This repository has been archived by the owner on Feb 26, 2023. It is now read-only.

seems that hashi-ui (v0.15.0) doesn't honor -nomad-skip-verify flag #297

Closed
pznamensky opened this issue Aug 24, 2017 · 4 comments

@pznamensky

Hi,
I'm getting an error in a Nomad cluster with TLS auth enabled.

hashi-ui[16012]: 14:37:41.569 connection.go:78 ▶ ERROR  [18fe0105] Unable to fetch alloc: Get https://<nomad-client-ip>:4646/v1/allocation/e4943154-b4ee-3668-a80c-f1b2994acf0a: x509: certificate is valid for 127.0.0.1, not <nomad-client-ip>

This is a known issue: hashicorp/nomad#3013
I hoped that the -nomad-skip-verify flag could help me, but it doesn't. The issue still persists.
Does this flag work?

@jippi
Owner

jippi commented Aug 24, 2017

it should work, can you try with the ENV key instead?

@pznamensky
Author

It is strange, but the ENV key and the CLI flag influence hashi-ui in different ways.
Nevertheless, the error doesn't disappear.

The same page with ENV key:

~ # export NOMAD_SKIP_VERIFY=true
~ # hashi-ui -listen-address 0.0.0.0:3001 -nomad-address https://127.0.0.1:4646 -nomad-ca-cert /etc/nomad.d/nomad-ca.crt -nomad-client-cert /etc/nomad.d/server.global.nomad.crt -nomad-client-key /etc/nomad.d/server.global.nomad.private.key -nomad-enable  -nomad-hide-env-data -nomad-read-only                 -nomad-skip-verify

(17372) 2017/08/24 15:10:10.802330 {"level":"info","msg":"application created","context":{"app":"hashi-ui","enabled":false,"version":"1.9.0"}}       
15:10:10.802 main.go:60 ▶ INFO  -----------------------------------------------------------------------------                                        
15:10:10.802 main.go:61 ▶ INFO  |                             HASHI UI                                      |                                        
15:10:10.802 main.go:62 ▶ INFO  -----------------------------------------------------------------------------                                        
15:10:10.802 main.go:64 ▶ INFO  | listen-address        : http://0.0.0.0:3001                                |                                       
15:10:10.802 main.go:68 ▶ INFO  | server-certificate    :                                                    |                                       
15:10:10.802 main.go:69 ▶ INFO  | server-key            :                                                    |                                       
15:10:10.802 main.go:70 ▶ INFO  | proxy-address         :                                                    |                                       
15:10:10.802 main.go:71 ▶ INFO  | log-level             : info                                               |                                       
15:10:10.802 main.go:79 ▶ INFO  | nomad-enable          : true                                               |                                       
15:10:10.802 main.go:81 ▶ INFO  | nomad-read-only       : Yes                                                |
15:10:10.802 main.go:85 ▶ INFO  | nomad-address         : https://127.0.0.1:4646                             |
15:10:10.802 main.go:86 ▶ INFO  | nomad-ca-cert         : /etc/nomad.d/nomad-ca.crt                          |
15:10:10.802 main.go:87 ▶ INFO  | nomad-client-cert     : /etc/nomad.d/server.global.nomad.crt               |
15:10:10.802 main.go:88 ▶ INFO  | nomad-client-key      : /etc/nomad.d/server.global.nomad.private.key       |
15:10:10.802 main.go:89 ▶ INFO  | nomad-skip-verify     : true                                               |
15:10:10.802 main.go:90 ▶ INFO  | hide-env-data         : true                                               |
15:10:10.802 main.go:92 ▶ INFO  | nomad-skip-verify     : Yes                                                |
15:10:10.802 main.go:98 ▶ INFO  | consul-enable         : false                                              |
15:10:10.802 main.go:102 ▶ INFO  | consul-read-only     : No (Hashi-UI can change Consul state)              |
15:10:10.802 main.go:104 ▶ INFO  | consul-address       : 127.0.0.1:8500                                     |
15:10:10.802 main.go:105 ▶ INFO  | consul.acl-token     :                                                    |
15:10:10.802 main.go:107 ▶ INFO  -----------------------------------------------------------------------------
15:10:10.802 main.go:108 ▶ INFO
15:10:10.811 nomad.go:31 ▶ INFO  Starting handlers for region: global
15:10:10.812 nomad.go:51 ▶ INFO    -> Connecting to nomad
15:10:10.812 nomad.go:60 ▶ INFO    -> Starting resource watchers
15:10:10.812 main.go:122 ▶ INFO  Nomad client successfully initialized
15:10:10.812 main.go:208 ▶ INFO  Listening ...
15:10:17.416 connection.go:84 ▶ INFO  [2eb75559] Started watching alloc with id: 7d895c52-eff0-9045-c4fe-956ba7206156
15:10:17.760 connection.go:78 ▶ ERROR  [2eb75559] Unable to fetch alloc: Get https://<nomad-client-ip>:4646/v1/allocation/7d895c52-eff0-9045-c4fe-956ba7206156: remote error: tls: bad certificate

