Auto-Config Cert Issuer

I’m using auto-config in my Consul cluster, and my clients are being issued certs from a CA that is not the one we’ve configured.

On a client I run:

```
sudo cat /var/lib/consul/auto-config.json | jq -r '.Certificate.CertPEM'
<decode cert>
Issued By: pri-1tt5rvu.consul.ca.e96f5652.consul
```

The Server cert is:

* Common Name: server.us-central1-dev.consul
* SAN: consul01.c.consul-infra-dev.internal.server.us-central1-dev.consul, server.us-central1-dev.consul, localhost, IP Address:127.0.0.1

The CA is:

* Common Name: Consul SA
* SAN: NA

Where is the CA certificate that’s signing these client certs?

Background:
I discovered this while testing disaster recovery scenarios. After restoring a cluster, I was getting a lot of `[ERROR] agent.server.rpc: failed to read byte: conn=from=10.248.3.197:40557 error="tls: failed to verify client certificate: x509: certificate signed by unknown authority"` errors. I need to back up this cert or somehow make sure it's still trusted after a restore.

Hi @kornface13, these certificates are being provisioned from the Connect CA, specifically the built-in CA provider since you haven't configured one of the other CA providers.

The certificate and private key are stored within Consul (the latter of which cannot be exported). This data will be saved in any backups you take using consul snapshot, and will correspondingly be restored into the cluster when the snapshot is restored.
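One way to confirm this relationship after a restore, as an added example that is not from this thread or from Consul's own code: parse the client cert out of auto-config.json (the `.Certificate.CertPEM` field from the post) and check that it chains to a root from the Connect CA. The roots payload shape (`Roots[].RootCert`) is assumed from Consul's `/v1/connect/ca/roots` HTTP API, and the certificates here are constructed inline so the check runs offline; in practice the two inputs come from the agent file and that API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// TrustedBy parses the auto-config client cert and reports its issuer CN and whether it chains to a Connect CA root.
func TrustedBy(autoCfg, rootsJSON []byte) (issuer string, ok bool, err error) {
	// Only the fields the check needs: CertPEM as in the post's jq query, RootCert as in /v1/connect/ca/roots (assumed).
	var ac struct{ Certificate struct{ CertPEM string } }
	var roots struct{ Roots []struct{ RootCert string } }
	if err = json.Unmarshal(autoCfg, &ac); err != nil { return }
	if err = json.Unmarshal(rootsJSON, &roots); err != nil { return }
	blk, _ := pem.Decode([]byte(ac.Certificate.CertPEM))
	if blk == nil { return "", false, errors.New("Certificate.CertPEM holds no PEM block") }
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil { return }
	pool := x509.NewCertPool()
	for _, r := range roots.Roots { pool.AppendCertsFromPEM([]byte(r.RootCert)) }
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return leaf.Issuer.CommonName, verr == nil, nil // false after a restore that lost the issuing CA
}

// mkCert builds constructed material only: a self-signed CA when parent is nil, else a client cert signed by parent.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent, pkey = t, key } // self-sign the CA
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SampleInputs: the client cert is always issued by constructed CA "A"; the roots payload carries A (healthy
// cluster) or an unrelated CA "B" (the "certificate signed by unknown authority" case from the post).
func SampleInputs(sameCA bool) (autoCfg, rootsJSON []byte) {
	caA, keyA, rootPEM := mkCert("pri-constructed.consul.ca.constructed.consul", nil, nil)
	_, _, leafPEM := mkCert("client.agent.us-central1-dev.consul", caA, keyA)
	if !sameCA { _, _, rootPEM = mkCert("pri-other.consul.ca.constructed.consul", nil, nil) }
	autoCfg, _ = json.Marshal(map[string]interface{}{"Certificate": map[string]string{"CertPEM": leafPEM}})
	rootsJSON, _ = json.Marshal(map[string]interface{}{"Roots": []map[string]string{{"RootCert": rootPEM}}})
	return
}
```

Run with the real files by feeding `TrustedBy` the contents of auto-config.json and the roots API response; an issuer CN that does not appear among the roots is exactly the post-restore mismatch to look for.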

That's great info. Thanks Blake. I'll dig more into these individual certificates to see if I can determine why some of the previously registered instances work fine, while others show cert issues after a snapshot restore.