Connect proxy sidecar, peer certificate mismatch

Hi,
I’m trying to connect two services, web and db (MySQL), using the tutorial Secure Service Communication with Consul Service Mesh and Envoy | Consul - HashiCorp Learn as a model.

When I try to connect from web to db I get these lines on the web proxy:

2021-04-07T20:56:29.207Z [ERROR] proxy.upstream: failed to dial: error="peer certificate mismatch got spiffe://b350502d-bd86-a715-6595-9260183bb7c2.consul/ns/default/dc/dc1/svc/web, want spiffe:///ns/default/dc/dc1/svc/db"

and this line on the db proxy:
2021-04-07T20:56:36.991Z [ERROR] proxy.inbound: connection failed: error=EOF

I use this line to run the proxy on web:
consul connect proxy -sidecar-for web

And this line for db:
consul connect proxy -sidecar-for db_service

Thanks in advance
Nomar

Hi @kalimalrazif,

Welcome to the Forums.

Could you please share the service definitions of both web and db that you are using? Also, what version of Consul are you running?

Ok :slight_smile:

Consul v1.9.4
Revision 10bb6cb3b

web service: { "service": { "name": "web", "port": 80, "connect": { - Pastebin.com
db service: { "service": { "name": "db", "address": "127.0.0.1", "port": 3 - Pastebin.com

masters and agents configs: WEB{ "node_name": "web", "datacenter": "dc1", "domain": - Pastebin.com

Hi @kalimalrazif,

Thanks for sharing this.

You are facing this issue because in your db service definition you have set the address to 127.0.0.1.

When the web proxy looks up the db service in the Consul catalog, it will get the loopback IP and the traffic will end up hitting the same machine instead of the db service instance on the db host.

To fix this issue, please remove "address": "127.0.0.1" from your db service definition and re-register the service. When you do this, the service will get the IP address of the Consul agent on the host from which you registered the service (in this case your db host).

Hope this helps.
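As an added check (not part of this thread or of Consul's own tooling), here is a small Python lint for the misconfiguration described in this answer: a Connect-enabled service registered with a loopback address. The service definitions inside it are constructed to resemble the thread's db service; the port value and the sidecar block are assumptions.

```python
"""Flag Consul service definitions that register a loopback address
while also requesting a Connect sidecar (added example, not from the thread)."""
import json
from ipaddress import ip_address

LOOPBACK_NAMES = {"localhost"}


def is_loopback(addr):
    """True for 127.x.x.x, ::1 or the literal hostname 'localhost'."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def has_sidecar(service):
    """True when the definition asks Consul to register a sidecar proxy."""
    connect = service.get("connect") or {}
    return "sidecar_service" in connect


def find_issues(definition):
    """Return human-readable findings for one service definition (dict)."""
    service = definition.get("service", definition)
    issues = []
    addr = service.get("address")
    # A loopback catalog address is only a problem when remote sidecars
    # will try to dial it: they resolve 127.0.0.1 to their own host.
    if addr is not None and is_loopback(addr) and has_sidecar(service):
        issues.append(
            f"service {service.get('name')!r}: catalog address {addr!r} is loopback; "
            "remove it so the service inherits the agent's address, and keep the "
            "application itself bound to loopback behind the sidecar"
        )
    return issues


# Constructed: the db definition as posted (loopback address plus sidecar).
DB_BEFORE = json.loads('''{"service": {"name": "db", "address": "127.0.0.1",
  "port": 3306, "connect": {"sidecar_service": {}}}}''')
# Constructed: the same definition with the address removed, as advised above.
DB_AFTER = {"service": {"name": "db", "port": 3306,
                        "connect": {"sidecar_service": {}}}}

if __name__ == "__main__":
    for definition in (DB_BEFORE, DB_AFTER):
        print(definition["service"]["name"], find_issues(definition) or "ok")
```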

Thanks!!! I will do so. I defined the IP address as 127.0.0.1 because the db service is bound to that address. Is there any problem because of that?

Thanks again
Nomar

That’s ok and that’s how it should be. This is because only your sidecar proxy should be exposed outside the host and consul connect proxy will do the same for you. The sidecar proxy will proxy the traffic to your DB listening on 127.0.0.1.

1 Like

Works like a charm! <3

Thank you :slight_smile:

1 Like