Hello,
I am trying to set up a brand new Vault cluster (v1.4) and Consul cluster (v1.8.0) with Consul Connect and Vault as a CA.
I see that when I bootstrap the Consul cluster with Vault as a CA and start my Connect-enabled application … when a Connect-enabled client app tries to communicate with the upstream Connect-enabled service … it gives the following error:
[ERROR] proxy.upstream: failed to dial: error="x509: certificate has expired or is not yet valid"
I tried generating a certificate manually for a test application from the leaf role of the intermediate pki endpoint … and the certificate generates successfully with TTLs.
{
  "SerialNumber": "<serial_number>",
  "CertPEM": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n \n-----END CERTIFICATE-----",
  "PrivateKeyPEM": "-----BEGIN EC PRIVATE KEY----- PRIVATE KEY-----\n",
  "Service": "test",
  "ServiceURI": "spiffe://.consul/ns/default/dc/dc1/svc/test",
  "ValidAfter": "2020-08-12T02:03:30Z",
  "ValidBefore": "2020-08-15T02:04:00Z",
  "CreateIndex": 11,
  "ModifyIndex": 11
}
But when the Connect proxies communicate, they produce the error mentioned above.
What can be the issue?
I am running all these in a test environment… so everything is from scratch…
Any help is appreciated.
Regards,
Ashwin
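
Go's crypto/x509 reports "certificate has expired or is not yet valid" for any certificate in the presented chain, not only the leaf, so one diagnostic is to check every certificate in a CertPEM bundle like the one above against the clock of the host doing the verification. The following Go program is an added example, not part of the original post or of Consul's code; WindowStatus, SampleCert and the sample names and dates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WindowStatus classifies each CERTIFICATE block of a PEM bundle against now.
func WindowStatus(bundle []byte, now time.Time) ([]string, error) {
	var out []string
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return out, err
		}
		status := "ok"
		if now.Before(c.NotBefore) {
			status = "not yet valid"
		} else if now.After(c.NotAfter) {
			status = "expired"
		}
		out = append(out, c.Subject.CommonName+": "+status)
	}
	return out, nil
}

// SampleCert builds a constructed self-signed certificate (demo input only).
func SampleCert(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2020, 8, 12, 2, 10, 0, 0, time.UTC) // constructed "verifier clock"
	bundle := append(SampleCert("leaf", now.Add(-time.Hour), now.Add(72*time.Hour)),
		SampleCert("intermediate", now.Add(time.Hour), now.Add(720*time.Hour))...)
	fmt.Println(WindowStatus(bundle, now))
}
```

Passing the real CertPEM value and `time.Now()` from each host running a proxy shows which certificate, if any, is outside its window on that host.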