And without ENV key, but with -nomad-skip-verify flag:

~ # hashi-ui -listen-address 0.0.0.0:3001 -nomad-address https://127.0.0.1:4646 -nomad-ca-cert /etc/nomad.d/nomad-ca.crt -nomad-client-cert /etc/nomad.d/server.global.nomad.crt -nomad-client-key /etc/nomad.d/server.global.nomad.private.key  -nomad-enable -nomad-hide-env-data -nomad-read-only                 -nomad-skip-verify                                                                                                   
(17315) 2017/08/24 15:08:10.739602 {"level":"info","msg":"application created","context":{"app":"hashi-ui","enabled":false,"version":"1.9.0"}}       
15:08:10.739 main.go:60 ▶ INFO  -----------------------------------------------------------------------------                                        
15:08:10.739 main.go:61 ▶ INFO  |                             HASHI UI                                      |                                        
15:08:10.739 main.go:62 ▶ INFO  -----------------------------------------------------------------------------                                        
15:08:10.739 main.go:64 ▶ INFO  | listen-address        : http://0.0.0.0:3001                                |                                       
15:08:10.739 main.go:68 ▶ INFO  | server-certificate    :                                                    |                                       
15:08:10.739 main.go:69 ▶ INFO  | server-key            :                                                    |                                       
15:08:10.739 main.go:70 ▶ INFO  | proxy-address         :                                                    |                                       
15:08:10.739 main.go:71 ▶ INFO  | log-level             : info                                               |                                       
15:08:10.739 main.go:79 ▶ INFO  | nomad-enable          : true                                               |                                       
15:08:10.739 main.go:81 ▶ INFO  | nomad-read-only       : Yes                                                |                                       
15:08:10.739 main.go:85 ▶ INFO  | nomad-address         : https://127.0.0.1:4646                             |
15:08:10.739 main.go:86 ▶ INFO  | nomad-ca-cert         : /etc/nomad.d/nomad-ca.crt                          |
15:08:10.739 main.go:87 ▶ INFO  | nomad-client-cert     : /etc/nomad.d/server.global.nomad.crt               |
15:08:10.739 main.go:88 ▶ INFO  | nomad-client-key      : /etc/nomad.d/server.global.nomad.private.key       |
15:08:10.739 main.go:89 ▶ INFO  | nomad-skip-verify     : true                                               |
15:08:10.739 main.go:90 ▶ INFO  | hide-env-data         : true                                               |
15:08:10.739 main.go:92 ▶ INFO  | nomad-skip-verify     : Yes                                                |
15:08:10.739 main.go:98 ▶ INFO  | consul-enable         : false                                              |
15:08:10.739 main.go:102 ▶ INFO  | consul-read-only     : No (Hashi-UI can change Consul state)              |
15:08:10.739 main.go:104 ▶ INFO  | consul-address       : 127.0.0.1:8500                                     |
15:08:10.739 main.go:105 ▶ INFO  | consul.acl-token     :                                                    |
15:08:10.739 main.go:107 ▶ INFO  -----------------------------------------------------------------------------
15:08:10.739 main.go:108 ▶ INFO  
15:08:10.748 nomad.go:31 ▶ INFO  Starting handlers for region: global
15:08:10.749 nomad.go:51 ▶ INFO    -> Connecting to nomad
15:08:10.749 nomad.go:60 ▶ INFO    -> Starting resource watchers
15:08:10.749 main.go:122 ▶ INFO  Nomad client successfully initialized
15:08:10.749 main.go:208 ▶ INFO  Listening ...
15:08:23.281 connection.go:84 ▶ INFO  [1f61a791] Started watching alloc with id: 7d895c52-eff0-9045-c4fe-956ba7206156
15:08:23.636 connection.go:78 ▶ ERROR  [1f61a791] Unable to fetch alloc: Get https://<nomad-client-ip>:4646/v1/allocation/7d895c52-eff0-9045-c4fe-956ba7206156: x509: certificate is valid for 127.0.0.1, not <nomad-client-ip>

As you can see, the error occurs in both cases, but the error messages are different:

15:10:17.760 connection.go:78 ▶ ERROR  [2eb75559] Unable to fetch alloc: Get https://<nomad-client-ip>:4646/v1/allocation/7d895c52-eff0-9045-c4fe-956ba7206156: remote error: tls: bad certificate

vs

15:08:23.636 connection.go:78 ▶ ERROR  [1f61a791] Unable to fetch alloc: Get https://<nomad-client-ip>:4646/v1/allocation/7d895c52-eff0-9045-c4fe-956ba7206156: x509: certificate is valid for 127.0.0.1, not <nomad-client-ip>

@jippi
Owner

jippi commented Aug 24, 2017

Okay, I think we would have to wait for upstream to get it fixed :(

@jippi
Owner

jippi commented Aug 29, 2017

I've built the latest hashi-ui with the Nomad 0.6.2 SDK; please see if that fixes it

@jippi jippi closed this as completed Aug 29, 2017