Comments (3)
We experienced this as well when we went to v7.1.0.
I think what's happening is that if you are using the ops files from concourse-bosh-deployment to add TLS to your web instance_group:
Then the atc_tls cert has a ca part in credhub, which means CONCOURSE_TLS_CA_CERT is set to the ca, making concourse then expect a client cert signed by that ca.
In our case, we were using a reverse proxy in front of concourse, so for now we've just configured it to do what concourse now wants and send a valid client cert to the concourse web backend.
If you're not using a reverse proxy and are accessing concourse web directly, I'd assume the normal practice would be to use a real cert for atc_tls, in which case people might not have the ca part set when uploading it to credhub, and it might be all good.
It kind of feels to me like it'd be simpler for operators to allow them to explicitly enable requiring a client cert in a separate property, instead of just toggling based on the presence of the ca part.
from concourse-bosh-release.
Thank you @bg-govau. We don't have a reverse proxy in front of our concourse-web, so we are using a custom ops file to have the atc_tls ca removed from the web-nodes manifest for the 7.1.x deployment.
Experienced this as well. Our fix:
bosh -d credhub manifest > credhub.yml
Modified manifest from
tls:
  bind_port: 443
  cert: ((atc_tls))
To
tls:
  bind_port: 443
  cert:
    certificate: ((atc_tls.certificate))
    private_key: ((atc_tls.private_key))
bosh -d concourse deploy concourse.yml
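As an added example (my own code, not from any of the commenters or from concourse-bosh-release), a small Python checker that finds a whole-object `cert: ((atc_tls))` reference in a manifest and rewrites it into the split certificate/private_key form used in the comment above, so the ca field never reaches the web job. The manifest fragment and the job name `web` are constructed for the example.

```python
import re

# A `cert:` key whose value is a whole credential reference, e.g. `cert: ((atc_tls))`.
# Such a reference expands to the full credhub certificate object (ca, certificate,
# private_key); the ca part is what ends up in CONCOURSE_TLS_CA_CERT and switches on
# client-cert verification. Dotted sub-references like ((atc_tls.certificate)) are
# single strings and are deliberately not matched.
WHOLE_CERT_REF = re.compile(r"^(?P<indent>\s*)cert:\s*\(\((?P<name>[\w-]+)\)\)\s*$")


def find_whole_cert_refs(manifest_text):
    """Return (line_number, credential_name) for each whole-object cert reference."""
    hits = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        m = WHOLE_CERT_REF.match(line)
        if m:
            hits.append((lineno, m.group("name")))
    return hits


def split_cert_refs(manifest_text, step=2):
    """Rewrite whole-object cert references into explicit certificate/private_key
    sub-references, keeping the surrounding indentation (step = YAML indent width)."""
    out = []
    for line in manifest_text.splitlines():
        m = WHOLE_CERT_REF.match(line)
        if not m:
            out.append(line)
            continue
        indent, name = m.group("indent"), m.group("name")
        child = indent + " " * step
        out.append(f"{indent}cert:")
        out.append(f"{child}certificate: (({name}.certificate))")
        out.append(f"{child}private_key: (({name}.private_key))")
    return "\n".join(out) + "\n"


# Constructed sample: the relevant fragment of a concourse manifest, not a real file.
SAMPLE_MANIFEST = """\
instance_groups:
- name: web
  jobs:
  - name: web
    properties:
      tls:
        bind_port: 443
        cert: ((atc_tls))
"""

if __name__ == "__main__":
    for lineno, name in find_whole_cert_refs(SAMPLE_MANIFEST):
        print(f"line {lineno}: (({name})) is a whole-object reference and carries its ca part")
    print(split_cert_refs(SAMPLE_MANIFEST))
```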