TLS errors into bosh director nats #2
Description
My team been using nats_to_syslog for a long time against nats on older bosh directors... With a new director, it appears that the director requires TLS and so we're trying to play along. The adventure thus far:
- Got
nats: secure connection required errorand so we updated our URL prefix to betls://instead ofnats:// - Then got
x509: certificate signed by unknown authority, resolved by placing the NATS server CA cert on the host running nats_to_syslog - Now seeing
remote error: bad certificate, presumably due to having an IP address in our URL but the cert having CN ofdefault.nats-ca.bosh-internal(and no subject alternative names matching the IP address)
I see that Golang offers a brute force way to allow insecure TLS via InsecureSkipVerify. That is appropriate for our use case (several layers deep within private networks) but not aligned with the "greater good" if we submit a PR back to master.
Some internet sleuthing suggests that Golang offers a way to specify expected server name in cases where reaching TLS server via IP address. Per this on StackOverflow, it seems that we could have the app allow a server name such as default.nats-ca.bosh-internal to be passed in via argument, and then internally it could set tls.Config.ServerName to this value. Or have a "resolve" argument similar to curl --resolve, where one could use the cert-matching name in the URL but provide the desired name-to-IP mapping.
Any advice on how to proceed?
Thanks!