I am a noob with Consul trying to set it up for service discovery in our platform at my company where services already talk to each other over mutual SSL.
After registering these services in Consul and using DNS for discovery, I get an SSL handshake error…
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <my-api.service.consul> doesn't match any of the subject alternative names: [platform.local, 192.168.99.100]
…which is expected because the certificate in use doesn’t have the consul DNS in the SAN list.
I am interested to know what’s the best practice here to solve this issue? I can think of below options:
- Should I use a different certificate that has the consul DNS in SAN list? It is inconvenient and doesn’t seem scalable.
- Use HTTP API instead of DNS for discovery. Since we use a custom orchestrator, I find DNS to be very flexible for service discovery. HTTP API based discovery would require parsing the response to extract the address.
- Use Consul Connect Service Mesh? Is this problem the right use case for Connect service mesh? It adds more complexity so I want to be sure if this is the right way to go.
- Some other way… ?
Looking forward to hearing some opinions!