Issue with updating / replacing intermediate certificate + wildcard cert on Vault / Consul cluster (DigiCert)

Hello,

I have to replace the existing wildcard cert, signed by DigiCert, with a new one. I saw that Consul is unable to connect to the cluster. The old one looks like this:

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, L = Frankfurt am Main, O = <redacted>, CN = *.example.com
verify return:1

The new one looks like this:

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Hessen, L = Frankfurt am Main, O = <redacted>, CN = *.example.com
verify return:1

I tried to disable verify … on incoming and outgoing … on a Consul server to make the consul agent work (again), but it made it worse … and the Consul server was pretty unhappy, so I had to revert my changes.

The settings:

...
   "cert_file": "/etc/ssl/private/example_chain.crt",
   "key_file": "/etc/ssl/private/example.com.key",
   "ca_path": "/usr/share/ca-certificates/example/",
   "tls_min_version": "tls12",
   "tls_cipher_suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
   "disable_anonymous_signature": false,
   "disable_remote_exec": true,
   "verify_incoming": false,
   "verify_incoming_rpc": true,
   "verify_outgoing": true,
...

That means I have to replace it all at once … which is pretty dangerous … Is there a way to make it possible that the node is also able to talk to the nodes with the old certificate?

cu denny
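An added example, not part of the post and not Consul's own code: a throwaway openssl lab that reproduces the situation above (two wildcard chains under unrelated roots, standing in for DigiCert Global Root CA and Global Root G2) and checks each peer's chain against a ca_path holding only the old root versus one holding both. It assumes that verification against Consul's `ca_path` behaves like `openssl verify -CApath`; all certificate names and directories are constructed.

```shell
#!/bin/sh
# Constructed lab, not from the post: two throwaway roots stand in for
# "DigiCert Global Root CA" (old chain) and "DigiCert Global Root G2" (new chain).
set -eu
WORK=$(mktemp -d)
# Minimal req config so root and intermediate carry CA:TRUE whatever the system openssl.cnf says.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# make_chain <label>: root -> intermediate -> *.example.com leaf, the shape of both chains in the post.
make_chain() {
  d="$WORK/$1"; mkdir -p "$d"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1 Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1 Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$d/int.crt" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=*.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/leaf.crt" 2>/dev/null
}
# add_root <ca_path> <root.crt>: install a trust anchor. The subject-hash filename is what openssl's
# -CApath lookup needs; Consul itself simply reads the files placed in ca_path.
add_root() { mkdir -p "$1"; cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"; }
# verify_chain <ca_path> <leaf.crt> <intermediate.crt>: 0 only if the leaf chains up to a root in ca_path,
# i.e. the check a peer with verify_outgoing / verify_incoming applies to the presented chain (assumption).
verify_chain() { openssl verify -no-CAfile -CApath "$1" -untrusted "$3" "$2" >/dev/null 2>&1; }

make_chain old; make_chain new
add_root "$WORK/only_old" "$WORK/old/root.crt"   # ca_path as it is today: old root only
add_root "$WORK/both" "$WORK/old/root.crt"       # ca_path for the rollover: old and new root side by side
add_root "$WORK/both" "$WORK/new/root.crt"
for ca in only_old both; do
  for chain in old new; do
    if verify_chain "$WORK/$ca" "$WORK/$chain/leaf.crt" "$WORK/$chain/int.crt"; then r=ok; else r=FAIL; fi
    echo "ca_path=$ca peer_chain=$chain -> $r"
  done
done
```

With only the old root trusted, the peer presenting the new chain fails verification; once both roots sit in ca_path, both chains verify, which is the state to reach on every node before any node's cert_file is swapped.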