End to end tls for Vault

I am setting up a new production Vault cluster in Azure using VMs. The setup consists of a 5 node consul cluster for the storage backend and a 3 node Vault cluster.

In terms of TLS, I have set up self signed certificates for the Vault nodes and configured them to use HTTPS.

To have end to end tls, do I need to configure consul to use tls and distribute certificates to the consul clients on the Vault server?

What’s the best practice here and does anyone have any guides I can follow? I followed the consul guide for enabling RPC encryption but it messes up Vault as consul complains that the cert is signed by an unknown authority. It's making me wonder if I need to do this to have full end to end tls

Great question! We have a general deployment guide here and as I look at it, I note that Consul’s TLS isn’t configured in it. Consul does support TLS and it would be preferable to use it. To that end, here’s a short example. Your question is broader than the short example, so I think this should cover the rest.

Thanks @tyrannosaurus-becks. The last link is what I was using to configure the tls for Vault. I spun down and spun up the cluster again and followed the guide all the way. I’m still getting the following error message: storage migration check error: error="Get https://127.0.0.1:8501/v1/kv/vault/core/migration: x509: certificate signed by unknown authority"

Any ideas what I’m missing?

Hi. That error is occurring while Vault is attempting a storage read. Have you configured the storage stanza of Vault to include TLS information for consul? e.g. these parameters: https://www.vaultproject.io/docs/configuration/storage/consul.html#tls_ca_file

Hi @kalafut, thanks for your message. I figured out that it was that tls config that was missing from the storage stanza, so it’s working now. I meant to update the status of it here but have been swamped with other configurations for the cluster.

Thanks all for your help.

1 Like

Apologies for resurrecting this thread from the dead. Just needed additional clarification.

So, if you have a Vault+Consul cluster and you want to implement end-to-end TLS, is it accurate to say you need all the following:

In the Consul Servers and Clients config files, you need to specify the following parameters:
key_file
cert_file
ca_file

In the Vault Servers config files, you need to specify the following in the listener stanza:
tls_cert_file
tls_key_file

Additionally, you need to specify the following in the storage (consul) stanza:
tls_cert_file
tls_key_file
tls_ca_file

Is that correct?

1 Like
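The configuration the thread converges on (the missing `tls_ca_file` in the storage stanza that caused the `x509: certificate signed by unknown authority` error, and the parameter checklist in the last post), written out as an added example. This is not configuration from the original thread or from HashiCorp's guides; file paths, hostnames, the datacenter name and the number of nodes are assumptions for illustration. The three files below are meant to be read together: the Consul server agents, the Consul client agent that runs on each Vault node, and the Vault server itself.

```hcl
# --- /etc/consul.d/server.hcl  (each of the 5 Consul server nodes; paths assumed) ---
datacenter       = "dc1"
data_dir         = "/opt/consul/data"
server           = true
bootstrap_expect = 5

# Disable the plaintext HTTP API and serve HTTPS on 8501, the port Vault dials.
ports {
  http  = -1
  https = 8501
}

# Certificates issued by the Consul CA (separate from the Vault listener CA).
ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"
cert_file = "/etc/consul.d/tls/dc1-server-consul.pem"
key_file  = "/etc/consul.d/tls/dc1-server-consul-key.pem"

# verify_incoming makes every RPC and HTTPS caller present a certificate signed
# by ca_file; that is why Vault's storage stanza needs tls_cert_file/tls_key_file.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true

# --- /etc/consul.d/client.hcl  (Consul client agent on each of the 3 Vault nodes) ---
datacenter = "dc1"
data_dir   = "/opt/consul/data"
server     = false
retry_join = ["consul-1.example.internal", "consul-2.example.internal", "consul-3.example.internal"]

ports {
  http  = -1
  https = 8501
}

# Same CA as the servers; client-specific leaf certificate.
ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"
cert_file = "/etc/consul.d/tls/dc1-client-consul.pem"
key_file  = "/etc/consul.d/tls/dc1-client-consul-key.pem"

verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true

# --- /etc/vault.d/vault.hcl  (each Vault node) ---
# Client-facing listener: the certificate operators and applications see.
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/tls/vault-node.pem"
  tls_key_file    = "/etc/vault.d/tls/vault-node-key.pem"
  tls_min_version = "tls12"
}

# Storage backend: Vault talks to the local Consul client agent over HTTPS.
storage "consul" {
  address = "127.0.0.1:8501"
  scheme  = "https"
  path    = "vault/"

  # Must be the Consul CA, not the CA that signed the Vault listener cert.
  # Omitting it is what produces "certificate signed by unknown authority".
  tls_ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"

  # Presented to Consul because the agents set verify_incoming = true.
  tls_cert_file = "/etc/vault.d/tls/vault-consul-client.pem"
  tls_key_file  = "/etc/vault.d/tls/vault-consul-client-key.pem"

  # Keep verification on; tls_skip_verify = true would hide a mismatched CA
  # rather than fix it.
  tls_skip_verify = false
}

api_addr     = "https://vault-node.example.internal:8200"
cluster_addr = "https://vault-node.example.internal:8201"
```

Two things worth checking when this is applied. First, the CA referenced by `tls_ca_file` in the storage stanza must be the one that issued the Consul agent certificates; a Vault cluster typically has two distinct chains (one for the Vault listener, one for Consul), and pointing Vault at the wrong one reproduces the error in the thread. Second, the certificate in `tls_cert_file` under the storage stanza is a client certificate for Consul, so it must also chain to the Consul CA; reusing the Vault listener certificate there will be rejected by an agent running with `verify_incoming = true`.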