Confused about auto_encrypt

I wanted to try out the auto_encrypt feature of Consul, and I tried the follow config:

  "datacenter": "hic",
  "node_name": "server-01",
  "rejoin_after_leave": true,
  "domain": "consul",
  "advertise_addr": "",
  "server": true,
  "bootstrap_expect": 1,
  "data_dir": "/Users/jeroenjacobs/consul_test",
  "disable_remote_exec": true,

  "ports": {
    "https": 8501,
    "http": 8500

  "connect": {
    "enabled": true

  "auto_encrypt": {
    "allow_tls": true,
    "tls": true
  "verify_outgoing": false,
  "verify_incoming": false,
  "verify_incoming_rpc": true,
  "enable_local_script_checks": true

However, This results in an error on startup:

==> Error starting agent: VerifyIncoming set, and no CA certificate provided!
    2019/09/24 14:42:49 [INFO] agent: Exit code: 1

I don’t understand this. Unless I’m mistaken, auto_encrypt uses the built-in Consul Connect CA. The CA keypair is therefore managed by Consul itself.

Where am I supposed to get the public CA certificate?

I’m also confused how new clients join the cluster when auto_encrypt is enabled. How do clients get their initial TLS configuration? Does this mean plain HTTP needs to be enabled all the time, so new clients can “tls-bootstrap” themselves? If so, isn’t this a security risk?

I find the documentation very unclear and confusing regarding to auto_encrypt.


thanks for reaching out! I think the major confusion comes from a simple misunderstanding: right now auto_encrypt can only bootstrap TLS for Consul clients. You are booting a Consul server, which still needs manual TLS setup.

Does that help? Thanks,