Consul (ssl, with Vault CA) + Nomad (tls): Envoy proxies returns "tls: unknown certificate authority"

Hi @jsosulska

Thank you all (everyone) for the help and the call too!

We proceeded to try something, and we did it like this, just for testing:

  1. We bootstrapped the cluster without Connect enabled, as you advised, and then enabled it once we had all the Vault certificates. This allowed us to see that /v1/connect/ca/configuration returned the Vault one, while before it was the one created by Consul.

  2. Now we can see another intermediate “leaf-cert” in Vault.

  3. Deploying the job, they (the proxies) still don’t work, but after appending the “new” CA root certificate to the old one (so, one file with two certificates), restarting Nomad and redeploying the Nomad job, we finally see the proxies working!

This method is not rock solid; we will try to follow the way you told us for the resolution, i.e. different certs for different purposes.

I’ll keep you updated regarding this process.

Thank you

Francesco

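The workaround in step 3 above builds a single trust file holding both the old Consul-generated root and the new Vault-issued root. The following is an added example, not code from the thread or from HashiCorp: it merges CA bundles while de-duplicating identical certificates (so re-running it after a rotation does not pile up copies) and checks that both roots ended up in the result. The PEM blobs are constructed placeholders built in code, not real certificates; the function names and the `consul-ca-bundle.pem` path are assumptions.

```python
"""Merge CA root bundles into one trust file and verify the result.

Added example, not from the original thread. The certificate bodies are
constructed placeholders (valid base64, not real X.509 data) so the
script runs offline; point it at real PEM files to use it for real.
"""
import base64
import hashlib
import re
from typing import List

# One PEM certificate block; DOTALL so the body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _placeholder_pem(label: bytes) -> str:
    """Constructed placeholder: wrap a label as a PEM-shaped block."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample input standing in for the two roots from the thread.
OLD_ROOT = _placeholder_pem(b"constructed placeholder: consul built-in CA root")
NEW_ROOT = _placeholder_pem(b"constructed placeholder: vault-issued CA root")


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every certificate in the bundle as normalized PEM text.

    Raises ValueError if a block body is not valid base64, which catches
    the common copy-paste damage (truncated or interleaved blocks).
    """
    certs = []
    for body in PEM_BLOCK.findall(bundle):
        compact = "".join(body.split())
        try:
            base64.b64decode(compact, validate=True)
        except (ValueError, base64.binascii.Error) as exc:
            raise ValueError("malformed certificate block in bundle") from exc
        lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
        certs.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    return certs


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` shows."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def merge_ca_bundles(*bundles: str) -> str:
    """Concatenate bundles, keeping the first copy of each distinct cert."""
    seen = set()
    merged = []
    for bundle in bundles:
        for cert in split_pem_bundle(bundle):
            fp = cert_fingerprint(cert)
            if fp in seen:
                continue  # same cert appended twice: skip the duplicate
            seen.add(fp)
            merged.append(cert)
    return "".join(merged)


def bundle_contains(bundle: str, cert: str) -> bool:
    """True if the bundle holds a certificate byte-identical to `cert`."""
    wanted = cert_fingerprint(cert)
    return any(cert_fingerprint(c) == wanted for c in split_pem_bundle(bundle))


if __name__ == "__main__":
    combined = merge_ca_bundles(OLD_ROOT, NEW_ROOT)
    # Re-merging an already combined file must not duplicate anything.
    combined = merge_ca_bundles(combined, NEW_ROOT)
    assert bundle_contains(combined, OLD_ROOT) and bundle_contains(combined, NEW_ROOT)
    # Assumed output path; Nomad would be pointed at this file and restarted.
    with open("consul-ca-bundle.pem", "w") as fh:
        fh.write(combined)
    print(f"wrote {len(split_pem_bundle(combined))} distinct CA certificates")
```

Run it on the real files by replacing `OLD_ROOT` and `NEW_ROOT` with the contents of the old and new root PEM files; the fingerprint check is the one to compare against what `/v1/connect/ca/roots` reports, so you know the file Nomad trusts actually contains the root Vault is now signing with.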