Consul created cert file name format different than documentation

When I create TLS certs using the consul command, the resultant file name does not follow the format in the documentation: https://www.consul.io/docs/commands/tls/cert.html


It seems like the component order is reversed. Instead of consul-server-<dcX>, it uses <dcX>-server-consul.

Is this a bug in the code, or a bug in the documentation?

root@infra-terraformer:~/consul# consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
root@infra-terraformer:~/consul# consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem

I can confirm this.

╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1› 
╰─➤  consul tls ca create  
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1› 
╰─➤  consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem

Readme on GitHub seems to be up to date: https://github.com/hashicorp/consul/blob/master/website/source/docs/guides/creating-certificates.html.md#creating-certificates

[...]
Step 2: Create individual Server Certificates
Create a server certificate for datacenter dc1 and domain consul, if your datacenter or domain is different please use the appropriate flags:

$ consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem

Documentation seems to be outdated. :wink:

Thank you for reporting! I created a PR for that: https://github.com/hashicorp/consul/pull/7453.
