Confused about auto_encrypt

I wanted to try out the auto_encrypt feature of Consul, and I tried the following config:

{
  "datacenter": "hic",
  "node_name": "server-01",
  "rejoin_after_leave": true,
  "domain": "consul",
  "advertise_addr": "127.0.0.1",
  "server": true,
  "bootstrap_expect": 1,
  "data_dir": "/Users/jeroenjacobs/consul_test",
  "disable_remote_exec": true,

  "ports": {
    "https": 8501,
    "http": 8500
  },

  "connect": {
    "enabled": true
  },

  "auto_encrypt": {
    "allow_tls": true,
    "tls": true
  },
  "verify_outgoing": false,
  "verify_incoming": false,
  "verify_incoming_rpc": true,
  "enable_local_script_checks": true
}

However, this results in an error on startup:

==> Error starting agent: VerifyIncoming set, and no CA certificate provided!
    2019/09/24 14:42:49 [INFO] agent: Exit code: 1

I don’t understand this. Unless I’m mistaken, auto_encrypt uses the built-in Consul Connect CA. The CA keypair is therefore managed by Consul itself.

Where am I supposed to get the public CA certificate?

I’m also confused how new clients join the cluster when auto_encrypt is enabled. How do clients get their initial TLS configuration? Does this mean plain HTTP needs to be enabled all the time, so new clients can “tls-bootstrap” themselves? If so, isn’t this a security risk?

I find the documentation very unclear and confusing regarding auto_encrypt.
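
The startup error quoted in the post names a condition that can be checked before the agent is started. The following is an added example, not part of the original post and not Consul's own code: a small linter (the `lint_tls` helper and its finding codes are hypothetical) over the top-level TLS keys used in the posted configuration. It assumes a CA certificate is supplied through `ca_file` or `ca_path`, and that `auto_encrypt.allow_tls` is the server-side option while `auto_encrypt.tls` is the client-side one, as described in Consul's agent configuration reference.

```python
import json

# Constructed sample: the TLS-related keys from the configuration posted above.
POSTED_CONFIG = """
{
  "server": true,
  "auto_encrypt": {"allow_tls": true, "tls": true},
  "verify_outgoing": false,
  "verify_incoming": false,
  "verify_incoming_rpc": true
}
"""

VERIFY_INCOMING_KEYS = ("verify_incoming", "verify_incoming_rpc", "verify_incoming_https")
CA_KEYS = ("ca_file", "ca_path")  # assumption: the CA is supplied via one of these


def lint_tls(config):
    """Return (code, message) findings for a parsed agent config (hypothetical helper)."""
    findings = []
    enabled = [k for k in VERIFY_INCOMING_KEYS if config.get(k) is True]
    has_ca = any(config.get(k) for k in CA_KEYS)
    if enabled and not has_ca:
        # The condition named by the startup error quoted in the post.
        findings.append(("verify-incoming-without-ca",
                         "%s set, but no ca_file/ca_path: the agent has no CA to "
                         "verify incoming certificates against" % ", ".join(enabled)))
    auto = config.get("auto_encrypt") or {}
    is_server = config.get("server") is True
    if is_server and auto.get("tls") is True:
        findings.append(("auto-encrypt-tls-on-server",
                         "auto_encrypt.tls is the client-side option; a server "
                         "only needs auto_encrypt.allow_tls"))
    if not is_server and auto.get("allow_tls") is True:
        findings.append(("auto-encrypt-allow-tls-on-client",
                         "auto_encrypt.allow_tls is the server-side option; a "
                         "client requests certificates with auto_encrypt.tls"))
    return findings


if __name__ == "__main__":
    for code, message in lint_tls(json.loads(POSTED_CONFIG)):
        print("%s: %s" % (code, message))
```

Run against the posted configuration, it reports both the missing CA for `verify_incoming_rpc` and the client-side `auto_encrypt.tls` option set on a server.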