Hi,
Is it possible to peer eureka nodes over https?
I have 2 Eureka nodes deployed on different hosts. I see that they are registered to each other. My microservice has Node 1 in its configuration and registered successfully to Node 1, but Node 1 is not syncing the microservice status to the peer node, Node 2. The same works well with HTTP.
In the logs I see a "bad certificate" error. So, is it even possible to peer Eureka nodes over HTTPS? Or could it be an issue with my certificates?
Comment From: spencergibb
It is possible. You need to either install the certificates in the JVM (easier, but environment specific), or configure them in the Jersey client used to peer (harder, but not env specific). I've not done it before, but maybe someone from @csterwa's team has done it?
Comment From: csterwa
Hello @asharani-m, there are two options that we have implemented for peer replication across foundations. The first of these is what we suggest:
- Add the CA certs for both foundations to the Java truststore of each. This should allow each side to validate the SSL certificate without error. Here is an article on doing this:
https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc
- This is not what we suggest but it is a way to make it work. You can write a certificate truster that will make it so SSL connections are not validated and you'll trust whatever cert comes through. This is not much better than using HTTP in the end and that is why we don't suggest it as a solution.
There is an implementation of this but as it says on that README it is highly discouraged.
https://github.com/pivotal-cf/cloudfoundry-certificate-truster
Hope this helps.
Comment From: asharani-m
@spencergibb / @csterwa Thank you for your response.
@csterwa I tried your suggestion. I see the following in the Eureka node when the peer tries to sync the details of the registered microservice:
Warning: no suitable certificate found - continuing without client authentication
Steps I followed:
- Create a cert for Eureka Node 1 on host1 (E1)
- Create a cert for Eureka Node 2 on host2 (E2)
- Create a cert for the microservice on host2 (M2)
- Import E1 into the keystore of Eureka Node 2
- Import E2 into the keystore of Eureka Node 1
- Import M2 into the keystore of Eureka Node 2 (I am registering M1 to E2)
- Mention the truststore and keystore locations while starting the application (via -Djavax.net.ssl*)
I tried multiple times and am not able to figure out the issue. This could be a question w.r.t. certificates, but any heads up is really appreciated. Thanks
Comment From: asharani-m
@csterwa
I progressed a little on this.
When Eureka node E1 and Eureka node E2 are started, I see the SSL handshake happening between the nodes successfully:
Cert Authorities:
When I bring up microservice M2, which is successfully registered to E2, E2 tries to sync with E1 about the status of M2. During this SSL handshake between E1 and E2, I see the error below:
Cert Authorities:
I have added the E1 cert to the trust store of E2.
Comment From: Sinisterish
> @csterwa I progressed a little on this. When Eureka node E1 and Eureka node E2 are started, I see the SSL handshake happening between the nodes successfully:
> Cert Authorities:
> *** ServerHelloDone
> matching alias: eurekaqa
> *** Certificate chain
> When I bring up microservice M2, which is successfully registered to E2, E2 tries to sync with E1 about the status of M2. During this SSL handshake between E1 and E2, I see the error below:
> Cert Authorities:
> *** ServerHelloDone
> Warning: no suitable certificate found - continuing without client authentication
> *** Certificate chain
> I have added the E1 cert to the trust store of E2.

I currently experience a similar issue. We have two separate Eureka nodes (different EC2s) with their certificates imported into the machine JVM; other services can successfully send heartbeats to Eureka, but replication between the Eureka nodes fails with bad_certificate.
Comment From: asharani-m
@Sinisterish I could not resolve this yet. @spencergibb / @csterwa: Any suggestions?
Comment From: csterwa
Hello @asharani-m, there are two steps where I think the wrong cert was imported into the Java truststore. Instead of the generated cert being imported into the Java truststore, the Certificate Authority (CA) cert that was used to generate the certificate should be imported into the other Java truststore. The idea is that it is made available to validate the cert during the handshake. I think this may be the issue. Can you try this and let us know if that is the case?
Comment From: asharani-m
@csterwa I used self signed certificate. What is "the Certificate Authority (CA) cert that was used to generate the certificate" in this case?
Comment From: csterwa
@asharani-m I see. This changes everything. I had thought you were using a generated certificate from a trusted Certificate Authority. Self-signed certificates are less secure since they are not validated with a third party CA.
For a self-signed certificate, the trusted cert itself needs to be added to the truststore of the JVM. Here is a sample of how to add each certificate to the truststore of the other side's JVM:
https://stackoverflow.com/questions/2893819/accept-servers-self-signed-ssl-certificate-in-java-client
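The two comments above make the same point from different angles: the certificate that has to be in a node's truststore is the issuing CA's certificate when the peer's cert was CA-issued, and the peer's own certificate when it is self-signed. The following stand-alone diagnostic is an added example, not code from Spring Cloud or Eureka, and the class name, file paths, password and PEM file name are assumptions. It reproduces the decision the JVM's default X509TrustManager makes when one Eureka node connects to its peer: it loads the truststore the node is started with, reads the peer's certificate chain from a PEM file (leaf first, as exported from the peer's keystore), says whether that chain validates, and tells you which certificate would need importing if it does not.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not part of Spring Cloud or Eureka). Checks whether the
 * certificate chain a peer Eureka node presents would be accepted by the
 * truststore the other node runs with, i.e. the same check JSSE performs
 * during the peer-replication TLS handshake.
 *
 * Usage (paths, password and file name are assumptions for this example):
 *   java TruststoreCheck /path/to/truststore.jks changeit peer-chain.pem
 */
public class TruststoreCheck {

    /** Load the truststore the node is started with (-Djavax.net.ssl.trustStore). */
    static KeyStore loadTruststore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Read every certificate in a PEM file; the peer's own cert must come first. */
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /** A self-signed cert names itself as issuer and verifies with its own public key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** The platform X509TrustManager backed by the given truststore. */
    static X509TrustManager trustManagerFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** authType strings JSSE uses per key algorithm; unknown values are rejected by the checker. */
    static String authTypeFor(X509Certificate leaf) {
        switch (leaf.getPublicKey().getAlgorithm()) {
            case "RSA": return "RSA";
            case "EC":  return "ECDHE_ECDSA";
            case "DSA": return "DHE_DSS";
            default:    return "UNKNOWN";
        }
    }

    /** Returns null when the chain is trusted, otherwise the validator's reason. */
    static String validate(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, authTypeFor(chain[0]));
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <truststore> <password> <peer-chain.pem>");
            System.exit(2);
        }
        KeyStore truststore = loadTruststore(args[0], args[1].toCharArray());
        X509Certificate[] chain = readChain(args[2]);
        X509Certificate leaf = chain[0];

        System.out.println("peer certificate: " + leaf.getSubjectX500Principal());
        System.out.println("issued by       : " + leaf.getIssuerX500Principal());
        // Which certificate belongs in the other node's truststore depends on how the leaf was issued.
        System.out.println(isSelfSigned(leaf)
            ? "self-signed: import this certificate itself into the other node's truststore"
            : "CA-issued: import the issuing CA certificate (not this leaf) into the other node's truststore");

        String problem = validate(trustManagerFor(truststore), chain);
        if (problem == null) {
            System.out.println("OK: the peer's chain validates against " + args[0]);
        } else {
            // A rejection here is what surfaces as a bad_certificate alert in the replication handshake.
            System.out.println("FAIL: " + problem);
            System.exit(1);
        }
    }
}
```

Run it once per direction (E1's truststore against E2's chain, and E2's truststore against E1's chain), since each node is the TLS client when it pushes registry updates to the other. Note that the "no suitable certificate found - continuing without client authentication" line quoted earlier in the thread is JSSE reporting on the client's keystore, not its truststore: the server asked for a client certificate and the client found none it could offer, which is a separate condition from the truststore validation this program exercises.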
Comment From: spring-cloud-issues
Closing due to age of the question. If you would like us to look at this issue, please comment and we will look at re-opening the issue.