SWCE / consul_telemetry_exporter

Deprecated in favor of https://www.consul.io/api/agent.html#view-metrics
Apache License 2.0

Support for Consul TLS #13

Open KouriR opened 6 years ago

ezraroi commented 6 years ago

Hi @KouriR, the telemetry data is encrypted when using TLS?

KouriR commented 6 years ago

@ezraroi to clarify, I'm looking for something similar to this: https://github.com/prometheus/consul_exporter/blob/master/consul_exporter.go#L103-L125

"http" is disabled in our instance, but https://consul.rocks/v1/agent/metrics is exposed.

KouriR commented 6 years ago

Incomplete without certificate support.

```json
{"name":"RequestError","message":"Error: unable to verify the first certificate","cause":{"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"},"error":{"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"},"options":{"uri":"https://consul.rocks:8500/v1/agent/metrics","json":true,"simple":true,"resolveWithFullResponse":false,"transform2xxOnly":false}}
```

lchayoun commented 6 years ago

@KouriR This error is usually when the certificate is signed using an unknown CA (known CAs are: https://en.wikipedia.org/wiki/Certificate_authority#Providers).

You can override the check using the NODE_TLS_REJECT_UNAUTHORIZED environment variable by setting it to "0".

KouriR commented 6 years ago

Thanks @lchayoun, I can confirm that setting NODE_TLS_REJECT_UNAUTHORIZED to "0" allows the connection to proceed. However, you may want to think about implementing some of the configuration options that the Consul client does: https://www.consul.io/docs/commands/index.html#environment-variables

dwelch2344 commented 3 years ago

Hey @ichayoun, not to necro an old topic but we just ran into this as well on a lower environment (dev vault's CA expired and ops will need a bit to get to renewing) so we're blocked unless we set NODE_TLS_REJECT_UNAUTHORIZED="0" for the entire process.

Not a big deal as it's one step in our CI pipeline, but it'd be nice to have the equivalent of CONSUL_HTTP_SSL_VERIFY for these scenarios. Any idea on how that could be implemented? Happy to contribute a PR if interest
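One way the request in this thread could be met, as an added example that is not part of the thread or of the exporter's code: map the Consul CLI's environment variables onto Node TLS options for a single client, so a private CA is trusted through CONSUL_CACERT and any verification opt-out applies to that client only instead of the whole process. The function names `consulRequestOptions` and `fetchAgentMetrics` are hypothetical, and the default address is an assumption.

```javascript
// Added example, not the exporter's code. Function names are hypothetical.
const isTrue = (v) => ['true', '1'].includes(String(v).toLowerCase());
const isFalse = (v) => ['false', '0'].includes(String(v).toLowerCase());

// Build http(s).get options from Consul-CLI-style environment variables.
// readFile is injected so the mapping can be checked without touching disk.
function consulRequestOptions(env, readFile) {
  const addr = env.CONSUL_HTTP_ADDR || '127.0.0.1:8500'; // assumed default
  const hasScheme = /^https?:\/\//.test(addr);
  const useTls = hasScheme ? addr.startsWith('https://') : isTrue(env.CONSUL_HTTP_SSL);
  const url = new URL(hasScheme ? addr : `${useTls ? 'https' : 'http'}://${addr}`);
  const opts = {
    protocol: url.protocol,
    hostname: url.hostname,
    port: url.port || (useTls ? '443' : '80'),
    path: '/v1/agent/metrics',
  };
  if (!useTls) return opts;

  // Verification stays on unless disabled explicitly, and only for this client.
  opts.rejectUnauthorized = !isFalse(env.CONSUL_HTTP_SSL_VERIFY);
  // Preferred fix for UNABLE_TO_VERIFY_LEAF_SIGNATURE: trust the private CA.
  if (env.CONSUL_CACERT) opts.ca = readFile(env.CONSUL_CACERT);
  if (env.CONSUL_TLS_SERVER_NAME) opts.servername = env.CONSUL_TLS_SERVER_NAME;
  // Optional client certificate and key for mutual TLS.
  if (env.CONSUL_CLIENT_CERT && env.CONSUL_CLIENT_KEY) {
    opts.cert = readFile(env.CONSUL_CLIENT_CERT);
    opts.key = readFile(env.CONSUL_CLIENT_KEY);
  }
  return opts;
}

// Fetch /v1/agent/metrics with those options using Node's built-in clients.
async function fetchAgentMetrics(env = process.env) {
  const fs = await import('node:fs');
  const opts = consulRequestOptions(env, (p) => fs.readFileSync(p));
  const client = await import(opts.protocol === 'https:' ? 'node:https' : 'node:http');
  return new Promise((resolve, reject) => {
    client.get(opts, (res) => {
      let body = '';
      res.on('data', (chunk) => (body += chunk));
      res.on('end', () => {
        try { resolve(JSON.parse(body)); } catch (err) { reject(err); }
      });
    }).on('error', reject);
  });
}
```

With CONSUL_CACERT pointing at the CA bundle that signed the Consul certificate, the request verifies normally and NODE_TLS_REJECT_UNAUTHORIZED can stay unset.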