hashicorp / consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
https://www.hashicorp.com/
Mozilla Public License 2.0

TLS validation error since v 0.19.4 on Alpine Linux 3.6 #1041

Open bhuisgen opened 6 years ago

bhuisgen commented 6 years ago

Consul Template version

0.19.4

Command

consul-template -once -consul-addr 172.30.0.1:8501 -consul-ssl -consul-ssl-ca-cert /etc/consul.d/ssl/ca.pem -consul-ssl-cert /etc/consul.d/ssl/client.pem -consul-ssl-key /etc/consul.d/ssl/client-priv-key.pem -consul-ssl-server-name server.local.my.domain

Debug output

2017/11/06 11:08:41.316026 [ERR] (cli) kv.get(config/value): Get https://172.30.0.1:8501/v1/kv/config/value?stale=&wait=60000ms: x509: certificate is not valid for any names, but wanted to match server.local.my.domain

openssl s_client -connect 172.30.0.1:8501 -verify 3 -CAfile /etc/consul.d/ssl/ca.pem -cert /etc/consul.d/ssl/client.pem -key /etc/consul.d/ssl/client-priv-key.pem
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Expected behavior

TLS validation success

Actual behavior

TLS validation failed

Using consul-template 0.19.3, validation is working well.

References

I have the same problem with server connections (RPC) since consul 1.0.0 https://github.com/hashicorp/consul/issues/3613

sethvargo commented 6 years ago

Hi @bhuisgen

Thank you for opening an issue. Consul Template consumes Consul's API client library upstream. Given hashicorp/consul#3613, I believe the issue is upstream and we inherited it when we updated to the latest bundled version of Consul (which is post 1.0.0). I'll keep this issue open, but I think the fix is going to be upstream. Sorry!