spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0

Connecting from Config Client to Config Server using self-signed certificates #148

Closed kennyk65 closed 8 years ago

kennyk65 commented 9 years ago

Is there a way for a config client to connect to a config server if the config server is using self-signed certificates? The idea here is to use self-signed for local testing, then use real certificates in production. Is there a property on the client side that can be used to have it relax?

Client's exception, when attempting to connect to the config server, is:

2015-05-11 11:47:47.948 ERROR 41554 --- [           main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: I/O error on GET request for "https://localhost:8443/subject/subject/master":java.security.cert.CertificateException: No name matching localhost found; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

eugenebell commented 9 years ago

Have you tried to run a command like the following?

git config http.sslVerify false

This will set the sslverify to false in the .git/config file:

[http]
    sslVerify = false

dsyer commented 9 years ago

If that works we can document it. I thought JGit only used $HOME/.ssh (no $HOME/.git) but I'm happy to document whatever works.

ctatineni commented 9 years ago

Hello,

I am having the same issue: my config server is running with a self-signed certificate and config clients are not able to connect to the server to get the configuration. Is there a property that we can use on the client side to get the properties?

dsyer commented 9 years ago

Did you try the .git suggestion above?

spencergibb commented 9 years ago

@ctatineni @kennyk65 have you tried the suggestion?

jhiemer commented 8 years ago

@dsyer @spencergibb I think what he means is connection of a boot application to Cloud Config Server. I am having the same issue with our private Cloud Foundry installation:

Could not locate PropertySource: I/O error on GET request for "https://config.X.X.X.X.xip.io/redis/development"

It would be really nice (also for Eureka) to have a flag to ignore the certificate error.

dsyer commented 8 years ago

There's a shim that you can use here: https://github.com/pivotal-cf/cloudfoundry-certificate-truster. Include that dependency and set the CF_TARGET to any server that will give you the certificate.

jhiemer commented 8 years ago

@dsyer is it possible to configure CF_TARGET within the application.yml? I did not find anything regarding that in the repository.

jhiemer commented 8 years ago

Executing the application locally, with settings like that:

 "applicationConfig: [classpath:/bootstrap.yml]" : {
    "CF_TARGET" : "https://api.88.198.249.62.xip.io",
    "spring.application.name" : "app",
    "spring.profiles.active" : "development",
  },

The certificate authentication for eureka and cloud config still fails. hm. :-(

spencergibb commented 8 years ago

@jhiemer I'm not super familiar with it, but I believe it needs to be set as an environment variable.

dsyer commented 8 years ago

bootstrap.yml might work - clearly it has to be installed before any SSL communication is needed

spencergibb commented 8 years ago

Except it uses System.getenv https://github.com/pivotal-cf/cloudfoundry-certificate-truster/blob/f101df10dd104804af524e57c9396a181fe7b50b/src/main/java/io/pivotal/springcloud/ssl/CloudFoundryCertificateTruster.java#L79

jabrena commented 8 years ago

On OS X, in my user file system, I don't have those folders (.ssh or .git), so how do I set this attribute?

sslVerify = false

jabrena commented 8 years ago

On Stack Overflow there is a question about it: http://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate

One solution could be:

git config --global http.sslVerify false

jabrena commented 8 years ago

Hi, in this example: https://github.com/spring-cloud-samples/configserver/blob/master/src/main/resources/git.properties there is a git.properties file. Is it possible to indicate this kind of stuff?

Juan Antonio

dsyer commented 8 years ago

I don't know what the question is, but git.properties is just a generated file with git commit ids and stuff in it for the app.

jabrena commented 8 years ago

Hi @dsyer,

Yes, my question is how to indicate to Spring Boot that the configuration uses a Git repository with a self-signed certificate. I noticed that file (git.properties) in the example and I thought that there might be some way to interact using that kind of file.

dsyer commented 8 years ago

No, git.properties is unrelated to the Config Server. I already linked to the "certificate-truster" shim jar. And there are plenty of resources on configuring ssh and git out there. We will add some documentation to Spring Cloud at some point, so your input is valuable, it's just not clear what you need.

dsyer commented 8 years ago

Git and SSH configuration is already mentioned in the user guide. Connecting to the config server over HTTPS is really out of the scope of Spring Cloud Config.
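
An added example, not part of the original thread or of Spring Cloud Config: the exception in the first post is a hostname-matching failure, so rather than turning verification off, this plain-JDK client trusts only the server's exported self-signed certificate and leaves hostname verification on. The class name, keystore alias and certificate path argument are assumptions; the URL is the one from the log in the first post.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;

public final class LocalConfigServerTrust {
    // True if the certificate lists host as a dNSName SAN (type 2). Exact match only, no wildcards.
    static boolean coversHost(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when there is no SAN extension
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        }
        return false;
    }

    // SSLContext whose only trust anchor is the given certificate; nothing else is accepted.
    static SSLContext contextTrusting(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory trust store
        ks.setCertificateEntry("local-config-server", cert); // alias is an assumption
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM or DER export of the server's self-signed certificate (path is an assumption)
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // reject an expired or not-yet-valid test certificate
        URL url = new URL("https://localhost:8443/subject/subject/master"); // URL from the log above
        if (!coversHost(cert, url.getHost())) {
            throw new IllegalStateException("no dNSName SAN for " + url.getHost()
                + "; reissue the test certificate, e.g. keytool -genkeypair ... -ext SAN=dns:localhost");
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(contextTrusting(cert).getSocketFactory()); // hostname verifier left at its default
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The socket factory is set on one connection only, so no JVM-wide trust setting changes and production builds keep the default trust store.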