Retrieving stats from CLI doesn't properly support TLS #3013

Closed
schmichael opened this issue Aug 12, 2017 · 9 comments · Fixed by #3127

@schmichael
Member

I think this is a similar bug as #2490.

Original report by @pznamensky:

I've found that at least nomad alloc-status $alloc-id doesn't work as expected (for me).

~ $ nomad alloc-status e90647d0
ID = e90647d0
Eval ID = f693f405
....

Couldn't retrieve stats (HINT: ensure Client.Advertise.HTTP is set): Get https://$alloc-ip:4646/v1/client/allocation/e90647d0-6dda-545b-4c48-69094ec65b06/stats: x509: certificate is valid for 127.0.0.1, not $alloc-ip

Task "redis" is "running"
Task Resources
CPU Memory Disk IOPS Addresses
500 MHz 256 MiB 300 MiB 0 db: $alloc-ip:27590

Task Events:
...

This doesn't work in case of using cli or client certs.
Is this expected behavior?

@dsolsona

I'm having the same issue.

Also node-status seems to be affected as well

nomad node-status e7682fec

error fetching node stats (HINT: ensure Client.Advertise.HTTP is set): Get https://172.28.1.138:4646/v1/client/stats: x509: certificate is valid for 127.0.0.1, not 172.28.1.138

@schmichael
Member Author

@dsolsona Thanks for the report! The good news is it's the same underlying call in the api package not correctly handling TLS in both cases. Still hoping to fix by 0.6.1.

schmichael added a commit that referenced this issue Aug 28, 2017
Fixes #3013

It's a little weird that Client now has a method for returning a
NewClient, but it's a convenient way to dedupe the logic to
connect-directly-to-a-node which is nontrivial and had subtle
differences between locations.
@pznamensky

Thanks!

@dsolsona

Hi @schmichael

I've tested Nomad 0.6.2 and now I'm getting a completely different error

Couldn't retrieve stats (HINT: ensure Client.Advertise.HTTP is set): Get https://10.91.89.3:4646/v1/client/allocation/a02a19be-6824-851c-db49-6297f3138045/stats: x509: certificate is valid for client.aws.nomad, localhost, not client..nomad

It seems that somehow the region is getting lost based on the log output.

On the Nomad client I'm seeing

http: TLS handshake error from 10.91.70.24:48172: remote error: tls: bad certificate

Both servers and clients have the right region in them and the certificates were created with the right region too.

If you think this issue is not the best place to discuss this I can create a new one or move this to the mailing list, but it seems kind of related to the latest Nomad release (0.6.2)

@dadgar dadgar reopened this Aug 29, 2017
dadgar added a commit that referenced this issue Aug 29, 2017
This PR fixes the construction of the TLSServerName when connecting to a
node that has TLS enabled and adds tests for all possible permutations.

Fixes #3013
@dadgar
Contributor

dadgar commented Aug 29, 2017

@dsolsona Can you test this binary:
nomad.zip

You would only need to replace it for the CLI. No need to change server/client binaries.

@dsolsona

Hi @dadgar

I've tested the binary and now I get

Couldn't retrieve stats (HINT: ensure Client.Advertise.HTTP is set): Get https://10.91.89.3:4646/v1/client/allocation/119c1280-4720-a27e-aac8-18a83faa4385/stats?region=global: x509: certificate is valid for client.aws.nomad, localhost, not client.global.nomad

Still using the wrong region, but at least now it uses a region ;)

@dadgar
Contributor

dadgar commented Aug 30, 2017

@dsolsona Did you set the region to aws? You have two ways

  1. export NOMAD_REGION=aws
  2. nomad node-status -region=aws <id>

@dsolsona

Oh right, exporting NOMAD_REGION does work flawlessly

I guess I was expecting it would read the region from the nomad configuration file.

Thanks for fixing this so quickly!
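
The name mismatch traced through this thread, as an added example that is not part of the original discussion and is not Nomad's code: it checks each name the CLI presented (node IP, empty region, default region, correct region) against a certificate with the SANs from the error output. The helpers `nodeServerName`, `nodeTLSConfig` and `matches` are hypothetical, and `sampleCert` is a constructed stand-in that carries only the SAN list.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// nodeServerName builds the name a node certificate is expected to carry.
// The "client.<region>.nomad" shape comes from the error messages in this
// thread; the helper is hypothetical, not Nomad's implementation.
func nodeServerName(region string) (string, error) {
	if region == "" {
		return "", errors.New("empty region would yield client..nomad")
	}
	return "client." + region + ".nomad", nil
}

// nodeTLSConfig verifies the peer against the role/region name rather than
// the dialed IP. Verification stays enabled; only the expected name changes.
func nodeTLSConfig(region string, roots *x509.CertPool) (*tls.Config, error) {
	name, err := nodeServerName(region)
	if err != nil {
		return nil, err
	}
	return &tls.Config{ServerName: name, RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// matches reports whether cert is valid for the name the TLS client checks.
func matches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

// Constructed sample: carries only the SAN list shown in the thread's errors.
var sampleCert = &x509.Certificate{DNSNames: []string{"client.aws.nomad", "localhost"}}

func main() {
	// Names the CLI presented at each stage of the thread, then the right one.
	for _, n := range []string{"10.91.89.3", "client..nomad", "client.global.nomad", "client.aws.nomad"} {
		fmt.Printf("%-20s match=%v\n", n, matches(sampleCert, n))
	}
	if _, err := nodeTLSConfig("", nil); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Only `client.aws.nomad` matches, which is why the region has to reach the CLI (here via `NOMAD_REGION` or `-region`) before the handshake can succeed with verification left on.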

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 8, 2022