Consul deprecation warning for tls config - new keys not working

Hello,

I’m using consul 1.12.0-1 on Ubuntu 20.04.
I’m using various config directives to configure tls: ca_file, cert_file, key_file etc. When starting consul I get a warning that all these are deprecated:

May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'verify_outgoing' field is deprecated. Use the 'tls.defaults.verify_outgoing' field instead.
May 05 14:34:37 consul-1 consul[1184]: 2022-05-05T14:34:37.991+0300 [WARN]  agent: The 'verify_server_hostname' field is deprecated. Use the 'tls.internal_rpc.verify_server_hostname' field instead.

So I changed all the directives to the specified ones, but then I get an error from consul, telling me that it doesn’t recognize the new directives. This is the config:

tls.defaults.verify_incoming = false
tls.defaults.verify_outgoing = true
tls.internal_rpc.verify_server_hostname = true

tls.defaults.ca_file = "/etc/consul.d/certs/comp.internal-agent-ca.pem"
tls.defaults.cert_file = "/etc/consul.d/certs/comp-dc-1-server-comp.internal-0.pem"
tls.defaults.key_file =  "/etc/consul.d/certs/comp-dc-1-server-comp.internal-0-key.pem"

And this is the error message:

May 05 14:39:26 consul-0 consul[13230]: ==> failed to parse /etc/consul.d/consul.hcl: 6 errors occurred:
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.defaults.key_file
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.internal_rpc.verify_server_hostname
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.defaults.verify_outgoing
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.defaults.ca_file
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.defaults.verify_incoming
May 05 14:39:26 consul-0 consul[13230]:         * invalid config key tls.defaults.cert_file

Any ideas what I’m doing wrong?

The dot-separated expressions are not intended to be written in the configuration file directly as is - rather, they are shorthand for configuration in nested blocks:

tls {
  defaults {
    verify_incoming = false
  }
}
3 Likes
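The nesting described in the answer above, applied to all six keys from the question, as an added example (not code from the thread or from the Consul project). The helper names `parse_warnings`, `render` and `migrate` are hypothetical, and the script assumes the old file holds only flat top-level `key = value` lines:

```python
import re

WARN_RE = re.compile(r"The '(\w+)' field is deprecated\. Use the '([\w.]+)' field")
ASSIGN_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
# Constructed samples: warning text and flat keys/values copied from the question.
WARNINGS = """\
agent: The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
agent: The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
agent: The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
agent: The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
agent: The 'verify_outgoing' field is deprecated. Use the 'tls.defaults.verify_outgoing' field instead.
agent: The 'verify_server_hostname' field is deprecated. Use the 'tls.internal_rpc.verify_server_hostname' field instead.
"""
OLD_CONFIG = """\
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/consul.d/certs/comp.internal-agent-ca.pem"
cert_file = "/etc/consul.d/certs/comp-dc-1-server-comp.internal-0.pem"
key_file = "/etc/consul.d/certs/comp-dc-1-server-comp.internal-0-key.pem"
"""

def parse_warnings(log):
    """Map each deprecated key to the dotted path named in its warning."""
    return dict(WARN_RE.findall(log))

def render(tree, indent=0):
    """Render a nested dict as HCL blocks; leaves are raw HCL value text."""
    pad, out = "  " * indent, []
    for key, val in tree.items():
        if isinstance(val, dict):
            out += [f"{pad}{key} {{", *render(val, indent + 1), f"{pad}}}"]
        else:
            out.append(f"{pad}{key} = {val}")
    return out

def migrate(flat, mapping):
    """Nest flat `key = value` lines per mapping (assumes no existing blocks)."""
    tree = {}
    for key, value in ASSIGN_RE.findall(flat):
        *blocks, leaf = mapping.get(key, key).split(".")  # unmapped keys stay top-level
        node = tree
        for name in blocks:
            node = node.setdefault(name, {})
        node[leaf] = value
    return "\n".join(render(tree))

if __name__ == "__main__":
    print(migrate(OLD_CONFIG, parse_warnings(WARNINGS)))
```

Running it prints a single `tls` block with `defaults` and `internal_rpc` sub-blocks; `consul validate` on the resulting file confirms the agent accepts it before a restart.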

Thank you. It works :)