Access consul web interface with verify_incoming = true

If I understand correctly, verify_incoming means that consul is going to check the client-side tls certificate of an incoming connection. If I set this to “true”, I can still connect to the database and see all policies etc. from all the three nodes of the cluster.

On the other hand, if I want to connect to the web interface over https (port 8501), consul refuses to display anything, I’m guessing because it expects a client-side certificate. How do you go about solving this issue? Are you expected to install a client-side certificate on your local computer that consul accepts or am I misinterpreting something?

Hi @lethargosapatheia,

Setting verify_incoming = true configures Consul to require TLS client certificates for connections received on both the RPC port and HTTPS API. In order to allow HTTPS clients to access the API without providing a certificate, you will need to set verify_incoming = false.

You may set verify_incoming_rpc = true to re-enable mTLS for RPC traffic.

Step 2, option 2 of the following tutorial will walk you through this configuration change.

Secure Consul Agent Communication with Encryption and Certificates: Configure the Consul UI for HTTPS

1 Like

I was able to fix this via these instructions

I did not have to set false to any of the verify_incoming settings
nor did I have to disable dns over https in firefox

I use cfssl to create the cert files, and this is the copypasta I use:

openssl pkcs12 -export -in client-0.pem -inkey client-0-key.pem -out client-0.p12

I then installed the .p12 certificate in firefox

for more information on how i automated the process check these docs