
I'm now researching the Hashistack and trying to deploy a pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:

The Nomad and Consul servers are placed on the same nodes.

I do not use Vault. I created a separate private CA, generated TLS certificates and private keys for these services, and configured the Nomad and Consul servers and clients to use them.

My goal is to set up a production-ready Hashistack cluster, so I want to set up full TLS for both services.

I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.

I'd appreciate it if you could suggest best practices for operating the Hashistack in production, and which steps are required for it.

Thank you!

Michael

3 Answers


First, you need to generate a client certificate for your web browser.

Then convert it to PKCS12 format:

    openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12

Let's say you are using Chrome.

Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.

ouflak
荒野无灯
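The certificate step in this answer, worked through as an added example (this is not the answerer's code, nor HashiCorp's): it issues a client certificate from a private CA, bundles it as PKCS#12 the way the openssl command above does, and checks the result before the bundle is handed to a browser user. It assumes openssl 1.1.1 or newer is on PATH; the throwaway demo CA, the WORKDIR/CA_CERT/CA_KEY variables, the certificate name nomad-cli and the password changeit are this example's own choices, not values from the answer.

```shell
#!/bin/sh
# Added example, not code from the answers above: issue a browser client
# certificate from a private CA and bundle it as PKCS#12 for import into
# Chrome or Firefox. Assumes openssl (1.1.1 or newer) is on PATH.
# The CA created here is a throwaway demo CA so the script runs stand-alone;
# for a real cluster, set CA_CERT and CA_KEY (this example's own variable
# names) to the existing private CA material instead.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CERT="${CA_CERT:-$WORKDIR/ca.pem}"
CA_KEY="${CA_KEY:-$WORKDIR/ca-key.pem}"

# Minimal openssl config so the example does not depend on the distro's
# openssl.cnf: a CA profile and a client-authentication-only profile.
write_openssl_cnf() {
    cat > "$WORKDIR/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = demo-private-ca
[ca_ext]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[client_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Throwaway demo CA (skipped when CA_CERT/CA_KEY already exist).
make_demo_ca() {
    [ -s "$CA_CERT" ] && [ -s "$CA_KEY" ] && return 0
    openssl req -x509 -config "$WORKDIR/demo.cnf" -newkey rsa:2048 -nodes \
        -days 365 -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# Client certificate for one browser user: clientAuth EKU only (it cannot be
# reused as a server certificate) and a short lifetime.
make_client_cert() {
    name="$1"
    openssl req -new -config "$WORKDIR/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$WORKDIR/$name.csr" \
        -CA "$CA_CERT" -CAkey "$CA_KEY" -CAserial "$WORKDIR/ca.srl" -CAcreateserial \
        -extfile "$WORKDIR/demo.cnf" -extensions client_ext \
        -out "$WORKDIR/$name.pem" 2>/dev/null
}

# Bundle key + certificate (+ CA) into PKCS#12, which is what browsers import.
make_p12() {
    name="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.pem" \
        -certfile "$CA_CERT" -name "$name" -passout "pass:$pass" -out "$WORKDIR/$name.p12"
}

# Checks to run before handing the bundle out: the certificate chains to the
# CA and is valid for the client-authentication purpose only.
verify_client_cert() {
    name="$1"
    openssl verify -CAfile "$CA_CERT" -purpose sslclient "$WORKDIR/$name.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORKDIR/$name.pem" -noout -text | grep -q "TLS Web Client Authentication"
}

# The bundle opens with its password and carries the private key.
verify_p12() {
    name="$1"; pass="$2"
    openssl pkcs12 -in "$WORKDIR/$name.p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; return 0; }
    write_openssl_cnf
    make_demo_ca
    make_client_cert nomad-cli
    make_p12 nomad-cli changeit
    verify_client_cert nomad-cli
    verify_p12 nomad-cli changeit
    echo "import $WORKDIR/nomad-cli.p12 into the browser (password: changeit)"
}

main
```

Run as-is it produces a demo bundle in a temporary directory; with CA_CERT and CA_KEY pointing at the real private CA it issues a bundle signed by the CA that Nomad's tls block trusts, which is the condition the SSL_ERROR_BAD_CERT_ALERT error is complaining about. Import the .p12 as the answer describes.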

I've found the answer for the same case.

When the Nomad cluster is deployed with mTLS, you need to deploy the CLI keys to each server node, or at least to the node to which you are configuring the connection.

The CLI keys are generated following the instructions at https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem

and nginx is configured following the instructions at https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters

However, this manual does not describe how to configure mTLS.

You need to add the following parameters in location /.

    location / {
        ....
        proxy_pass                https://127.0.0.1:4646;
        proxy_ssl_certificate     /etc/nomad.d/cli.pem;
        proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
        proxy_ssl_verify          off;
        ....
    }

In this case nginx can make an encrypted TLS connection to the Nomad HTTP port. Also, don't forget to enable HTTP basic auth at least.

airo
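An added configuration example (not the answerer's config and not the HashiCorp tutorial's) that keeps the client-certificate settings from this answer but turns server verification back on: with proxy_ssl_verify off, nginx accepts whatever certificate is presented on 127.0.0.1:4646, so the proxy side of the mTLS pair is one-way. The nginx directives are real ones; the CA file path, the Nomad server certificate name server.global.nomad, the hostname and the htpasswd path are assumptions for illustration.

```nginx
# Added example, not the answer's own config: same mTLS reverse proxy, but
# nginx verifies the Nomad API certificate against the private CA instead
# of using proxy_ssl_verify off. Paths marked "placeholder" are assumed.
server {
    listen 443 ssl;
    server_name nomad-ui.example.internal;                  # placeholder

    ssl_certificate     /etc/nginx/tls/nomad-ui.pem;        # placeholder
    ssl_certificate_key /etc/nginx/tls/nomad-ui-key.pem;    # placeholder

    # Users still authenticate to the proxy (basic auth, as the answer
    # recommends), and only over TLS.
    auth_basic           "Nomad UI";
    auth_basic_user_file /etc/nginx/nomad-ui.htpasswd;      # placeholder

    location / {
        proxy_pass https://127.0.0.1:4646;

        # nginx presents the Nomad CLI client certificate to the API
        # (same files as in the answer).
        proxy_ssl_certificate     /etc/nomad.d/cli.pem;
        proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;

        # ...and checks the API's certificate against the private CA.
        # proxy_ssl_name must match a SAN in the Nomad server certificate;
        # server.global.nomad is the name the HashiCorp TLS tutorial issues.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nomad.d/nomad-ca.pem;   # assumed CA path
        proxy_ssl_name                server.global.nomad;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Upgrade and long-timeout settings the UI's exec and log
        # streaming need through a proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Origin "${scheme}://${proxy_host}";
        proxy_buffering off;
        proxy_read_timeout 310s;
    }
}
```

Check the result with nginx -t before reloading; if the server certificate's SANs differ from the assumed name, adjust proxy_ssl_name rather than switching verification off.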

I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...

For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.

For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.

Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client

Ben
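The tls block this answer refers to, as an added example of the production setting beside the dev one (this is not the answerer's configuration and not copied from the Nomad docs): the option names are Nomad's, the file paths are placeholders for the question's private-CA material.

```hcl
# Added example, not from the answers: Nomad agent tls block for a
# production server. File paths are placeholders.
tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/nomad-ca.pem"      # the private CA that signs everything below
  cert_file = "/etc/nomad.d/server.pem"
  key_file  = "/etc/nomad.d/server-key.pem"

  # Agents verify each other's RPC certificate names (server.<region>.nomad).
  verify_server_hostname = true

  # Production: every HTTPS client (CLI, browser, reverse proxy) must present
  # a certificate signed by ca_file; a browser without one gets
  # SSL_ERROR_BAD_CERT_ALERT. Set to false only in a dev environment.
  verify_https_client = true
}
```

With verify_https_client = true, the client certificate imported into the browser (or configured in the reverse proxy) has to chain to ca_file; any other certificate, or none, is rejected at the TLS handshake before Nomad's ACL layer is reached.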