Enabling TLS in multi datacenter setup without outage

Hi All,

I currently have a multi-datacenter setup. I was trying to enable TLS encryption among the agents in my setup. While doing so, I found that there is downtime in communication between the two datacenters.

I have gone through the article “Update Consul agents to securely communicate with TLS” and followed the steps in it. The article also does not mention a multi-datacenter setup.

We have a database application that tries to connect to another database in the remote datacenter very frequently (less than every 5 seconds). We observed that it went down.

Is it even possible to enable TLS encryption in a multi-datacenter setup without any downtime or outage?

Hi @rvsnssriram90,

Can you provide more information regarding what went wrong in your environment?

The tutorial you referenced is designed to let you roll out TLS in an existing datacenter without downtime. It’d be helpful to understand specifically where you ran into issues with these instructions.

Hi Blake,

The environment consists of two existing datacenters (Primary and Secondary), and each datacenter consists of 3 Consul servers and about 50 agents.

We observed a communication failure between the two datacenters. One of our applications could not resolve a remote FQDN.

During that time, the Primary has TLS enabled and the Secondary has verify_incoming and verify_outgoing set to (False, False). The failure is observed until the Secondary Consul servers are converted to (True, True).

Is it possible to roll out TLS encryption in both datacenters without any kind of failure in communication or FQDN resolution between the datacenters?
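Added example (not from the thread, the tutorial, or the Consul project): the three agent configuration states that a phased TLS rollout moves through, written as Consul HCL using the legacy top-level TLS keys this thread refers to. The three sections are successive contents of the same agent configuration file, not one file, since HCL does not allow an attribute to be repeated. The datacenter name and certificate paths are placeholders.

```hcl
# ---- Phase 1: accept TLS, require nothing ----
# Certificates are installed so the agent can present its own certificate
# and verify peers, but plaintext is still accepted in both directions.
datacenter             = "dc1"                                  # placeholder
ca_file                = "/etc/consul.d/consul-agent-ca.pem"    # placeholder path
cert_file              = "/etc/consul.d/dc1-agent-consul-0.pem" # placeholder path
key_file               = "/etc/consul.d/dc1-agent-consul-0-key.pem"
verify_incoming        = false
verify_outgoing        = false
verify_server_hostname = false

# ---- Phase 2: require TLS outbound, still accept plaintext inbound ----
# Apply only after every agent and server in every datacenter has
# completed phase 1, then restart or reload agents one at a time.
verify_outgoing = true

# ---- Phase 3: require TLS inbound as well ----
# Apply only after every agent and server in every datacenter has
# completed phase 2. From here on, a peer that connects without a
# certificate is rejected.
verify_incoming        = true
verify_server_hostname = true
```

The ordering matters across datacenters, not just within one: `verify_incoming = true` makes a server reject any incoming RPC that does not present a client certificate signed by `ca_file`, while an agent with `verify_outgoing = false` does not initiate TLS for its outgoing RPCs. Servers in a datacenter that has reached phase 3 will therefore refuse connections from servers in a datacenter still at phase 1, which is the kind of cross-datacenter gap a rollout plan needs to avoid by completing each phase in both datacenters before starting the next.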