Connect with auto-encrypt results in "no PEM-encoded data found"

Hi,

I have an issue regarding connectivity in my secondary datacenter: the agent and servers are configured to use auto_encrypt. I’m also using Vault as a CA provider.

When registering my consul agent I get the following:

[ERROR] agent.auto_config: AutoEncrypt.Sign RPC failed: addr=172.16.64.10:8300 error="rpcinsecure error making call: error parsing CA cert: no PEM-encoded data found"

Here are the configurations for both my server and agent:

Server:

data_dir = "/tmp/"
log_level = "TRACE"

datacenter = "dc2"
primary_datacenter = "aws"

server = true
bootstrap_expect = 1


bind_addr = "0.0.0.0"
client_addr = "0.0.0.0"
node_name = "consul-primary-dc2"


ports {
  grpc = 8502
  https = 8501
  http = -1
}
primary_gateways = ["IP OF MY PRIMARY GATEWAY:9443"]

connect {
    enabled = true
    enable_mesh_gateway_wan_federation = true
}
acl {
  enabled = true
  default_policy = "deny"
  down_policy = "extend-cache"
  enable_token_persistence = true
  enable_token_replication = true
}
encrypt = "REDACTED BUT IS THE SAME EVERYWHERE"

ui = true
enable_central_service_config = true

advertise_addr = "172.16.64.10"
verify_incoming = false
verify_outgoing = false
verify_server_hostname = false
ca_file = "/tls/aws-ca.pem"
cert_file = "/tls/aws-dc2.crt.pem"
key_file = "/tls/aws-dc2.key.pem"
auto_encrypt = {
    allow_tls = true
}

Agent:

data_dir = "/tmp/"
log_level = "TRACE"


datacenter = "dc2"
primary_datacenter = "aws"

server = false

node_name = "consul-agent-payments1"


bind_addr = "0.0.0.0"
client_addr = "0.0.0.0"

ports {
  grpc = 8502
  https = 8501
  http = -1
}
connect {
    enabled = true
}
acl = {
  enabled = true
  default_policy = "deny"
  down_policy = "extend-cache"
  enable_token_persistence = true
  enable_token_replication = true
  tokens {
        agent = "REPLICATION TOKEN"
  }
}
encrypt = "REDACTED BUT IS THE SAME EVERYWHERE"

advertise_addr = "172.16.64.11"
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true

ca_file = "/tls/aws-ca.pem"
auto_encrypt = {
    tls = true
}
retry_join = ["172.16.64.10"]

I would be happy to provide more information if needed.

Thanks for your help as always.

Marius