Nomad: Nomad client doesn't register consul healthchecks when configured with TLS

Created on 28 Dec 2016 · 6 Comments · Source: hashicorp/nomad

Nomad version

0.5.2

Operating system and Environment details

Ubuntu 14.04, 16.04

Issue

When using Nomad without TLS configured, the following healthchecks are registered with Consul:
Server: http, rpc, serf
Client: http

When using TLS (http and rpc), the http healthcheck isn't registered, which causes the nomad-client service to not be registered at all.
Server: rpc, serf
Client: /

tls {
  http = true
  rpc = true
  ca_file = "..."
  cert_file = "..."
  key_file = "..."
}

consul {
  address = "127.0.0.1:8500"
  auto_advertise = true
  checks_use_advertise = false
  server_auto_join = true
  client_auto_join = true
  server_service_name = "nomad-server"
  client_service_name = "nomad-client"
  ca_file = "..."
  cert_file = "..."
  key_file = "..."
}

All 6 comments

Did you try passing ssl = true to the consul stanza so that it actually tries to use SSL when reaching out to Consul?

I don't think this is related since I don't have TLS configured for consul which is related to another issue (#2002).

Oh, I see. I checked my clusters and I don't seem to be running into this issue, I guess because I allow the local consul agent to be accessed over HTTP on 127.0.0.1, but it still uses TLS for remote RPC and symmetric encryption for Serf.

@c4milo This is exactly what I currently have until this issue is resolved.

Hey @jzvelc, we disabled it since earlier versions of Consul did not support TLSSkipVerify which is problematic. Now that 0.7.2 is out we can tackle this.

In Nomad 0.6 the nomad-client service will be registered regardless of whether the check is or not.

The check is registered if tls.verify_https_clients = false in Nomad and Consul version >= 0.7.2. Since Consul doesn't currently support per-check client certificates we can't enable checks when using verify_https_clients.
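
A check for the symptom discussed in this thread, as an added example (not code from the issue or from Nomad): it takes the JSON returned by the local Consul agent's /v1/agent/services and /v1/agent/checks endpoints and reports expected Nomad services that are missing or have no health check attached. The service names come from the consul stanza above; the sample payloads, IDs and check names are constructed.

```python
import json

# Service names from the consul stanza shown on this page.
EXPECTED = ("nomad-server", "nomad-client")

def audit(services_json, checks_json, expected=EXPECTED):
    """Report expected services that are unregistered or have no check."""
    services = json.loads(services_json)   # body of GET /v1/agent/services
    checks = json.loads(checks_json)       # body of GET /v1/agent/checks
    checks_by_service = {}
    for check in checks.values():
        sid = check.get("ServiceID", "")
        checks_by_service.setdefault(sid, []).append(check.get("Name", ""))
    registered = {name: False for name in expected}
    findings = []
    for sid, svc in sorted(services.items()):
        name = svc.get("Service")
        if name not in registered:
            continue
        registered[name] = True
        if not checks_by_service.get(sid):
            findings.append(f"{name}: instance {sid} has no health check")
    for name, seen in registered.items():
        if not seen:
            findings.append(f"{name}: service not registered in Consul")
    return findings

# Constructed payloads (IDs and check names are made up).
# Case 1: TLS enabled as in the issue, server checks present, client absent.
TLS_SERVICES = json.dumps({
    "srv-rpc": {"ID": "srv-rpc", "Service": "nomad-server", "Tags": ["rpc"]},
    "srv-serf": {"ID": "srv-serf", "Service": "nomad-server", "Tags": ["serf"]},
})
SERVER_CHECKS = json.dumps({
    "chk-rpc": {"CheckID": "chk-rpc", "Name": "constructed rpc check",
                "Status": "passing", "ServiceID": "srv-rpc"},
    "chk-serf": {"CheckID": "chk-serf", "Name": "constructed serf check",
                 "Status": "passing", "ServiceID": "srv-serf"},
})
# Case 2: client service registered but without its check (the 0.6 behaviour).
NOCHECK_SERVICES = json.dumps({
    **json.loads(TLS_SERVICES),
    "cli-http": {"ID": "cli-http", "Service": "nomad-client", "Tags": ["http"]},
})

if __name__ == "__main__":
    for label, svc in (("tls", TLS_SERVICES), ("no-check", NOCHECK_SERVICES)):
        print(label, audit(svc, SERVER_CHECKS))
```
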
