Consul Certification

dimitar.manev · November 25, 2021, 12:33pm

Hello everyone. I need help by certification. I have 3 Servers and 1 Client and on the Server side i become the following error:
"agent.server.rpc: failed to read byte: conn=from= error="remote error: tls: bad certificate"

Server Config :
{
“server”: true,
“bootstrap_expect” : 3,
“data_dir”: “”,
“client_addr” :“0.0.0.0”,
“datacenter”: “dc2”,
“ui”: true,
“ports” : {
“https” : 8501,
“http” : -1
},
“addresses”: {
“http”: “0.0.0.0”
},
“verify_incoming”: false,
“verify_outgoing”: true,
“verify_server_hostname”: true,
“ca_file”: “_local.pem”,
“cert_file”: “_local.pem”,
“key_file”: “.local.key”,
“auto_encrypt”: {
“allow_tls”: true
},
“log_level”: “INFO”,
“disable_update_check”: true,
“disable_anonymous_signature”: true
}

Client Config:

{
“server”: false,
“data_dir”: “”,
“ui”: true,
“retry_join”: ["…", “…”, “…”],
“bind_addr”:“IpAddress (example)”,
“datacenter”: “dc2”,
“log_level”: “INFO”,
“ports”: {
“http” : -1,
“https” : 8501
},
“auto_encrypt” :{
“tls” : true
},
“disable_update_check”: true,
“disable_anonymous_signature”: true,
“verify_outgoing”: true,
“verify_incoming”: false,
“verify_server_hostname”: true,
“ca_file”: “_local.pem”
}

What can i do to secure the consul cluster ? After using a https i cannot join members in cluster?

Best regards

aram · November 25, 2021, 1:24pm

You may want to start off by switching to HCL2, json has been deprecated. Also if you use the 3 backticks your code (there is a <> in the editor as well) is formatted properly so it’s readable to others.

My suggestion is to backup and create a clean install, then add the gossip encryption, then enable tls after. Trying to jump to the end with all of it is probably more confusing.

Just noticed, you don’t have an encryption key in your config too, that’s a required field for gossip encryption which you have turned on (half way: if you’re going to use encryption why not have it for both incoming/outgoing?).

dimitar.manev · November 25, 2021, 3:14pm

Can you please copy my configuration and adjusting it . Tnx I am new sorry

karl-cardenas-coding · November 29, 2021, 8:59pm

@aram JSON is not deprecated and is a valid option for specifying configurations.

karl-cardenas-coding · November 29, 2021, 9:01pm

@dimitar.manev How did you create the certificates? We have a Learn tutorial that walks you how to create certificates for Consul.

dimitar.manev · December 1, 2021, 9:46am

Hi Karl . We have our CA Certificates and they work … but now i have a problem. I have gossip encryption , i have a acl enabling and i have certificates… now i can not join the cluster
ERROR: Error joining address "’: Unexpected response code: 403 (Permission denied)

karl-cardenas-coding · December 1, 2021, 3:21pm

What permissions does this ACL token have ?

dimitar.manev · December 1, 2021, 3:23pm

the basic permissions from Consul example . i’ve just made “consul acl bootstrap” and i have acl’s enabled…

karl-cardenas-coding · December 1, 2021, 3:26pm

So when you say it cannot join the cluster, is that referring to the servers or a client ? The other question I have is, did you set the token value to the agent consul acl set-agent-token agent <TokenValueHere>

Topic		Replies	Views
TLS handshake failure Consul	6	2402	December 21, 2020
I setup consul agent server cluster ,but setup agent client to connect to server fail Consul	1	473	December 14, 2022
Consul Client join consul servers cluster \| certificate error Consul consul	2	631	August 2, 2022
Agent: error getting server health from server: Consul	6	1301	July 23, 2022
Consul: invalid certificate, certificate is not valid for server.dc1.consul.hello.com Consul	3	388	February 9, 2024

Consul Certification

Related topics