Consul Certification

Hello everyone. I need help with certification. I have 3 servers and 1 client, and on the server side I get the following error:
"agent.server.rpc: failed to read byte: conn=from= error="remote error: tls: bad certificate"

Server Config:

```json
{
  "server": true,
  "bootstrap_expect": 3,
  "data_dir": "",
  "client_addr": "0.0.0.0",
  "datacenter": "dc2",
  "ui": true,
  "ports": {
    "https": 8501,
    "http": -1
  },
  "addresses": {
    "http": "0.0.0.0"
  },
  "verify_incoming": false,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "_local.pem",
  "cert_file": "_local.pem",
  "key_file": ".local.key",
  "auto_encrypt": {
    "allow_tls": true
  },
  "log_level": "INFO",
  "disable_update_check": true,
  "disable_anonymous_signature": true
}
```

Client Config:

```json
{
  "server": false,
  "data_dir": "",
  "ui": true,
  "retry_join": ["…", "…", "…"],
  "bind_addr": "IpAddress (example)",
  "datacenter": "dc2",
  "log_level": "INFO",
  "ports": {
    "http": -1,
    "https": 8501
  },
  "auto_encrypt": {
    "tls": true
  },
  "disable_update_check": true,
  "disable_anonymous_signature": true,
  "verify_outgoing": true,
  "verify_incoming": false,
  "verify_server_hostname": true,
  "ca_file": "_local.pem"
}
```

What can I do to secure the Consul cluster? After enabling HTTPS, I cannot join members to the cluster.

Best regards

You may want to start off by switching to HCL2; JSON has been deprecated. Also, if you use the 3 backticks (there is a <> in the editor as well), your code is formatted properly so it's readable to others.

My suggestion is to back up and create a clean install, then add the gossip encryption, then enable TLS after. Trying to jump to the end with all of it is probably more confusing.

Just noticed you don't have an encryption key in your config either; that's a required field for gossip encryption, which you have turned on (halfway: if you're going to use encryption, why not have it for both incoming and outgoing?).
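As an added example (not from the thread and not Consul's own code), here is a small stdlib-only Python check over the posted server config that flags the points raised above: one-way verification, the missing gossip `encrypt` key, a `cert_file` identical to the `ca_file`, and the `server.<datacenter>.<domain>` name that `verify_server_hostname` requires of server certificates. The finding codes and the hardened config values are assumptions for illustration.

```python
import json

# Constructed sample: the server config posted in the thread (straight quotes,
# TLS-relevant keys only), used as input for the checks below.
SERVER_CONFIG = json.loads("""{
  "server": true, "datacenter": "dc2",
  "ports": {"https": 8501, "http": -1},
  "verify_incoming": false, "verify_outgoing": true, "verify_server_hostname": true,
  "ca_file": "_local.pem", "cert_file": "_local.pem", "key_file": ".local.key",
  "auto_encrypt": {"allow_tls": true}
}""")

# Constructed hardened variant: mutual TLS, a distinct leaf cert, gossip key set.
# "<gossip-key>" is a placeholder for the output of `consul keygen`.
HARDENED_CONFIG = {**SERVER_CONFIG, "verify_incoming": True,
                   "cert_file": "server.dc2.pem", "key_file": "server.dc2.key",
                   "encrypt": "<gossip-key>"}


def lint_tls(cfg):
    """Return finding codes (hypothetical labels, not Consul output) for an agent config."""
    findings = []
    dc, domain = cfg.get("datacenter", "dc1"), cfg.get("domain", "consul")
    ports = cfg.get("ports", {})
    if cfg.get("verify_outgoing") and not cfg.get("verify_incoming"):
        # Outbound peers are verified, but inbound connections are not required
        # to use TLS or to present a CA-signed certificate.
        findings.append("ONE_WAY_TLS")
    if cfg.get("verify_server_hostname"):
        # Outgoing connections check the server cert for this name; a cert
        # without it fails verification, so the cert's SANs must include it.
        findings.append(f"NEEDS_SAN:server.{dc}.{domain}")
    if cfg.get("ca_file") and cfg.get("ca_file") == cfg.get("cert_file"):
        # The agent would present the CA certificate as its own identity.
        findings.append("CERT_IS_CA")
    if cfg.get("server") and not cfg.get("encrypt"):
        # Gossip encryption needs a shared key in "encrypt".
        findings.append("NO_GOSSIP_KEY")
    if ports.get("https") and ports.get("http", 8500) != -1:
        # HTTPS is on but the plaintext HTTP API is still listening.
        findings.append("HTTP_PLAINTEXT_OPEN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SERVER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_tls(cfg))
```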

Can you please copy my configuration and adjust it? Thanks :slight_smile: I am new, sorry.

@aram JSON is not deprecated and is a valid option for specifying configurations.


@dimitar.manev How did you create the certificates? We have a Learn tutorial that walks you through how to create certificates for Consul.

Hi Karl. We have our CA certificates and they work... but now I have a problem. I have gossip encryption, I have ACLs enabled, and I have certificates... now I cannot join the cluster:
ERROR: Error joining address "’: Unexpected response code: 403 (Permission denied)

What permissions does this ACL token have?

The basic permissions from the Consul example. I've just run `consul acl bootstrap` and I have ACLs enabled...

So when you say it cannot join the cluster, is that referring to the servers or a client? The other question I have is: did you set the token value on the agent with `consul acl set-agent-token agent <TokenValueHere>`?