Connect proxy sidecar, peer certificate mismatch

I’m trying to connect two services, web and db (mysql), using the tutorial "Secure Service Communication with Consul Service Mesh and Envoy | Consul - HashiCorp Learn" as a model.

When I try to connect from web to db, I get this line on the web proxy:

2021-04-07T20:56:29.207Z [ERROR] proxy.upstream: failed to dial: error="peer certificate mismatch got spiffe://b350502d-bd86-a715-6595-9260183bb7c2.consul/ns/default/dc/dc1/svc/web, want spiffe:///ns/default/dc/dc1/svc/db"

and this line on db proxy:
2021-04-07T20:56:36.991Z [ERROR] proxy.inbound: connection failed: error=EOF

I use this line to run the proxy on web:
consul connect proxy -sidecar-for web

And this line for db:
consul connect proxy -sidecar-for db_service

Thanks in advance

Hi @kalimalrazif,

Welcome to the Forums.

Could you please share the service definitions of both web and db that you are using? Also, what version of Consul are you running?

Ok :)

Consul v1.9.4
Revision 10bb6cb3b

web service: { "service": { "name": "web", "port": 80, "connect": { -
db service: { "service": { "name": "db", "address": "", "port": 3 -

masters and agents configs: WEB{ "node_name": "web", "datacenter": "dc1", "domain": -

Hi @kalimalrazif,

Thanks for sharing this.

You are facing this issue because in your db service definition you have set the address to

When the web proxy looks up the db service in the Consul catalog, it will get the loopback IP and the traffic will end up hitting the same machine instead of the db service instance on the db host.

To fix this issue, please remove "address": "" from your db service definition and re-register the service. When you do this, the service will get the IP address of the Consul agent of the host from where you registered the service (in this case your db host).

Hope this helps.
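Added example (not part of the original posts, and not HashiCorp code): a small Python check that reads the "peer certificate mismatch" line from the question to show which service actually answered, and flags Connect-enabled service definitions registered with a loopback address. The function names are hypothetical, and the service definitions are constructed because the ones in the thread are truncated; the loopback address and the sidecar_service block on db are assumptions.

```python
import ipaddress
import re

# Matches the "peer certificate mismatch" error quoted in the question.
MISMATCH = re.compile(
    r'peer certificate mismatch got (spiffe://\S*?), want (spiffe://\S*?)"')

def spiffe_service(uri):
    """Return the service name from a Consul SPIFFE ID (.../svc/<name>)."""
    m = re.search(r"/svc/([^/]+)$", uri)
    return m.group(1) if m else None

def diagnose(log_line):
    """Return (got_service, want_service) for a mismatch line, else None."""
    m = MISMATCH.search(log_line)
    if not m:
        return None
    return spiffe_service(m.group(1)), spiffe_service(m.group(2))

def loopback_registrations(definitions):
    """Names of Connect-enabled services registered with a loopback address."""
    flagged = []
    for d in definitions:
        svc = d.get("service", {})
        addr = svc.get("address", "")
        if "connect" not in svc or not addr:
            continue  # no address set: Consul uses the agent's address
        try:
            if ipaddress.ip_address(addr).is_loopback:
                flagged.append(svc["name"])
        except ValueError:
            pass  # hostname rather than an IP literal; not checked here
    return flagged

# Log line copied from the question.
LINE = ('2021-04-07T20:56:29.207Z [ERROR] proxy.upstream: failed to dial: '
        'error="peer certificate mismatch got spiffe://b350502d-bd86-a715-6595-'
        '9260183bb7c2.consul/ns/default/dc/dc1/svc/web, '
        'want spiffe:///ns/default/dc/dc1/svc/db"')

# Constructed definitions; the db address and connect block are assumptions.
DEFS = [
    {"service": {"name": "web", "port": 80, "connect": {"sidecar_service": {}}}},
    {"service": {"name": "db", "address": "127.0.0.1",
                 "connect": {"sidecar_service": {}}}},
]

if __name__ == "__main__":
    print(diagnose(LINE))                # which service answered vs. expected
    print(loopback_registrations(DEFS))  # services to re-register
```

A result where the "got" service is the caller itself (web here) means the upstream address resolved back to the local host, which is the symptom the loopback check looks for.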

Thanks!!! I will do so. I defined the IP address to because the db service is bound to that address. Is there no problem because of that?

Thanks again

That’s ok and that’s how it should be. This is because only your sidecar proxy should be exposed outside the host and consul connect proxy will do the same for you. The sidecar proxy will proxy the traffic to your DB listening on


Works like a charm! <3

Thank you :)