Consul Connect certificates with subject: [NONE]

I’m trying to get this whoami example to work on our Nomad/Consul setup.

The example with just Traefik (no Connect) works fine and I can access the whoami service. But when I enable Connect and try to access it, I receive a “Bad Gateway”. OK, check intentions: I have made an All → All intention to make sure ACLs aren’t in the way. I still receive Bad Gateway.

Traefik shows:

time="2023-03-28T09:56:18Z" level=debug msg="'502 Bad Gateway' caused by: remote error: tls: expired certificate"
192.168.1.2 - - [28/Mar/2023:09:56:18 +0000] "GET / HTTP/1.1" 502 11 "-" "-" 51805 "whoami@consulcatalog" "https://192.168.1.10:31099" 1ms

When asking the connect proxy, I get:

[mark@host ~]$ curl -kv https://192.168.1.10:31099
* Rebuilt URL to: https://192.168.1.10:31099/
*   Trying 192.168.1.10...
* TCP_NODELAY set
* Connected to 192.168.1.10 (192.168.1.10) port 31099 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: [NONE]
*  start date: Mar 28 09:33:52 2023 GMT
*  expire date: Mar 31 09:33:52 2023 GMT
*  issuer: CN=pri-1n2hsj7d.consul.ca.962af34f.consul
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* SSL_write() returned SYSCALL, errno = 32
* Failed sending HTTP request
* Connection #0 to host 192.168.1.10 left intact
curl: (55) SSL_write() returned SYSCALL, errno = 32

Cert is still valid at this time, but why is the “subject” set to “[NONE]”?

I got this working on a test setup. So the fact the Connect service doesn’t work is related to something else and I haven’t figured it out yet.

On the test setup I also see a subject “[NONE]”, and it is still strange to me why this occurs.