I am setting up a new production Vault cluster in Azure using VMs. The setup consists of a 5 node consul cluster for the storage backend and a 3 node Vault cluster.
In terms of TLS, I have set up self signed certificates for the Vault nodes and configured them to use HTTPS.
To have end-to-end TLS, do I need to configure Consul to use TLS and distribute certificates to the Consul clients on the Vault servers?
What's the best practice here, and does anyone have any guides I can follow? I followed the Consul guide for enabling RPC encryption, but it messes up Vault, as Consul complains that the cert is signed by an unknown authority. It's making me wonder if I need to do this to have full end-to-end TLS.
Great question! We have a general deployment guide here and as I look at it, I note that Consul’s TLS isn’t configured in it. Consul does support TLS and it would be preferable to use it. To that end, here’s a short example. Your question is broader than the short example, so I think this should cover the rest.
Thanks @tyrannosaurus-becks. The last link is what I was using to configure the tls for Vault. I spun down and spun up the cluster again and followed the guide all the way. I’m still getting the following error message: storage migration check error: error="Get https://127.0.0.1:8501/v1/kv/vault/core/migration: x509: certificate signed by unknown authority"
Any ideas what I’m missing?
Hi. That error is occurring while Vault is attempting a storage read. Have you configured the storage stanza of Vault to include TLS information for Consul? e.g. these parameters: https://www.vaultproject.io/docs/configuration/storage/consul.html#tls_ca_file
Hi @kalafut, thanks for your message. I figured out that it was that TLS config that was missing from the storage stanza, so it's working now. I meant to update the status of it here but I've been swamped with other configurations for the cluster.
Thanks all for your help.
Apologies for resurrecting this thread from the dead. Just needed additional clarification.
So, if you have a Vault+Consul cluster and you want to implement end-to-end TLS, is it accurate to say you need all of the following:
In the Consul Servers and Clients config files, you need to specify the following parameters:
key_file
cert_file
ca_file
In the Vault Servers config files, you need to specify the following in the listener stanza:
tls_cert_file
tls_key_file
Additionally, you need to specify the following in the storage (consul) stanza:
tls_cert_file
tls_key_file
tls_ca_file
Is that correct?
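To make the checklist above and @kalafut's point about the storage stanza concrete, here is an added example of the two configuration files involved. It is not configuration taken from the thread or from HashiCorp's guides; the hostnames, file paths and certificate file names are placeholders, and the Consul options beyond key_file/cert_file/ca_file (verify_incoming, verify_outgoing, verify_server_hostname, the ports block) are standard Consul agent settings included to show what "end-to-end" actually requires. The key detail behind the "certificate signed by unknown authority" error in this thread is that Vault's storage stanza talks to the local Consul client agent over HTTPS, so tls_ca_file there must be the CA that signed the Consul agent certificates, not the CA used for Vault's own listener; and because the Consul agent is configured with verify_incoming = true, Vault must also present a client certificate issued by that same Consul CA.

```hcl
# --- Consul agent (same shape on the 5 servers and on the client agent that
#     runs on each Vault node; only server/bootstrap_expect and the cert
#     file names differ). Paths and names are placeholders.
datacenter       = "dc1"
data_dir         = "/opt/consul/data"
server           = true          # false on the client agents on the Vault nodes
bootstrap_expect = 5             # omit on client agents

# TLS material issued by the Consul CA (e.g. via `consul tls cert create`)
ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"
cert_file = "/etc/consul.d/tls/dc1-server-consul-0.pem"
key_file  = "/etc/consul.d/tls/dc1-server-consul-0-key.pem"

# Require TLS on both directions of RPC/gossip-adjacent traffic and on the
# HTTPS API, and check the server name in peer certificates.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true

ports {
  http  = -1     # disable the plaintext HTTP API entirely
  https = 8501   # the port Vault's storage stanza points at
}

# --- Vault server (one of the 3 nodes). Placeholder hostnames and paths.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"

listener "tcp" {
  address       = "0.0.0.0:8200"
  # Vault's own serving certificate; may come from a different CA than Consul's
  tls_cert_file = "/etc/vault.d/tls/vault.pem"
  tls_key_file  = "/etc/vault.d/tls/vault-key.pem"
}

storage "consul" {
  address = "127.0.0.1:8501"   # local Consul client agent, HTTPS port from above
  scheme  = "https"
  path    = "vault/"
  # Must be the Consul CA, so Vault can verify the agent's certificate ...
  tls_ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"
  # ... and a client cert from that same CA, because the agent has
  # verify_incoming = true and will reject connections without one.
  tls_cert_file = "/etc/consul.d/tls/dc1-client-consul-0.pem"
  tls_key_file  = "/etc/consul.d/tls/dc1-client-consul-0-key.pem"
}
```

With both files in place, a quick sanity check before starting Vault is to confirm that the CA file named in tls_ca_file actually chains to the certificate the local Consul agent serves on 8501 (for example with openssl verify against the agent's cert_file); if that check fails, Vault will fail its storage migration check with exactly the x509 error quoted earlier in the thread.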