Reputation: 41
I'm now researching the Hashistack and trying to deploy a pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:
Servers of Nomad and Consul are placed on the same nodes.
I do not use Vault. I created separate private CA, generated TLS certificates and private keys for these services and configured Nomad and Consul servers and clients to use them.
My goal is to set up a production-ready Hashistack cluster, so I want to set up full TLS for both services.
I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.
I'd appreciate it if you could suggest best practices for operating the Hashistack in production, and what steps are required for it.
Thank you!
Upvotes: 3
Views: 2809
Reputation: 922
I found that this answer was the correct approach for me, but I wanted to add additional context concerning how I generated the cert that gets exported via the openssl command.
I issued the cert with my intermediate CA via:
# issue a client cert from the pki_int mount using the "nomad" role
vault write \
  -format=json \
  pki_int/issue/nomad \
  common_name=client.global.nomad \
  alt_names="${NOMAD_SERVER_IP},localhost" \
  > nomad-cli.json
# split the JSON response into PEM files (quote the jq filter so the shell does not glob the [])
jq -r '.data.ca_chain[]' nomad-cli.json > ca.pem
jq -r .data.certificate nomad-cli.json > cert.pem
jq -r .data.private_key nomad-cli.json > key.pem
# bundle key and cert into a PKCS#12 file for the browser (empty export password)
openssl \
  pkcs12 -export \
  -inkey key.pem \
  -in cert.pem \
  -out browser-cert.p12 \
  -password pass:
Instead of Chrome I used Firefox and imported the browser-cert.p12 cert file via Settings > Privacy & Security > Certificates > View Certificates > Your Certificates.
Upvotes: 0
Reputation: 21
I've found an answer for the same case.
When a Nomad cluster is deployed with mTLS, you need to deploy the CLI keys to each server node, or at least to the node on which you are configuring the connection.
The CLI keys are generated following the instructions at https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem
and nginx is configured following the instructions at https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters;
however, this manual does not contain a description of configuring mTLS.
You need to add the following parameters in location /:
location / {
....
# Nomad HTTP API/UI on the local node, TLS enabled
proxy_pass https://127.0.0.1:4646;
# client certificate and key nginx presents to Nomad (mTLS)
proxy_ssl_certificate /etc/nomad.d/cli.pem;
proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
# nginx does not verify Nomad's server certificate
proxy_ssl_verify off;
....
}
In this case nginx can make an encrypted TLS connection to the Nomad HTTP port. Also, don't forget to enable HTTP basic auth at least.
Upvotes: 2
Reputation: 61
You first need to generate a client certificate for your web browser, then convert it to PKCS12 format.
openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12
Let's say you are using Chrome. Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.
Upvotes: 5
Reputation: 1
I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...
For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.
For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.
Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client
Upvotes: 0