@blake
I am following up as I was able to overcome my issue.
In Vault’s configuration, I changed all hostnames to IP addresses:
# Vault server configuration (HCL). Every address below is an IP rather than a
# hostname, so the TLS name checks in retry_join are against IP SANs, not DNS names.
ui = true
# Addresses advertised to raft peers (cluster_addr) and to API clients/redirects
# (api_addr); both point at this node's own IP.
cluster_addr = "https://192.168.100.10:8201"
api_addr = "https://192.168.100.10:8200"
# NOTE(review): with mlock disabled, in-memory secrets can be paged to disk unless
# swap is off on the host — confirm the host's swap configuration.
disable_mlock = true
storage "raft" {
path = "/opt/vault/data"
# Peers this node tries to join at start-up. Each peer is verified against
# root_ca.crt using the server name given, and this node presents its own
# vault.crt/vault.key as the client certificate to that peer.
retry_join {
# NOTE(review): an IP as the TLS server name means the peer's certificate must
# carry a matching IP SAN for verification to succeed — confirm the issued certs.
leader_tls_servername = "192.168.100.11"
leader_api_addr = "https://192.168.100.11:8200"
leader_ca_cert_file = "/etc/step/certs/root_ca.crt"
leader_client_cert_file = "/etc/step/certs/vault/vault.crt"
leader_client_key_file = "/etc/step/certs/vault/vault.key"
}
retry_join {
# Same trust and client-certificate settings as above, for the second peer.
leader_tls_servername = "192.168.100.12"
leader_api_addr = "https://192.168.100.12:8200"
leader_ca_cert_file = "/etc/step/certs/root_ca.crt"
leader_client_cert_file = "/etc/step/certs/vault/vault.crt"
leader_client_key_file = "/etc/step/certs/vault/vault.key"
}
}
listener "tcp" {
# Binds every interface on 8200 with TLS. tls_client_ca_file only sets the CA used
# to verify client certificates that happen to be presented; the listener does not
# require a client certificate unless tls_require_and_verify_client_cert is also set.
address = ":8200"
tls_cert_file = "/etc/step/certs/vault/vault.crt"
tls_key_file = "/etc/step/certs/vault/vault.key"
tls_client_ca_file = "/etc/step/certs/root_ca.crt"
}
service_registration "consul" {
# Registers this node with the local Consul agent over plaintext HTTP on loopback;
# presumably this registration is what produces the vault.service.consul records.
address = "http://127.0.0.1:8500"
}
telemetry {
# Metric names omit the hostname; Prometheus metrics are kept for 30s, so the
# scrape interval needs to be at or below that.
disable_hostname = true
prometheus_retention_time = "30s"
}
DNS queries against vault.service.consul and vault.my-fqdn are now working correctly:
dig @192.168.100.10 -p 8600 vault.service.consul +short
192.168.100.10
192.168.100.12
192.168.100.11