This is essentially a feature request for the consul provider and/or the consul_keys resource to provide a means of insecurely connecting to an SSL protected consul server analogous to curl's -k|--insecure or wget's --no-check-certificate options.
Terraform Version
    $ terraform -v
    Terraform v0.6.16
Version is probably irrelevant, given the current documentation does not indicate this feature even exists for consul or consul_keys.
Affected Resource(s)
consul provider
consul_keys resource
And probably other consul related resources such as consul_key_prefix.
Actual Behavior
    Error applying plan:
    1 error(s) occurred:
    * consul_keys.jobservice: Failed to write Consul key 'service/data/elbEndpoint': Put
    https://consul.myco.com/v1/kv/jobservice/data/elbEndpoint?dc=aws: x509: certificate is valid for
    consul-service, not consul-myco.com
Steps to Reproduce
Set up a consul service with a self-signed cert where the CN in no way remotely resembles the actual ELB name.
Try to register a key in that consul environment.
It appears this feature already exists in the aws, openstack, and rabbitmq providers. It seems that this functionality should be entirely abstracted from this level and brought up to the level of a library common to all providers.
builtin/providers/rabbitmq/provider.go seems to have the clearest code:
    func providerConfigure(d *schema.ResourceData) (interface{}, error) {
        ...
        // Configure TLS/SSL:
        // Ignore self-signed cert warnings
        // Specify a custom CA / intermediary cert
        // Specify a certificate and key
        tlsConfig := &tls.Config{}
        if cacertFile != "" {
            caCert, err := ioutil.ReadFile(cacertFile)
            if err != nil {
                return nil, err
            }
            caCertPool := x509.NewCertPool()
            caCertPool.AppendCertsFromPEM(caCert)
            tlsConfig.RootCAs = caCertPool
        }
        if insecure {
            tlsConfig.InsecureSkipVerify = true
        }
So, it appears we need to be able to set tlsConfig.InsecureSkipVerify = true somewhere. Perhaps insecure needs to be a metaparam across all providers?
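Added example (not part of the issue thread or of Terraform's code): the failure reported above and its alternatives, run against a loopback TLS server. It shows that trusting the self-signed certificate through RootCAs and setting ServerName to the name the certificate was issued for keeps verification on, whereas InsecureSkipVerify also accepts an impostor certificate. The helpers selfSigned, pinned and dial are hypothetical names, the certificates are constructed in the code, and httptest stands in for the Consul endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// selfSigned returns a constructed self-signed certificate valid only for name.
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pinned trusts only cert and verifies it against name rather than the dialed host.
func pinned(cert tls.Certificate, name string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	return &tls.Config{RootCAs: pool, ServerName: name}
}

// dial handshakes with a loopback server presenting srv and returns the client's error.
func dial(srv tls.Certificate, client *tls.Config) error {
	s := httptest.NewUnstartedServer(nil) // assumption: stand-in for the Consul HTTPS endpoint
	s.TLS = &tls.Config{Certificates: []tls.Certificate{srv}}
	s.StartTLS()
	defer s.Close()
	conn, err := tls.Dial("tcp", s.Listener.Addr().String(), client)
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	genuine, rogue := selfSigned("consul-service"), selfSigned("consul-service") // rogue: same name, other key
	fmt.Println("pinned, URL host name: ", dial(genuine, pinned(genuine, "consul.myco.com")))
	fmt.Println("pinned, ServerName set:", dial(genuine, pinned(genuine, "consul-service")))
	fmt.Println("pinned, impostor:      ", dial(rogue, pinned(genuine, "consul-service")))
	fmt.Println("insecure, impostor:    ", dial(rogue, &tls.Config{InsecureSkipVerify: true}))
}
```

The first call reproduces the x509 name mismatch from the issue. Of the two calls against the impostor, only the InsecureSkipVerify one succeeds.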
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
ghost locked and limited conversation to collaborators Apr 10, 2020
This issue was closed.