Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Kapacitor Issue #942: HTTPS subscriptions don't work #7392

Merged
merged 2 commits into from
Oct 4, 2016

Conversation

mglazer
Copy link

@mglazer mglazer commented Oct 1, 2016

Required for all non-trivial PRs
  • Rebased/mergable
  • Tests pass
  • CHANGELOG.md updated
  • Sign CLA (if not already signed)

@mention-bot
Copy link

@mglazer, thanks for your PR! By analyzing the history of the files in this pull request, we identified @nathanielc, @jsternberg and @orthogonous to be potential reviewers.

Copy link
Contributor

@e-dard e-dard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. If you look at the httpd Config you'll see we support providing both a certificate and a private key file. When you pass these into the tls package, Go will ignore an empty private key and assume that the certificate is a PEM-encoded bundle.

This way we support both a single PEM-encoded certificate bundle, or separate certificates and private key files.

Could you make this service behave in the same way?

@mglazer
Copy link
Author

mglazer commented Oct 3, 2016

Hey @e-dard thanks for looking.

I'm not certain I understand you though. This feature doesn't need private keys to work, you just need the public key certificate to establish the trust relationship. By default, this was loading the CA Certs from where ever they lived on the current host (see: https://golang.org/src/crypto/x509/root_linux.go). I'm just supplying the configuration to load it from a different location.

@e-dard
Copy link
Contributor

e-dard commented Oct 3, 2016

@mglazer ah cool. Sorry I hadn't had my coffee this morning and immediately assumed you were using these certs for server-side stuff 😄

@nathanielc can you take a look at the PR?

Copy link
Contributor

@nathanielc nathanielc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this ready to go.

I have made two small recommendations.

Thanks for the PR!

if c.CaCerts != "" && !fileExists(c.CaCerts) {
abspath, err := filepath.Abs(c.CaCerts)
if err != nil {
return err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This error should probably return something like:

fmt.Errorf("ca-certs file %s does not exist", c.CaCerts)

that way the user gets a useful error relating to the miss configuration of the CaCerts, instead of an error about not being able to determine the abspath.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. I'm actually not sure when .Abs() would fail. I originally didn't have this in here, but in order to work on Windows, I had to add it.

return NewHTTP(u.String(), time.Duration(s.conf.HTTPTimeout))
case "https":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a log line here if InsecureSkipVerify is true? This way we can warn the operator that an insecure setting has been used.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Let me know if the warning is in the correct format.

@mglazer mglazer force-pushed the feature/https-subscriber branch from d7318f5 to 4101cc7 Compare October 4, 2016 04:37
@nathanielc
Copy link
Contributor

@mglazer Changes look good, just looks like there is a compilation error with the recent log message change.

services/subscriber/service.go:330: undefined: c in c.InsecureSkipVerify

@mglazer mglazer force-pushed the feature/https-subscriber branch from 4101cc7 to 1feca06 Compare October 4, 2016 18:59
@mglazer
Copy link
Author

mglazer commented Oct 4, 2016

My apologies. Fixed.

@nathanielc
Copy link
Contributor

@mglazer Thanks!

@nathanielc nathanielc merged commit 91645c0 into influxdata:master Oct 4, 2016
@timhallinflux timhallinflux added this to the 1.1.0 milestone Dec 19, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants