Overview of the Issue
After upgrading from 1.7.2 to 1.7.4 we had a loss of communication between our Consul clients and servers. We noticed the following log lines:
Consul servers: [WARN] agent.server.rpc: Non-TLS connection attempted with VerifyIncoming set...
Consul clients: [ERROR] agent.dns: rpc error: error="rpc error getting client: failed to get conn: rpc error: lead thread didn't get connection"
Consul clients: [ERROR] agent.http: Request error: method=GET url=/v1/agent/checks from=127.0.0.1:44118 error="ACL not found"
RPC communication between our clients and servers must be over TLS and our servers are configured with verify_incoming_rpc = true. After some investigation I noticed that our clients did not have the configuration setting verify_outgoing = true. After applying this setting everything seemed fine. Do note that in previous releases the missing client setting didn't seem to be an issue.
I looked a bit into the Consul code and noticed the following commit 2f7d097 (for release 1.7.3) and specifically these lines seem interesting (consul/tlsutil/config.go, lines 549 to 552 in 8b4a3d9):
// if CAs are provided or VerifyOutgoing is set, use TLS
if c.base.VerifyOutgoing {
    return false
}
I think the comment does not match the code anymore. Before this change the code was:
// if CAs are provided or VerifyOutgoing is set, use TLS
if c.caPool != nil || c.base.VerifyOutgoing {
    return false
}
Now my theory is that our configuration worked with releases before 1.7.3 because of the caPool check, and we do provide the CAs for the client. I do find it hard to understand why this commit has been done, so perhaps I'm mistaken...
But if I'm not: shouldn't there be a code check or remark in the migration guide stating that client configurations before 1.7.3 that do provide the CAs but do not have the verify_outgoing setting set to true will now fail? Or perhaps I missed it.
Reproduction Steps
Steps to reproduce this issue, eg:
Upgrade from 1.7.2 to 1.7.3 (or 1.7.4)
Have a client configuration which requires TLS communication and has the following settings:
Consul info for both Client and Server
Client info
Server info
Operating system and Environment details
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Kernel: Linux 4.15.0-91-generic
Architecture: x86-64
Log Fragments
[WARN] agent.server.rpc: Non-TLS connection attempted with VerifyIncoming set...
[ERROR] agent.dns: rpc error: error="rpc error getting client: failed to get conn: rpc error: lead thread didn't get connection"
[ERROR] agent.http: Request error: method=GET url=/v1/agent/checks from=127.0.0.1:44118 error="ACL not found"
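As an added example, not code from the issue or from the Consul project, the following Go program is the kind of pre-upgrade configuration check the report asks for. It models the two rules quoted in the issue as predicates that are true when outgoing RPC uses TLS (in both quoted snippets, `return false` sits on the branch the comment labels "use TLS"), and flags any client configuration that was TLS under the pre-1.7.3 rule but is plaintext under the 1.7.3 rule, which is exactly the configuration a server with verify_incoming_rpc = true rejects with the "Non-TLS connection attempted" warning above. The `ClientTLSConfig` type, the function names, and the sample config bytes are my constructions; `ca_file`, `ca_path` and `verify_outgoing` are Consul's configuration keys, and the checker reads JSON only (HCL configs are out of scope here).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ClientTLSConfig is the subset of a Consul agent's JSON configuration that
// decides whether outgoing RPC is wrapped in TLS. The struct is built for this
// example (it is not Consul's own config type); the JSON keys are Consul's.
type ClientTLSConfig struct {
	CAFile         string `json:"ca_file"`
	CAPath         string `json:"ca_path"`
	VerifyOutgoing bool   `json:"verify_outgoing"`
}

// HasCA reports whether the agent would build a CA pool (the caPool that the
// pre-1.7.3 rule tested) from this configuration.
func (c ClientTLSConfig) HasCA() bool {
	return c.CAFile != "" || c.CAPath != ""
}

// OutgoingTLSBefore173 models the rule quoted from releases before 1.7.3:
// outgoing RPC uses TLS when a CA pool exists OR verify_outgoing is set.
func OutgoingTLSBefore173(c ClientTLSConfig) bool {
	return c.HasCA() || c.VerifyOutgoing
}

// OutgoingTLSSince173 models the rule in commit 2f7d097: only verify_outgoing
// decides; a configured CA on its own no longer enables TLS.
func OutgoingTLSSince173(c ClientTLSConfig) bool {
	return c.VerifyOutgoing
}

// WillDowngradeToPlaintext is true for exactly the configurations that change
// from TLS to plaintext RPC on upgrade. Against a server with
// verify_incoming_rpc = true these connections are rejected, which surfaces as
// the "Non-TLS connection attempted with VerifyIncoming set" warning.
func WillDowngradeToPlaintext(c ClientTLSConfig) bool {
	return OutgoingTLSBefore173(c) && !OutgoingTLSSince173(c)
}

// CheckUpgrade parses a client config (JSON only) and returns a non-empty
// warning when upgrading past 1.7.2 would silently drop TLS on outgoing RPC.
func CheckUpgrade(raw []byte) (string, error) {
	var c ClientTLSConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("parse client config: %w", err)
	}
	if WillDowngradeToPlaintext(c) {
		return "ca_file/ca_path is set but verify_outgoing is not true: outgoing RPC " +
			"was TLS before 1.7.3 and is plaintext from 1.7.3 on; set verify_outgoing = true", nil
	}
	return "", nil
}

func main() {
	// Constructed samples: the shape of the client config described in the
	// issue (CA provided, verify_outgoing absent) and the corrected form.
	// The CA path is a placeholder.
	samples := []struct {
		name string
		cfg  []byte
	}{
		{"legacy", []byte(`{"ca_file": "/etc/consul.d/ca.pem"}`)},
		{"fixed", []byte(`{"ca_file": "/etc/consul.d/ca.pem", "verify_outgoing": true}`)},
	}
	for _, s := range samples {
		w, err := CheckUpgrade(s.cfg)
		switch {
		case err != nil:
			fmt.Println(s.name, "error:", err)
		case w == "":
			fmt.Println(s.name, "ok: outgoing RPC stays TLS after upgrade")
		default:
			fmt.Println(s.name, "WARN:", w)
		}
	}
}
```

Run it against each client agent's configuration before rolling the upgrade; a warning means the agent will start speaking plaintext to servers that only accept TLS. The split into two explicit predicates also makes the underlying design point visible: under the old rule, whether RPC was encrypted depended on a side effect of CA presence, whereas the new rule ties it to one explicit setting, so the safe posture on the client side is to state verify_outgoing = true rather than rely on the CA to imply it.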