-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Kapacitor Issue #942: HTTPS subscriptions don't work #7392
Fix Kapacitor Issue #942: HTTPS subscriptions don't work #7392
Conversation
@mglazer, thanks for your PR! By analyzing the history of the files in this pull request, we identified @nathanielc, @jsternberg and @orthogonous to be potential reviewers. |
ba08df5
to
d7318f5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR. If you look at the httpd
Config you'll see we support providing both a certificate and a private key file. When you pass these into the tls package, Go will ignore an empty private key and assume that the certificate is a PEM-encoded bundle.
This way we support both a single PEM-encoded certificate bundle, or separate certificates and private key files.
Could you make this service behave in the same way?
Hey @e-dard thanks for looking. I'm not certain I understand you though. This feature doesn't need private keys to work, you just need the public key certificate to establish the trust relationship. By default, this was loading the CA Certs from where ever they lived on the current host (see: https://golang.org/src/crypto/x509/root_linux.go). I'm just supplying the configuration to load it from a different location. |
@mglazer ah cool. Sorry I hadn't had my coffee this morning and immediately assumed you were using these certs for server-side stuff 😄 @nathanielc can you take a look at the PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this ready to go.
I have made two small recommendations.
Thanks for the PR!
if c.CaCerts != "" && !fileExists(c.CaCerts) { | ||
abspath, err := filepath.Abs(c.CaCerts) | ||
if err != nil { | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error should probably return something like:
fmt.Errorf("ca-certs file %s does not exist", c.CaCerts)
that way the user gets a useful error relating to the miss configuration of the CaCerts, instead of an error about not being able to determine the abspath.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. I'm actually not sure when .Abs() would fail. I originally didn't have this in here, but in order to work on Windows, I had to add it.
return NewHTTP(u.String(), time.Duration(s.conf.HTTPTimeout)) | ||
case "https": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add a log line here if InsecureSkipVerify is true? This way we can warn the operator that an insecure setting has been used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Let me know if the warning is in the correct format.
d7318f5
to
4101cc7
Compare
@mglazer Changes look good, just looks like there is a compilation error with the recent log message change.
|
4101cc7
to
1feca06
Compare
My apologies. Fixed. |
@mglazer Thanks! |
Required for all non-trivial PRs