When there's a single invalid certificate in the consul certificate store in use by fabio, all the other certificates in the store will not be refreshed.
Upon a fresh start of fabio (like a server reboot), this causes no single ssl endpoint to function anymore.
Steps to reproduce
We're running fabio using the fabiolb/fabio:latest image from Docker Hub on a Nomad cluster as a system job (running on every worker node).
First off, here's the used config loaded into /etc/fabio/fabio.properties within the container from a nomad template:
The certificates are loaded into /certs within consul as bundles, so /certs/example.com.pem contains the full chain including the private key.
To replicate the issue, insert a single certificate where the private key does not match the certificate. This will result in fabio not loading any certificates.
Expected result
Fabio to load all valid certificates and ignore/skip the invalid certificates, allowing domains for which valid certificates are available to continue to function.
Actual result
Fabio refuses to load or update any certificate, causing all services it's load balancing to fail upon SSL initialization because it fails to find a valid certificate for the servername indicated by SNI.
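The behaviour requested under "Expected result", sketched as an added example that is not fabio's code or part of the original report: each bundle is parsed on its own, and a key/certificate mismatch is recorded and skipped instead of aborting the whole refresh. The function names and the `/certs/broken.example.pem` key are hypothetical, and the certificates are throwaway test material generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadBundles parses each PEM bundle (chain + key) on its own. A bundle that
// fails, e.g. key/certificate mismatch, lands in bad and never blocks the rest.
func LoadBundles(bundles map[string][]byte) (good map[string]tls.Certificate, bad map[string]error) {
	good, bad = map[string]tls.Certificate{}, map[string]error{}
	for name, b := range bundles {
		// X509KeyPair reads both PEM types from b and checks the key against the leaf.
		if c, err := tls.X509KeyPair(b, b); err != nil {
			bad[name] = err
		} else {
			good[name] = c
		}
	}
	return good, bad
}
// selfSigned returns a throwaway certificate and key (constructed test data).
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	kb, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})
}
// SampleStore is a constructed KV listing: one valid bundle, one mismatched.
func SampleStore() map[string][]byte {
	c1, k1 := selfSigned("example.com")
	c2, _ := selfSigned("broken.example")
	return map[string][]byte{"/certs/example.com.pem": append(c1, k1...), "/certs/broken.example.pem": append(c2, k1...)}
}
func main() {
	good, bad := LoadBundles(SampleStore())
	fmt.Println(len(good), "loaded,", len(bad), "skipped:", bad)
}
```

The same per-bundle check can run before a bundle is written to the KV store, so a mismatched key is rejected at upload time rather than discovered at the next restart.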