Hi, I am a Consul / Nomad newbie and I’m in the process of setting up my first cluster. I’ve deployed Nomad and Consul successfully in a basic configuration with server A running consul server / nomad server, and server B running consul client / nomad client. I have ACL and TLS enabled on both Consul and Nomad and everything seems OK in the Consul dashboard.
I am following the tutorial at Consul ACL with Nomad Workload Identities | Nomad | HashiCorp Developer to set up Nomad so that it can authenticate with the consul ACL when submitting jobs. However, I’ve run into an issue adding the authentication method. Firstly, I had to change the snippet from the tutorial to be HTTPS and to target the IP my nomad server was listening on at 10.0.0.2. When I try to execute the command
consul acl auth-method create -name 'nomad-workloads' -type 'jwt' -description 'JWT auth method for Nomad services and workloads' -config '@nomad-workload-auth-method.json' I get the following error:
Failed to create new auth method: Unexpected response code: 500 (Invalid Auth Method:
error checking JWKSURL: fetching keys oidc: get keys failed Get "https://10.0.0.2:4646/.well-
known/jwks.json": tls: failed to verify certificate: x509: certificate signed by unknown
My assumption here based on the 500 error code is this is a request the Consul agent is making, rather than my CLI, and it is failing to verify the certificate authority.
What I’ve tried: I realized that I had configured the cluster with two separate CAs for nomad and Consul following the separate tutorials, however I unified these under one CA but the same error persisted. I also found this note about mutual TLS but setting
tls.verify_https_client to false in the Nomad client and server configuration hasn’t changed anything either.
What’s interesting is that I am able to do
curl https://10.0.0.2:4646/.well-known/jwks.json --cacert ~/certs/cluster-agent-ca.pem (with my shared CA) and I get the JWKS returned just fine. So I suppose it may be possible to set up a proxy to the Nomad JWKS endpoint, which is one of the other recommendations in the documentation, but I’m wondering if there may be an easier way out…
Thanks in advance for any help you may be able to provide