ACL required for auto_encrypt

Hello,

I’m working through Learn Consul, and stumbling on combining both full TLS and deny-by-default ACLs. I have generated a new CA and server certs for my three server nodes by hand, but want to rely on auto-provisioning for any other clients; both the auto_encrypt setting, and to have any new client create its own ACL to write to itself. This is using the CA inside Consul for now, no Vault.

If I leave ACLs enabled on the servers, no agent can “upgrade” its connection from HTTP to HTTPS using AutoEncrypt:

2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: retrying AutoEncrypt in 1m1.155019248s

If I disable ACLs on the servers, AutoEncrypt works fine and the client joins the cluster.

To me this indicates some other (global?) ACL is needed to allow a new client to use the AutoEncrypt feature. I can’t find a mention of what that is though.

Server Config and Client Config. Consul v1.6.2.

I’ve found that what’s needed is for the new client to have its own node ACL set up first:

node "new_client" {
  policy = "write"
}

I was trying to create this ACL when provisioning the Consul client using Puppet. I wasn’t able to speak to the local Consul daemon to create the ACL because TLS wasn’t coming up, and it wasn’t coming up because the ACL wasn’t in place… Chicken and egg.

It seems I need to pre-provision the ACL for the client first and pass it to the client in the config file.

The documentation mentions the ACL requirement here: https://www.consul.io/docs/agent/options.html#tls. I agree that it is not that obvious.
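As an added example (not part of the original thread), the pre-provisioning workflow the last post describes can be scripted from an operator host: create the node-scoped policy, mint an agent token bound to it, and bake that token into the client's config so the agent holds an ACL identity before its first AutoEncrypt RPC. The script assumes the Consul CLI is on the path with a management token in CONSUL_HTTP_TOKEN, and that the CA file path passed in is the one the servers were configured with; the policy name, output paths and the awk parsing of the CLI's plain-text output are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Assumes: consul CLI reachable,
# CONSUL_HTTP_TOKEN holds a management token, and the CA file argument is the
# cluster CA (placeholder paths below).

# Rules for the node-identity policy from the post: write only on the node's own name.
node_policy_rules() {
  printf 'node "%s" {\n  policy = "write"\n}\n' "$1"
}

# Client agent config carrying the pre-provisioned agent token, so the agent can
# complete AutoEncrypt over the insecure RPC before any local ACL write is possible.
# ca_file + verify_outgoing let the client verify the servers before trusting the
# certificate AutoEncrypt hands back.
client_config_json() {
  printf '{\n  "node_name": "%s",\n  "verify_outgoing": true,\n  "ca_file": "%s",\n  "auto_encrypt": { "tls": true },\n  "acl": {\n    "enabled": true,\n    "default_policy": "deny",\n    "tokens": { "agent": "%s" }\n  }\n}\n' "$1" "$2" "$3"
}

# Provisioning step, run on an operator host against the servers.
# Usage: provision_client <node_name> <ca_file_path> [output_dir]
provision_client() {
  node="$1"; ca="$2"; outdir="${3:-.}"
  node_policy_rules "$node" > "$outdir/$node-policy.hcl"
  # Policy name "node-<name>" is an assumption of this example.
  consul acl policy create -name "node-$node" -rules "@$outdir/$node-policy.hcl" >/dev/null
  # The CLI prints "SecretID:  <uuid>" on its own line; take that field as the agent token.
  token=$(consul acl token create -description "agent token for $node" \
            -policy-name "node-$node" | awk '/^SecretID:/ { print $2 }')
  [ -n "$token" ] || { echo "token creation failed for $node" >&2; return 1; }
  client_config_json "$node" "$ca" "$token" > "$outdir/$node-client.json"
  echo "$outdir/$node-client.json"
}

# Only contact Consul when explicitly asked, e.g.:
#   sh provision.sh provision new_client /etc/consul.d/consul_ca.pem /tmp
case "${1:-}" in
  provision) provision_client "$2" "$3" "${4:-.}" ;;
esac
```

The generated JSON is what Puppet (or any config management) would drop into the client's config directory before starting the agent; the token it contains grants nothing beyond write on that one node name, which is the minimum the AutoEncrypt call needs.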