Hi @heatzync,
When you enable auto_encrypt, the Consul Client agent certificates are signed by the ConnectCA (built-in CA in Consul).
So, when your Nomad agents communicate with Consul Agents using Auto-Encrypt certificates, you should be using the ConnectCA CA Certificate in the ca_file option in the consul {} block of Nomad configuration.
You can fetch the ConnectCA CA Cert by hitting the following endpoint.
$ curl 127.0.0.1:8500/v1/connect/ca/roots | jq -r '.Roots[].RootCert' > ca.crt
ref: Certificate Authority - Connect - HTTP API | Consul | HashiCorp Developer
I hope this helps.
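Added example, not part of the reply above and not HashiCorp code: the ca.crt written by that curl command is a snapshot, so after a ConnectCA rotation Nomad's ca_file can stop trusting the active root. This sketch compares a saved `/v1/connect/ca/roots` response with the bundle on disk by certificate fingerprint. The function names are hypothetical, and the sample roots are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprints of the decoded bytes of every certificate block."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def check_ca_file(roots_json, ca_file_text):
    """Compare a ca_file bundle with a /v1/connect/ca/roots response."""
    on_disk = pem_fingerprints(ca_file_text)
    current, missing, active_trusted = set(), [], False
    for root in json.loads(roots_json)["Roots"]:
        fps = pem_fingerprints(root["RootCert"])
        current |= fps
        # An empty or malformed RootCert never counts as present.
        present = bool(fps) and fps <= on_disk
        if not present:
            missing.append(root["ID"])
        elif root.get("Active"):
            active_trusted = True
    return {"active_root_trusted": active_trusted,
            "missing_root_ids": missing,
            "not_in_consul": sorted(on_disk - current)}

def _constructed_pem(seed):
    # Constructed placeholder, not a real X.509 certificate: only the PEM
    # framing matters because the check hashes the decoded bytes.
    body = base64.b64encode(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

OLD_ROOT = _constructed_pem(b"old-root")
NEW_ROOT = _constructed_pem(b"new-root")
# Constructed response: the CA was rotated, so two roots are listed.
SAMPLE_ROOTS = json.dumps({"ActiveRootID": "new", "Roots": [
    {"ID": "old", "RootCert": OLD_ROOT, "Active": False},
    {"ID": "new", "RootCert": NEW_ROOT, "Active": True}]})

if __name__ == "__main__":
    print(check_ca_file(SAMPLE_ROOTS, OLD_ROOT))             # stale ca.crt
    print(check_ca_file(SAMPLE_ROOTS, OLD_ROOT + NEW_ROOT))  # current ca.crt
```

A non-empty missing_root_ids or a false active_root_trusted means ca.crt should be regenerated and the Nomad agent reloaded.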