Hi team
We are trying to enable HTTPS for our Consul server. We are using 3 VMs and have created a certificate for the 3 VMs with server.dc1.consul as a SAN name, and we get the below error while starting the service:
error=“rpc error getting client: failed to get conn: x509: certificate is valid for not server.dc1.consul”
Hi team
We are getting the above error while creating the cert; please help.
Hi @midhunkonduru ,
I recommend following the below learn guide to set up TLS for your Consul cluster.
ref: Secure Consul Agent Communication with TLS Encryption | Consul - HashiCorp Learn
Are you using the `consul tls` utility to create certificates, or a different CA? Could you share the output of `openssl x509 -text -noout -in <your cert file>` so we can see whether the cert is created correctly or not?
Hi Ranjandas -
We're using our own CA; please find it below.
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3950248586654000806 (0x36d21a29060026a6)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=MyCompany Corporate Authentication CA 1, OU=Certification Authority, O=MyCompany Inc., C=US
Validity
Not Before: Jul 19 23:49:57 2022 GMT
Not After : Aug 17 23:49:56 2024 GMT
Subject: UID=identity:idms.group.1234769, CN=server.dc1.consul, OU=management:idms.group.1234769, O=MyCompany Inc., DC=Certificate Manager
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:0e:8b:f9:1c:19:96:d3:f6:49:02:bd:f7:a8:
32:bc:c0:fe:ab:35:61:d3:f5:ca:5e:92:7f:46:d0:
5b:5c:92:3e:51:b7:e4:6f:b4:9d:44:46:47:e0:68:
0b:e7:6b:dc:32:2a:89:22:ef:ba:5f:85:a4:14:df:
1a:40:ca:ce:45:19:1c:40:de:eb:9f:50:67:c0:c5:
6c:52:1c:d0:39:88:1e:2f:5a:48:51:20:19:c2:37:
71:1c:98:ba:c4:8b:44:bf:32:75:4b:d8:80:e4:4f:
d9:1d:dc:a9:3a:41:2c:ea:8a:ad:93:cf:f1:38:97:
9e:13:d4:a6:1a:b4:f0:d5:87:af:6d:e9:cc:55:1d:
5c:9e:6f:d4:b5:9c:04:0f:7d:50:77:3a:14:c2:af:
20:f3:3e:6c:02:95:c2:76:66:4f:f0:1c:d8:a1:67:
ac:0c:ba:25:9d:d0:c3:a5:4d:ea:b9:a7:ef:64:48:
da:8a:b8:db:e9:3c:40:67:19:83:69:6c:91:d8:69:
2f:00:c7:ad:9a:3d:40:32:ad:56:6a:ce:54:9a:41:
71:d6:e9:43:87:2b:8c:4b:42:d2:a1:b9:24:6e:8c:
06:13:05:69:ec:26:5a:00:b3:d5:df:23:ef:f2:9f:
09:97:45:47:10:14:ee:a2:e4:e1:83:e2:98:a4:4c:
d3:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:16:20:71:2F:3F:7F:73:F3:E1:7A:BB:EC:49:7F:57:94:ED:93:B1:9F
Authority Information Access:
CA Issuers - URI:http://certs.MyCompany.com/corpauthca1.der
OCSP - URI:http://ocsp.MyCompany.com/ocsp03-corpauth109
X509v3 Subject Alternative Name:
DNS:rn2-foobar-lapp60.rno.MyCompany.com, DNS:server.dc1.consul, DNS:rn2-foobar-lapp116.rno.MyCompany.com, DNS:rn2-foobar-lapp49.rno.MyCompany.com, DNS:rn2-foobar-lapp115.rno.MyCompany.com
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.MyCompany.com/corpauthca1.crl
X509v3 Subject Key Identifier:
D6:7B:A0:89:5D:06:09:EB:2C:4D:D6:05:47:B3:31:B3:C1:0C:46:E0
X509v3 Key Usage: critical
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
6f:91:2a:fa:5f:4b:f0:a1:6d:7c:2a:5f:d6:f5:31:01:76:c5:
07:fe:cd:6c:fd:10:7a:51:8d:db:56:c3:39:39:b9:2b:13:ef:
e5:f2:5b:af:c5:3e:c3:bb:8a:52:79:76:af:ec:b5:d5:02:e0:
42:31:52:f6:ff:4b:bc:34:c0:bd:8b:7a:bc:47:c5:55:56:0a:
68:06:18:89:01:a5:d7:a1:0c:2a:8c:0f:2a:08:d6:36:65:fd:
e4:3a:c7:e6:1f:ce:61:4b:73:83:ed:8c:ac:11:e4:4b:b7:74:
68:bd:33:e0:6e:dc:a3:f2:5a:ed:33:a4:82:13:6e:61:af:1d:
cf:01:e7:56:a5:d5:ed:e0:d3:df:c2:0b:0a:86:b5:04:3e:1c:
96:73:04:94:f5:08:b2:38:a8:bd:40:15:2b:58:74:e3:12:be:
17:f5:d7:f7:fb:e7:ba:f9:0c:55:a8:db:80:fa:55:24:7f:32:
f0:f4:8f:b1:4c:48:6d:fc:35:47:a7:28:1a:b1:9f:0b:5e:a8:
43:4f:8b:79:67:1b:1c:dd:ac:88:11:01:ae:eb:31:82:01:42:
17:b6:48:e8:7d:28:c6:dc:38:22:55:4b:02:14:c7:8f:7b:f3:
5b:b0:6c:78:c3:35:d8:23:52:da:78:17:7b:92:a7:2d:38:3c:
1f:d4:d7:6b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```
Hi @durgadeep ,
From the certificate, it looks like you have `server.dc1.consul` in the SAN, and I don't expect to see the error that @midhunkonduru posted. Could you verify again?
However, I can see that you only have `TLS Web Client Authentication` for the Extended Key Usage, which would give you errors similar to what is mentioned in this post (Consul Client join consul servers cluster | certificate error - #2 by maxb).
> durgadeep:
> CN=server.dc1.consul
@Ranjandas - thanks for your prompt responses. Our CA (MyCompany.com) doesn't allow this CN=server.dc1.consul - is there a way we can make changes in Consul to use server.dc1.consul.mycompany.com?
That way these certs are honored by our Certificate Authority.
@durgadeep, `server.dc1.consul` need not be in the CN; having it in the SAN is enough. Are you still getting the error that says the certificate is invalid for `server.dc1.consul`? Did you restart the agents after installing the certificates? Sharing the recent logs would help to understand your current situation better.
You could also try setting `verify_server_hostname=false` (only for testing; this is recommended to be `true` in production) and reload the agents to see whether the cert is OK from other aspects.
ref: Consul Agent Configuration Reference | Consul by HashiCorp
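The two failure modes discussed in this thread (the expected name missing from the SAN list, and an Extended Key Usage that only contains TLS Web Client Authentication) are both decisions made by Go's `crypto/x509` verifier, which is what a Consul agent uses when `verify_server_hostname` is true. The following Go program is an added example, not code from the thread or from Consul: it issues leaf certificates from a throwaway in-memory CA and verifies each one against `server.dc1.consul` exactly the way a Go TLS client does, so you can see which combination of SAN and EKU produces which error. The hostnames in the SAN lists and the CA name are constructed values; `ExpectedName`, `Scenario` and `Classify` are names chosen for this example. Since Go 1.15 the hostname check matches only the SAN entries, which is why, as Ranjandas says, the CN does not need to carry `server.dc1.consul`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExpectedName is what every agent in datacenter dc1 expects a server to present.
const ExpectedName = "server.dc1.consul"

// Constructed SAN lists and EKU sets mirroring the combinations in the thread.
var (
	SANsWithConsulName    = []string{"node1.example.internal", ExpectedName}
	SANsWithoutConsulName = []string{"node1.example.internal"}
	EKUServerAndClient    = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	EKUClientOnly         = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
)

// issue signs a leaf with a throwaway in-memory CA (ephemeral P-256 keys,
// nothing written to disk) and returns the root pool plus the parsed leaf.
func issue(sans []string, eku []x509.ExtKeyUsage) (*x509.CertPool, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Throwaway Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// The CN is deliberately not the Consul name: only the SAN list is matched.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "consul-server-node1"},
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leaf, nil
}

// Classify maps a verification error onto the two failure modes from the thread.
func Classify(err error) string {
	var hn x509.HostnameError
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "hostname-mismatch" // "certificate is valid for ..., not server.dc1.consul"
	case errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage:
		return "incompatible-key-usage" // EKU lacks TLS Web Server Authentication
	default:
		return "other"
	}
}

// Scenario issues a leaf with the given SANs/EKUs and verifies it as a Go TLS
// client would: chain to the CA, require serverAuth, match ExpectedName to SANs.
// It returns the verdict, the raw verifier message, and any setup error.
func Scenario(sans []string, eku []x509.ExtKeyUsage) (string, string, error) {
	roots, leaf, err := issue(sans, eku)
	if err != nil {
		return "", "", err
	}
	_, verr := leaf.Verify(x509.VerifyOptions{
		DNSName:   ExpectedName,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	detail := ""
	if verr != nil {
		detail = verr.Error()
	}
	return Classify(verr), detail, nil
}

func main() {
	fmt.Println("SAN present, serverAuth+clientAuth:", fmt.Sprint(Scenario(SANsWithConsulName, EKUServerAndClient)))
	fmt.Println("SAN present, clientAuth only (like the posted cert):", fmt.Sprint(Scenario(SANsWithConsulName, EKUClientOnly)))
	fmt.Println("SAN missing the Consul name:", fmt.Sprint(Scenario(SANsWithoutConsulName, EKUServerAndClient)))
}
```

Note the order of checks: the hostname is matched before the EKU is examined, so a certificate that is missing `server.dc1.consul` from its SAN list fails with the "valid for ..., not ..." message even when its EKU is also wrong, and only once the SAN is fixed does the client-only EKU surface as an incompatible key usage. Setting `verify_server_hostname=false` skips just the first check; the EKU requirement still applies.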