
I'm now researching the Hashistack and trying to deploy a pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:

Servers of Nomad and Consul are placed on the same nodes.

I do not use Vault. I created a separate private CA, generated TLS certificates and private keys for these services, and configured the Nomad and Consul servers and clients to use them.

My goal is to set up a production-ready Hashistack cluster, so I want to set up full TLS for both services.

I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.

I'd appreciate it if you could suggest the best practices for operating the Hashistack in production, and what steps are required for it.

Thank you!

  • In case someone runs into the issue where you've configured Consul with auto_encrypt and the Nomad clients also receive "bad certificate" (or something similar) when trying to communicate with the Consul clients on localhost, then check here: discuss.hashicorp.com/t/… Commented Sep 21, 2023 at 13:54

4 Answers


First, you need to generate a client certificate for your web browser.

Then convert it to PKCS12 format.

openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12

Let's say you are using Chrome.

Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.


1 Comment

This was the answer for me. Instead of Chrome I used Firefox and imported this .p12 cert via Settings > Privacy & Security > Certificate > View Certificates > Your Certificates.

I've found the answer for the same case.

When a Nomad cluster is deployed with mTLS, you need to deploy the CLI keys to each server node, or at least to the node to which you are configuring the connection.

The CLI keys are generated by following the instructions at https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem

and nginx is configured by following the instructions at https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters

However, this manual does not describe how to configure mTLS.

You need to add the following parameters in the location / block.

 location / {
    ....
    # Forward to the local Nomad HTTP API over TLS
    proxy_pass      https://127.0.0.1:4646;
    # Client certificate and key that nginx presents to Nomad (mTLS)
    proxy_ssl_certificate     /etc/nomad.d/cli.pem;
    proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
    # off: nginx does not verify Nomad's server certificate
    # (proxy_ssl_trusted_certificate pointed at your CA keeps verification on)
    proxy_ssl_verify              off;
    ....
}

In this case nginx can make an encrypted TLS connection to the Nomad HTTP port. Also, don't forget to enable HTTP basic auth at least.



I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...

For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.

For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.

Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client

3 Comments

Hi, how do you open it from a web browser if verify_https_client = true?
@kholisrag: See airo's answer here: stackoverflow.com/a/71192623/9602527
Yeah, I already solved it a long time ago using nginx proxy_ssl too.

I found that this answer was the correct approach for me but I wanted to add additional context concerning how I generated the cert that gets exported via the openssl command.

I issued the cert with my intermediate CA via:

# Issue the client certificate from the intermediate CA (Vault PKI secrets engine)
vault write \
    -format=json \
    pki_int/issue/nomad \
    common_name=client.global.nomad \
    alt_names="${NOMAD_SERVER_IP},localhost" \
    > nomad-cli.json

# Split the JSON response into CA chain, certificate and private key
# (the jq filters are quoted so the shell does not glob-expand the [])
jq -r '.data.ca_chain[]' nomad-cli.json > ca.pem
jq -r '.data.certificate' nomad-cli.json > cert.pem
jq -r '.data.private_key' nomad-cli.json > key.pem

# Bundle key + certificate as PKCS12 for browser import (empty export password)
openssl \
    pkcs12 -export \
    -inkey key.pem \
    -in cert.pem \
    -out browser-cert.p12 \
    -password pass:

Instead of Chrome I used Firefox and imported the browser-cert.p12 cert file via Settings > Privacy & Security > Certificate > View Certificates > Your Certificates.
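The first answer and this one both need a browser client certificate signed by the same CA that Nomad trusts. As an added example (not part of any answer here, and not HashiCorp's code), here is the same flow with plain openssl instead of Vault, for the questioner's private-CA setup: issue the client cert with the clientAuth EKU, verify it chains to the CA, and bundle it as PKCS12. File names (ca.pem, ca-key.pem, nomad-cli.*) and the export password are assumptions.

```shell
#!/bin/sh
# Added example: mint a browser client certificate from a private CA with
# openssl, check it, and export it as PKCS12 for browser import.
# Assumed names: ca.pem / ca-key.pem for the CA, nomad-cli.* for the client.
set -eu

# Create a self-signed private CA (skip if you already have one).
make_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=nomad-private-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a client certificate signed by the CA and bundle it as PKCS12.
make_client_cert() {
  dir=$1
  # Key and CSR for the browser identity; the CN is only a label.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=client.global.nomad" \
    -keyout "$dir/nomad-cli.key" -out "$dir/nomad-cli.csr" 2>/dev/null
  # clientAuth EKU: what an mTLS server checks for on a client certificate.
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:client.global.nomad\n' \
    > "$dir/client.ext"
  openssl x509 -req -days 365 -in "$dir/nomad-cli.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/nomad-cli.pem" 2>/dev/null
  # Key + cert + CA in one .p12 for Firefox/Chrome; constructed export password.
  openssl pkcs12 -export -inkey "$dir/nomad-cli.key" -in "$dir/nomad-cli.pem" \
    -certfile "$dir/ca.pem" -out "$dir/nomad-cli.p12" -passout pass:export-pw
}

# Returns 0 when the client cert chains to the CA and is valid for client auth;
# a cert that fails this check is what triggers the browser's bad-cert alert.
check_client_cert() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient \
    "$dir/nomad-cli.pem" >/dev/null 2>&1
}
```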
