ACL required for auto_encrypt

Hello,

I’m working through Learn Consul, and stumbling on combining both full TLS and deny-by-default ACLs. I have generated a new CA and server certs for my three server nodes by hand, but want to rely on auto-provisioning for any other clients; both the auto_encrypt setting, and to have any new client create its own ACL to write to itself. This is using the CA inside Consul for now, no Vault.

If I leave ACLs enabled on the servers, no agent can “upgrade” its connection from HTTP to HTTPS using AutoEncrypt:

2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: AutoEncrypt failed: rpcinsecure error making call: rpcinsecure error making call: Permission denied
2020/01/19 18:35:34 [WARN] agent: retrying AutoEncrypt in 1m1.155019248s

If I disable ACLs on the servers, AutoEncrypt works fine and the client joins the cluster.

To me this indicates some other (global?) ACL is needed to allow a new client to use the AutoEncrypt feature. I can’t find a mention of what that is though.

Server Config and Client Config. Consul v1.6.2.

I’ve found that what’s needed is for the new client to have its own node ACL set up first:

node "new_client" {
  policy = "write"
}

I was trying to create this ACL when provisioning the consul client using Puppet. I wasn’t able to speak to the local consul daemon to create the ACL because TLS wasn’t coming up, and it wasn’t coming up because the ACL wasn’t in place… Chicken and egg.

It seems I need to pre-provision the ACL for the client first and pass it to the client in the config file.

The documentation mentions the ACL requirement here: https://www.consul.io/docs/agent/options.html#tls. I agree that it is not that obvious.

I did create the policy in the server as you suggested, but I still got the same error. When you say we need to also set up that ACL in the client/agent, how exactly do we do that? I’m just starting with consul.

In my setup, I have consul server running and agents as well, all in a kubernetes cluster, using the hashicorp official helm chart for consul. But now I am trying to install the agent/client in a separate VM to sync with that kubernetes cluster. They can talk to each other, but the command to start the agent fails with that message:

[WARN] agent: AutoEncrypt failed: rpcinsecure error making call: rpcinsecure error making call: Permission denied

What should I do on this client side?

Did you ever resolve this? I have the same issue with the same env: k8s works fine, but the external VM with the client gets this error.

Hi @deeco,

Welcome to the Forums!

The following steps will help you solve this issue.

  1. Create an ACL Policy with node_prefix:write

    # file: vm-agents-policy.hcl
    node_prefix "" {
        policy = "write"
    }
    service_prefix "" {
        policy = "read"
    }

    $ consul acl policy create -name vm-agents-policy -description 'Agent policy for VMs' -rules @vm-agents-policy.hcl
    

    NOTE: You can use node <node_name> { policy = "write" } instead of node_prefix above if you know the node name in advance and if you intend to use a separate token per Consul VM agent.

  2. Create a token based on the above policy

    $ consul acl token create -description "Token for VM Agents" -policy-name vm-agents-policy
    
  3. Update the client ACL configuration by adding the above agent token and restart the Consul service.

    acl {
        ... your existing configurations
        tokens {
            agent = "<token from the above command>"
        }
    }

    # If you are managing Consul under systemd
    $ sudo systemctl restart consul
    

Please let me know if this works for you.
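The steps above, and the pre-provisioning the original poster landed on, as one script run on a Consul server. This is an added example, not code from the thread or from HashiCorp; it assumes the consul CLI and jq are installed, CONSUL_HTTP_TOKEN holds a management token, and the CA file path on the client is /etc/consul.d/consul-agent-ca.pem (adjust to your own).

```shell
#!/usr/bin/env bash
# Added example: create a per-node policy and agent token on the server, then
# render the client's config so the agent token is present before the agent
# ever starts (avoiding the TLS/ACL chicken-and-egg described in the thread).
set -eu

# Per-node policy: write on exactly this node, read on services.
render_node_policy() {
  node="$1"
  cat <<EOF
node "${node}" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
EOF
}

# Client config: auto_encrypt needs verify_outgoing plus the cluster CA; the
# pre-provisioned agent token is what lets the AutoEncrypt RPC pass ACL checks.
render_agent_config() {
  token="$1"; node="$2"
  cat <<EOF
node_name = "${node}"
verify_outgoing = true
ca_file = "/etc/consul.d/consul-agent-ca.pem"   # assumed path
auto_encrypt {
  tls = true
}
acl {
  enabled = true
  default_policy = "deny"
  tokens {
    agent = "${token}"
  }
}
EOF
}

# Server side: policy rules come in on stdin ('-rules -'); print the SecretID.
provision_agent_token() {
  node="$1"
  render_node_policy "$node" | consul acl policy create -name "agent-${node}" -rules - >/dev/null
  json="$(consul acl token create -description "Agent token for ${node}" \
            -policy-name "agent-${node}" -format=json)"
  printf '%s' "$json" | jq -r '.SecretID'
}

if [ "$#" -ge 1 ]; then
  node="$1"; out="${2:-./${node}-agent.hcl}"
  token="$(provision_agent_token "$node")"
  render_agent_config "$token" "$node" > "$out"
  echo "wrote $out; copy it to ${node}:/etc/consul.d/ and restart the agent there"
fi
```

Run as `./provision-agent.sh vm-01` on a server; the rendered file goes onto the VM before its first start, so no call to the local agent is needed to bootstrap its ACL.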