the cert is valid for, because it may be (for example) fronted by a load-balancer, whereas we want to check the particular instance of a service. Signed-off-by: Dave Henderson <dhenderson@gmail.com>
|
Hi @hairyhenderson thanks for the PR! Instead of an environment variable that applies to all checks it seems like this would be better as a new Boolean field in https://github.com/hashicorp/consul/blob/master/command/agent/check.go#L43 so it could be configured per-check. If the sense of the field is "skip" then it will default to |
|
Thanks for the feedback, @slackpad - that's a good idea. I'll incorporate that :) |
|
Thanks @hairyhenderson, appreciate the contribution! I'm going to close this in favor of #1984. I agree with @slackpad that this fits better as a parameter of the check definition. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for a new environment variable
CONSUL_CHECK_HTTP_SSL_SKIP_VERIFY, which will cause TLS certverification to be skipped when performing HTTPS service checks.
Right now, if I try to do an HTTP check against an
https://<private_ip>URL, the check will fail with something like:Sometimes it's not possible to use the FQDN that the cert is valid for,
because it may be (for example) fronted by a load-balancer, whereas we
want to check the particular instance of a service.
Signed-off-by: Dave Henderson dhenderson@gmail.com