Consul TLS communication with Spring Boot apps

New to stuff, so please excuse me. This is a POC/experimental setup.

On my localhost (MacBook Pro), I have Consul running as a server and a bunch of Spring Boot applications (one or more) trying to register their services on Consul.

It works perfectly while connecting through http.

However, the SSL handshake is failing through HTTPS. We generated the root CA for self-signing (consul-agent-ca) and the server and client certificates through Consul.

Imported the certs into ${JAVA_HOME}/lib/security/cacerts also.

Turned on javax.net.debug=ssl on the spring boot applications.

Is there any way to print out the SSL handshake logs on the Consul side? That might help explain why the connection is failing.

I spent a lot of time on this. So any advice would be really helpful. Thanks in advance.

Ramesh

Are you using Consul for service discovery only, or are you taking advantage of the service mesh connect as well?

The reason I ask is because if you are using service mesh connect then you don’t need to do HTTPS at the application layer. Consul will handle the HTTPS handshake between services, as long as both services are registered in the service mesh, using service mesh connect, and are allowed to communicate with each other (Consul intentions).

Thank you Karl!

“The reason I ask is because if you are using service mesh connect then you don’t need to do HTTPS at the application layer.”

I presented this possibility to our management. Yet to hear back.

But theoretically, and say for learning purposes, has anyone attempted HTTPS at the application layer with Consul? I would be interested in learning.

Thanks again.

@rmantri_work I’m not sure, most people adopt a service mesh to help offset this responsibility and focus instead on developing business logic.

Without going into “sales” mode, removing the overhead of generating/rotating certificates is a huge lift. Not to mention, you can now get away from ineffective firewall rules, and instead apply policies that focus on what services can communicate with one another. I would ask your management team this question: “Have you ever had an outage due to expired certificates?” Consul prevents these types of outages due to the automatic generation and rotation of certificates.

Hello @karl-cardenas-coding, we want to take advantage of the service mesh connect. We won’t do HTTPS at the application layer. We want to delegate the HTTPS handshake between services to Consul. But it is really difficult to find an example. Could you please provide a link or something like that to help us?
Thank you

@gharianig take a peek at this tutorial

Almost all of the Consul tutorials assume the application traffic encryption is handled by the sidecar.
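
Added example (not part of the thread or the linked tutorial): a sketch of the setup described in the replies above, where both services are registered with a sidecar proxy and an intention allows one to call the other. The service names `web` and `api`, the ports, and the file names are assumptions; each commented section is a separate file.

```hcl
# --- web.hcl: the calling Spring Boot service (name and ports are assumptions) ---
# Register with:    consul services register web.hcl
# Start its proxy:  consul connect envoy -sidecar-for web
service {
  name = "web"
  port = 8080

  connect {
    sidecar_service {
      proxy {
        # The app calls http://127.0.0.1:9191 in plain HTTP; the sidecar
        # carries the request to "api" over mutual TLS.
        upstreams = [
          {
            destination_name = "api"
            local_bind_port  = 9191
          }
        ]
      }
    }
  }
}

# --- api.hcl: the called service, registered the same way ---
service {
  name = "api"
  port = 9090

  connect {
    sidecar_service {}
  }
}

# --- deny-all.hcl: apply with `consul config write deny-all.hcl` ---
# Assumption: default deny, so only explicit allows permit traffic.
Kind = "service-intentions"
Name = "*"
Sources = [
  {
    Name   = "*"
    Action = "deny"
  }
]

# --- api-intention.hcl: apply with `consul config write api-intention.hcl` ---
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name   = "web"
    Action = "allow"
  }
]
```

With this layout the Spring Boot applications keep speaking plain HTTP on loopback, so binding each application to 127.0.0.1 keeps its unencrypted port reachable only through its sidecar.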