I wanted to try out the auto_encrypt feature of Consul, and I tried the follow config:
{
"datacenter": "hic",
"node_name": "server-01",
"rejoin_after_leave": true,
"domain": "consul",
"advertise_addr": "127.0.0.1",
"server": true,
"bootstrap_expect": 1,
"data_dir": "/Users/jeroenjacobs/consul_test",
"disable_remote_exec": true,
"ports": {
"https": 8501,
"http": 8500
},
"connect": {
"enabled": true
},
"auto_encrypt": {
"allow_tls": true,
"tls": true
},
"verify_outgoing": false,
"verify_incoming": false,
"verify_incoming_rpc": true,
"enable_local_script_checks": true
}
However, This results in an error on startup:
==> Error starting agent: VerifyIncoming set, and no CA certificate provided!
2019/09/24 14:42:49 [INFO] agent: Exit code: 1
I don’t understand this. Unless I’m mistaken, auto_encrypt uses the built-in Consul Connect CA. The CA keypair is therefore managed by Consul itself.
Where am I supposed to get the public CA certificate?
I’m also confused how new clients join the cluster when auto_encrypt is enabled. How do clients get their initial TLS configuration? Does this mean plain HTTP needs to be enabled all the time, so new clients can “tls-bootstrap” themselves? If so, isn’t this a security risk?
I find the documentation very unclear and confusing regarding to auto_encrypt.