I currently have a TLS setup with the recommended local, private CA, and I'm using Vault to manage an intermediate CA signed by this root CA. Consul is then issued a certificate and key from the Vault intermediate CA.
However when accessing the UI on the browser, the certificate is untrusted, even with the root CA trusted.
I think this is to do with consul not sending the intermediate CA during the SSL handshake?
Hi @Penacillin,
This sounds related to "ca: Support using an external CA as the Trusted CA" (Issue #11598, hashicorp/consul on GitHub), which is currently being worked on.
I recommend upvoting the issue to indicate your interest and subscribing to it so that you can receive updates on its progress. Feel free to leave a comment on the issue with additional information on your use case or requirements if you do not feel they are fully reflected in the issue description.
Hi @blake. I’m (pretty sure I’m) getting this same issue.
I have a certificate for Consul that's signed by an intermediate certificate. If I include the root/intermediate bundle in the ca_file option, and the Consul cert in the cert_file option in Consul's config, then Consul will start up just fine. However, the Consul UI presents only the end-entity certificate in my browser (not the intermediate), so my browser doesn't trust the Consul UI.
Does Consul have any way to present its full certificate chain for the Consul UI? If so, how do you configure that?
Aaaaand in classic tech fashion we figured out the solution. It turns out that I had the order of the intermediate and end-entity certificate backward in my cert bundle (and openssl verify output deceived me into thinking the bundle order was okay). The working configuration is as follows:
- ca_cert parameter: points to the root cert only.
- cert_file parameter: points to a file that contains the end-entity certificate and the intermediate certificate (where the end-entity certificate is first).
When I followed the above pattern, my browser presented the whole certificate chain (instead of just the end-entity certificate, as it was doing before).
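A check for the bundle ordering described above, as an added example that is not from this thread or from Consul itself: it walks a PEM bundle and confirms the end-entity certificate comes first and each certificate is issued by the next one. It assumes the openssl CLI is on PATH and builds its own constructed demo chain in a temp directory; the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from Consul: checks that a PEM bundle
# meant for Consul's cert_file is ordered end-entity first, then each issuing
# certificate in turn. Assumes the openssl CLI is on PATH; the demo chain is constructed.
set -eu

# Emit the Nth PEM certificate of a bundle (1-based).
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }

# Subject or issuer ($3) of the Nth certificate, RFC 2253 form, "subject="/"issuer=" prefix stripped.
cert_name() { nth_cert "$1" "$2" | openssl x509 -noout "-$3" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Returns 0 when the bundle is correctly ordered, 1 otherwise (reason on stderr).
chain_order_ok() {
    bundle=$1
    n=$(cert_count "$bundle")
    [ "$n" -ge 1 ] || { echo "$bundle: no certificates found" >&2; return 1; }
    # The first certificate must be the server (end-entity) certificate, not a CA.
    if nth_cert "$bundle" 1 | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo "$bundle: first certificate is a CA; the end-entity certificate must come first" >&2
        return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do   # each cert's issuer must be the next cert's subject
        issuer=$(cert_name "$bundle" "$i" issuer)
        next=$(cert_name "$bundle" $((i + 1)) subject)
        if [ "$issuer" != "$next" ]; then
            echo "$bundle: cert $i issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Constructed demo chain (root -> intermediate -> server) in a temp dir.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=consul.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/good.pem"   # end-entity first: what the thread settled on
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/bad.pem"    # intermediate first: what broke the UI
for b in good bad; do chain_order_ok "$WORK/$b.pem" && echo "$b.pem: order OK" || echo "$b.pem: order WRONG"; done
```

Point chain_order_ok at the file you hand to Consul's cert_file; unlike openssl verify, it fails on an intermediate-first bundle rather than silently accepting it.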