Sensu-Go TLS and security configuration


#1

Hi, we’re trying to get our sensu-go backend up and running with TLS. I can’t get the peers to talk over etcd. I’m not using an external etcd cluster and I’m getting malformed net/http which makes me think it’s trying to communicate over http on an https endpoint. Any thoughts in this regard or an example backend.yml would help.

The error I’m trying to solve is the following:

My existing backend.yml is the following:

The certs I’m using have the CN of Agent and the IP SANs for both nodes in the cluster. (I have a 3rd unconfigured node). These are self-signed certs from our Hashicorp vault CA. All nodes are Ubuntu 18.04 running Sensu-Go 5.1. I’m most concerned I’m missing a “hidden” configuration parameter.


#2

I’ve recently tried changing the cluster token to spawn a new etcd raft db and I’ve also shut down the cluster and deleted the existing data store to ensure there are no old messages floating around. I’ve also added etcd-client-cert-auth: true to the backend.yml to no effect.

The cluster does bootstrap if I comment out all of the TLS config lines (lines 23-35) and change all the endpoints to HTTP.


#3

Hello @Darth.Scrumlord,

Looking over your configuration, nothing is immediately standing out to me as incorrect.

Here is a backend.yml that works for me:

---
##
# general configuration
##
state-dir: "/var/lib/sensu/sensu-backend"

##
# agent configuration
##
#agent-host: "[::]" # listen on all IPv4 and IPv6 addresses
#agent-port: 8081

##
# api configuration
##
#api-host: "[::]" # listen on all IPv4 and IPv6 addresses
#api-port: 8080
api-url: "https://10.0.0.1:8080"


##
# dashboard ssl configuration
##
cert-file: "/etc/sensu/certs/backend-1.pem"
key-file: "/etc/sensu/certs/backend-1-key.pem"
trusted-ca-file: "/etc/pki/ca-trust/source/anchors/ca.pem"

##
# etcd ssl configuration
##
etcd-cert-file: "/etc/sensu/certs/backend-1.pem"
etcd-key-file: "/etc/sensu/certs/backend-1-key.pem"
etcd-trusted-ca-file: "/etc/pki/ca-trust/source/anchors/ca.pem"
etcd-client-cert-auth: true

etcd-peer-cert-file: "/etc/sensu/certs/backend-1.pem"
etcd-peer-key-file: "/etc/sensu/certs/backend-1-key.pem"
etcd-peer-trusted-ca-file: "/etc/pki/ca-trust/source/anchors/ca.pem"
etcd-peer-client-cert-auth: true
#insecure-skip-tls-verify: false

##
# store configuration for backend-1/10.0.0.1
##

etcd-listen-client-urls: "https://10.0.0.1:2379"
etcd-advertise-client-urls: "https://10.0.0.1:2379"
etcd-listen-peer-urls: "https://10.0.0.1:2380"
etcd-initial-cluster: "backend-1=https://10.0.0.1:2380,backend-2=https://10.0.0.2:2380,backend-3=https://10.0.0.3:2380"
etcd-initial-advertise-peer-urls: "https://10.0.0.1:2380"
etcd-initial-cluster-state: "new"
#etcd-initial-cluster-token: "sensu"
etcd-name: "backend-1"

##
# dashboard configuration
##
#dashboard-host: "[::]" # listen on all IPv4 and IPv6 addresses
#dashboard-port: 3000

##
# other
##
#config-file: ""
#debug: false
#deregistration-handler: ""
#log-level: "warn"

The only difference I see is the value for state-dir being /var/lib/sensu/sensu-backend in my example.

What operating system are the backends running on? Your certs could also be the source. I know the error you are getting, as I’ve run into it myself a few times for different reasons.

Regards,
Richard.
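A consistency check worth running over a backend.yml like the one above before bootstrapping again (an added example, not Sensu’s or Richard’s code): it reads the flat key/value lines without PyYAML, flags every etcd URL whose scheme contradicts the TLS settings (the http-on-https mismatch the original post suspects), confirms that etcd-name is listed in etcd-initial-cluster with the same peer URL it advertises, and lists the hosts the certificate must carry as IP SANs. The sample config is constructed from the working one above.

```python
import re
from urllib.parse import urlsplit
# Constructed sample from the working config above; backend-2 is deliberately left on http://.
SAMPLE = """
etcd-cert-file: "/etc/sensu/certs/backend-1.pem"
etcd-listen-client-urls: "https://10.0.0.1:2379"
etcd-initial-cluster: "backend-1=https://10.0.0.1:2380,backend-2=http://10.0.0.2:2380"
etcd-initial-advertise-peer-urls: "https://10.0.0.1:2380"
etcd-name: "backend-1"
"""
URL_KEYS = ("etcd-listen-client-urls", "etcd-advertise-client-urls",
            "etcd-listen-peer-urls", "etcd-initial-advertise-peer-urls")
def parse_flat_yaml(text):
    """Minimal reader for the flat key: "value" lines backend.yml uses (no PyYAML needed)."""
    cfg = {}
    for line in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        m = re.match(r'^([\w-]+):\s*"?([^"]*?)"?$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def members_of(cfg):
    """{name: peer_url} parsed from etcd-initial-cluster."""
    pairs = (item.partition("=") for item in cfg.get("etcd-initial-cluster", "").split(","))
    return {n.strip(): u.strip() for n, _, u in pairs if n.strip()}

def all_urls(cfg):
    """Yield (setting, url) for every etcd endpoint in the config, cluster members included."""
    for key in URL_KEYS:
        for url in filter(None, cfg.get(key, "").split(",")):
            yield key, url
    for name, url in members_of(cfg).items():
        yield f"etcd-initial-cluster[{name}]", url

def check_etcd_tls(cfg):
    """Report endpoints whose scheme contradicts the TLS settings, plus membership slips."""
    want = "https" if cfg.get("etcd-cert-file") or cfg.get("etcd-peer-cert-file") else "http"
    problems = [f"{key}: {url} should use {want}://"
                for key, url in all_urls(cfg) if urlsplit(url).scheme != want]
    me, members = cfg.get("etcd-name"), members_of(cfg)
    if me not in members:
        problems.append(f"etcd-name {me!r} is not listed in etcd-initial-cluster")
    elif members[me] != cfg.get("etcd-initial-advertise-peer-urls"):
        problems.append(f"{me}: etcd-initial-cluster and etcd-initial-advertise-peer-urls disagree")
    return problems

def san_hosts_required(cfg):  # hosts the cert must carry as SANs; wildcard binds excluded
    hosts = {urlsplit(url).hostname for _, url in all_urls(cfg)}
    return sorted(h for h in hosts if h and h not in ("0.0.0.0", "::"))
```

Run `check_etcd_tls(parse_flat_yaml(open("/etc/sensu/backend.yml").read()))` on each backend; an empty list means the schemes and membership agree, and `san_hosts_required` tells you which IPs to compare against the certificate's SAN list.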


#4

All of the backends are running Ubuntu 16.04 currently. I just recreated all the instances the other day and I’ve moved the state-dir to /var/lib/sensu/sensu-backend since that’s now the default with 5.1.1. I was having plenty of problems getting the cluster to talk even without TLS after doing some additional tests.

Now I have 2 members talking without TLS with new hosts and new data store. I’ll try to convert it to TLS again and see what happens.