Consul web UI TLS enabled

I went the route of using AWS Certificate Manager to create the certs instead of auto-encryption, so I'm not sure there. I leveraged the user data portion of CloudFormation to install Consul and would create certs for all instances using Consul with SANs. This is more for a management network, so I would have services like Consul, Vault, Jenkins, Grafana and ELK. I would run:

aws acm request-certificate \
    --domain-name "$thisModule.node.consul" \
    --validation-method DNS \
    --subject-alternative-names "$thisModule.node.$DATACENTER.consul" "$thisModule.service.consul" \
    --certificate-authority-arn subordinateCAarn \
    --tags "Key=Name,Value=$thisModule" \
    --output text

That would give me back the ARN of the cert created, and then I would export the cert using the "aws acm export-certificate" command and make a keystore, truststore or whatever the service required from that.

I elected this route so that if, let's say, my Jenkins worker died, I have it in an ASG and upon instance creation it would first look to see if the Jenkins cert existed; if not, it would create it, but it always has to export to create the cert/JKS/etc.

HashiCorp has good documentation on this, in the OpenSSL TLS section. Sorry I am not providing a link.

Last thing. I have a three-node Consul cluster and I was having issues with the Consul UI. So I launched an EC2 instance that served as the Consul UI. Meaning, all other services including the Consul servers were configured with

"ui_config": {
  "enabled": false
},
"verify_incoming": true,
"verify_outgoing": true

Then on the server that I called ConsulUI I had these settings:

"ui_config": {
  "enabled": true,
  "content_path": "/consului/"
},
"verify_incoming": false,
"verify_incoming_rpc": true,
"verify_outgoing": true

I had to add the content_path setting above because I access all services behind a reverse proxy, but Consul and Vault both use /ui/ for the content path and that was causing issues. Consul supports content_path but Vault does not, well at least 1.4 does not. I am using Consul 1.9.5 and will upgrade Vault when the customer gives approval.

Not sure if this helps, but I'm putting it out there as it did take a while reading the Consul docs to find all the right combinations.
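The "look for the cert, request it only if it is missing, then export it" sequence described in the post, written out as user-data-style shell functions around the aws CLI. This is an added example, not code from the original post or from HashiCorp/AWS. It assumes things the post does not state: the subordinate CA ARN is in $CA_ARN, the export passphrase lives in the file named by $PASSFILE, the instance role may call acm:ListCertificates, RequestCertificate, DescribeCertificate and ExportCertificate, and openssl (plus keytool for the optional JKS step) is installed. The domain-name/SAN pattern, the Name tag and the "dc1" default datacenter follow the post; everything else is this example's choice.

```shell
#!/bin/sh
# Added example (not from the original post): find-or-request an ACM Private CA
# cert for one service, wait for issuance, export it, optionally build a JKS.
# Assumed environment: CA_ARN, PASSFILE (export passphrase file), aws CLI creds.
set -eu

# Names the cert covers, following the post's pattern: the first is the CN
# (--domain-name), the rest go in --subject-alternative-names.
cert_names() {
  printf '%s.node.consul %s.node.%s.consul %s.service.consul\n' "$1" "$1" "$2" "$1"
}

# ARN of an already ISSUED cert for this primary name, or nothing.
# Text output prints "None" for an empty JMESPath result, hence the grep.
find_cert_arn() {
  aws acm list-certificates --certificate-statuses ISSUED --output text \
    --query "CertificateSummaryList[?DomainName=='$1'].CertificateArn | [0]" \
    | grep -v '^None$' || true
}

# Request a new private cert; prints its ARN. No --validation-method: a
# private-CA request is issued by the CA rather than validated by DNS/email.
request_cert() {
  module="$1"; dc="$2"
  set -- $(cert_names "$module" "$dc")
  primary="$1"; shift
  aws acm request-certificate \
    --domain-name "$primary" \
    --subject-alternative-names "$@" \
    --certificate-authority-arn "$CA_ARN" \
    --tags "Key=Name,Value=$module" \
    --query CertificateArn --output text
}

# Poll until ISSUED. Private-CA issuance is quick but asynchronous, and an
# export attempted before that fails instead of returning a cert.
wait_issued() {
  tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    status="$(aws acm describe-certificate --certificate-arn "$1" \
                --query Certificate.Status --output text)"
    [ "$status" = "ISSUED" ] && return 0
    [ "$status" = "FAILED" ] && return 1
    tries=$((tries - 1))
    sleep 2
  done
  return 1
}

# Find-or-request: the step that makes an ASG replacement safe to re-run.
ensure_cert() {
  arn="$(find_cert_arn "$1.node.consul")"
  if [ -z "$arn" ]; then
    arn="$(request_cert "$1" "$2")"
    wait_issued "$arn"
  fi
  printf '%s\n' "$arn"
}

# Export cert, chain and key (ACM only exports the key encrypted with the
# passphrase), then decrypt the key into a 0600 PEM for services that cannot
# read an encrypted key. One aws call per field keeps this jq-free.
export_cert() {
  arn="$1"; module="$2"; outdir="$3"
  mkdir -p "$outdir"
  for field in Certificate CertificateChain PrivateKey; do
    aws acm export-certificate --certificate-arn "$arn" \
      --passphrase "fileb://$PASSFILE" --query "$field" --output text \
      > "$outdir/$module.$field.pem"
  done
  openssl pkey -in "$outdir/$module.PrivateKey.pem" -passin "file:$PASSFILE" \
    -out "$outdir/$module.key"
  chmod 600 "$outdir/$module.key"
  rm -f "$outdir/$module.PrivateKey.pem"
}

# Optional: PEM -> PKCS#12 -> JKS for Java services such as Jenkins.
build_jks() {
  module="$1"; outdir="$2"
  openssl pkcs12 -export -name "$module" \
    -in "$outdir/$module.Certificate.pem" -inkey "$outdir/$module.key" \
    -certfile "$outdir/$module.CertificateChain.pem" \
    -out "$outdir/$module.p12" -passout "file:$PASSFILE"
  keytool -importkeystore -noprompt \
    -srckeystore "$outdir/$module.p12" -srcstoretype PKCS12 -srcstorepass:file "$PASSFILE" \
    -destkeystore "$outdir/$module.jks" -deststoretype JKS -deststorepass:file "$PASSFILE"
}

# User-data entry point, e.g.: MODULE=jenkins DATACENTER=dc1 OUTDIR=/etc/pki/jenkins sh cert.sh
if [ -n "${MODULE:-}" ]; then
  arn="$(ensure_cert "$MODULE" "${DATACENTER:-dc1}")"
  export_cert "$arn" "$MODULE" "${OUTDIR:-/etc/pki/$MODULE}"
fi
```

The find-or-request lookup keys on the primary name only, so two modules that share a node name would collide; tag the Name value accordingly if that can happen in your environment. The decrypted key is written to disk because most of the listed services (Jenkins, Grafana, ELK) cannot load a passphrase-protected PEM; if a service can, skip the openssl pkey step and hand it the encrypted file plus the passphrase instead.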