Consul TLS + Nomad sidecar (envoy) proxy needs full CA chain (intermediate/root)


We have enabled Consul TLS and have noticed that Consul and Nomad agents do not need the full CA chain to communicate with each other. Unfortunately, it looks as if Nomad sidecars (Envoy) do. Envoy is bootstrapped to need the full CA chain provided; otherwise it will fail to connect (“tls: unknown certificate authority”).

We are using Vault to generate certificates and have implemented an intermediate CA following Build Your Own Certificate Authority (CA) | Vault - HashiCorp Learn but we are looking into using an offline root CA instead in the near future (Build Certificate Authority (CA) in Vault with an offline Root | Vault - HashiCorp Learn).

We would rather not have to append the root certificate to the intermediate ones. Is there any other way we can get Nomad sidecars to successfully contact Consul with TLS enabled?
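Added example (not part of the original post, and not Consul, Nomad, Envoy or Vault code): a Go program that builds a constructed root -> intermediate -> server-leaf hierarchy and checks a CA file two ways, once with Go's x509.Verify, which treats every certificate in the file as a trust anchor (what the Go-based Consul and Nomad agents do), and once with the extra rule an OpenSSL/BoringSSL-based client such as Envoy applies by default, that the chain must end at a self-signed root present in the file. With the intermediate alone the first check passes and the second fails, matching the behaviour described above; appending the root makes both pass. The names newCert, buildPKI and check are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/pkey; a nil parent makes it self-signed.
func newCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// buildPKI is a constructed fixture (not real Vault output): root -> intermediate -> server leaf.
func buildPKI() (*x509.Certificate, []byte, []byte) {
	ca := x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	root, rootKey, rootPEM := newCert("demo-root", ca, nil, nil)
	inter, interKey, interPEM := newCert("demo-intermediate", ca, root, rootKey)
	leaf, _, _ := newCert("consul-server", x509.KeyUsageDigitalSignature, inter, interKey)
	return leaf, interPEM, rootPEM
}

// check verifies leaf two ways: goOK is Go's verdict (Consul, Nomad: any cert in the file is an anchor);
// envoyOK adds the OpenSSL/BoringSSL rule that the chain must end at a self-signed root in the file.
func check(leaf *x509.Certificate, trustPEM []byte) (goOK, envoyOK bool) {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(trustPEM)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, Intermediates: pool}) // pool as Intermediates too, so Verify climbs to the root
	for _, chain := range chains {
		top := chain[len(chain)-1]
		envoyOK = envoyOK || top.CheckSignatureFrom(top) == nil // self-signed root reached
	}
	return err == nil, envoyOK
}
```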