2020-08-06T18:18:48.158Z [INFO] agent.server.connect: initialized primary datacenter CA with provider: provider=consul
2020-08-06T18:18:48.158Z [INFO] agent.leader: started routine: routine="federation state anti-entropy"
2020-08-06T18:18:48.158Z [INFO] agent.leader: started routine: routine="federation state pruning"
2020-08-06T18:18:48.158Z [INFO] agent.leader: started routine: routine="CA root pruning"
Q. Do the “Connect CA” messages continue after restarting the servers?
A. Yes, they continue even after restarting the servers. I even tried deleting the data folder and starting fresh… but it still shows Consul as the CA provider. Verified the root certificate from the /v1/ca/connect/roots endpoint as well.
I had a similar issue with the CA configuration not being updated properly. I had to “helm delete” the chart and manually delete the persistent volume claims from Consul so the changes were reflected on the next installation.
I thought you were using persistent volumes. BTW, verify whether there is anything else you can delete so your configuration is updated correctly. You can also try calling the Consul Connect API to update the CA provider on the fly.
For Vault, the documentation states that Consul creates and mounts the paths on its own for:
root_pki_path
intermediate_pki_path
RootPKIPath / root_pki_path ( string: <required> ) - The path to a PKI secrets engine for the root certificate. If the path doesn’t exist, Consul will attempt to mount and configure this automatically.
IntermediatePKIPath / intermediate_pki_path ( string: <required> ) - The path to a PKI secrets engine for the generated intermediate certificate. This certificate will be signed by the configured root PKI path. If this path doesn’t exist, Consul will attempt to mount and configure this automatically.
As for the Vault information - when you launch Consul, do you see those paths created in Vault at all?
Also - I have heard from several people this is a pain point, but there is content coming that will help alleviate this pain point. I’ll be sure to post it here and in the Consul/Vault forums when launched.
Thank you so much… After tallying the config, I realised that I was missing a semicolon after the ca_config attributes. After fixing that, Vault as the CA appeared in the logs and the corresponding paths were created in Vault.
One thing to improve here: when I specify the config in an .hcl file, it gives no errors in the log; however, if I rename the config to a .json file, it gives me the errors, and that's when we get to know if there are parsing issues.
This is something .hcl-formatted files should come up with… the right error logging, if there are any errors.
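For reference, here is what the server-side Connect stanza for the Vault CA provider discussed above (the root_pki_path / intermediate_pki_path settings and the ca_config block whose syntax caused the silent failure) looks like when written out. This is an added example, not a config posted in the thread; the Vault address, the token placeholder and the two PKI mount names are assumptions, and the token should be a Vault token scoped to those two PKI mounts rather than a root token.

```hcl
# Consul server agent configuration fragment (added example; values are assumptions).
connect {
  enabled     = true
  ca_provider = "vault"

  ca_config {
    # Vault server the Consul servers will talk to (assumed address).
    address = "https://vault.example.internal:8200"

    # Placeholder: use a Vault token limited to the two PKI mounts below,
    # never a root token, and rotate it like any other service credential.
    token = "<VAULT_TOKEN_PLACEHOLDER>"

    # PKI secrets engine mounts. If they do not exist, Consul mounts and
    # configures them itself (assumed mount names).
    root_pki_path         = "connect-root"
    intermediate_pki_path = "connect-intermediate"
  }
}
```

After a server restart, GET /v1/connect/ca/configuration on a server should report "Provider": "vault", and the two mounts should be listed in Vault; if the provider still reads "consul", the block did not parse, which is exactly the case the .json rename in the thread surfaced.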