Puzzled with CA certs

Hi everyone,

I’m confused with managing Consul’s internal CA and cert distribution.

From what I know, to enable TLS in Consul (using self-signed certificates generated by Consul), the first step is to generate a CA certificate and key file using the consul tls ca create command. This creates two files:

  • consul-agent-ca.pem
  • consul-agent-ca-key.pem

According to the Deployment Guide, the first file (consul-agent-ca.pem) is used with the ca_file parameter and needs to be copied over to all agents in order to enable all agents to verify certificates issued by this CA.

But when I try to use the HTTPS interface to query the API, I receive an error:

> consul catalog services
Error listing services: Get "https://127.0.0.1:8501/v1/catalog/services": x509: certificate signed by unknown authority
> set | grep CONSUL_CACERT
CONSUL_CACERT=/etc/consul.d/CA/consul-agent-ca.pem
> openssl x509 -text -in ${CONSUL_CACERT}
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            19:58:6f:c9:52:f3:63:58:e8:a3:5c:56:42:99:98:22
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = CA, L = San Francisco, street = 101 Second Street, postalCode = 94105, O = HashiCorp Inc., CN = Consul Agent CA 33689889316172641290330051500966516770
        Validity
            Not Before: Aug 18 16:29:01 2022 GMT
            Not After : Aug 17 16:29:01 2027 GMT
        Subject: C = US, ST = CA, L = San Francisco, street = 101 Second Street, postalCode = 94105, O = HashiCorp Inc., CN = Consul Agent CA 33689889316172641290330051500966516770
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ff:b5:4b:8f:07:32:9f:ac:87:f3:bd:e6:aa:51:
                    11:85:8e:61:65:a2:ee:2a:11:58:26:7e:6d:0b:3e:
                    78:5a:a9:77:5c:fa:36:4b:87:89:14:82:66:07:de:
                    d3:a9:89:1f:8a:7d:e0:ef:09:a2:08:8e:4c:4f:49:
                    63:96:33:51:01
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                D5:49:88:B5:5B:5C:CA:26:53:1B:B7:85:E7:76:1B:CE:B9:B8:A2:6B:02:01:B3:C1:5A:8C:3F:84:D2:B4:94:C4
            X509v3 Authority Key Identifier:
                keyid:D5:49:88:B5:5B:5C:CA:26:53:1B:B7:85:E7:76:1B:CE:B9:B8:A2:6B:02:01:B3:C1:5A:8C:3F:84:D2:B4:94:C4

    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6b:78:23:d6:a5:b4:4a:45:97:fb:7e:29:a8:bf:
         eb:f9:76:81:0c:23:f0:c2:f5:d5:fd:a4:12:b5:d5:63:4b:21:
         02:20:28:04:a5:1f:68:a4:a9:5b:00:ea:76:82:ce:95:d7:c7:
         0f:db:53:68:9a:e1:75:f6:dd:ff:ac:23:35:33:54:21

Following a hint from Discuss user @laukaichung in another thread, one must grab the HTTP cert via HTTP, store it somewhere and set CONSUL_CACERT pointing to that file, which differs from what’s in the file /etc/consul.d/CA/consul-agent-ca.pem from CA generation:

> curl -k  http://127.0.0.1:8500/v1/connect/ca/roots | jq -r '.Roots[]."RootCert"' >> /ca.cert
> openssl x509 -text -in /ca.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = pri-1v38s674.consul.ca.130259ea.consul
        Validity
            Not Before: Aug 18 16:29:22 2022 GMT
            Not After : Aug 15 16:29:22 2032 GMT
        Subject: CN = pri-1v38s674.consul.ca.130259ea.consul
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ab:7e:cd:8a:f4:c7:b5:0b:0d:94:46:c2:73:4a:
                    ff:23:60:1f:ac:43:57:5a:d1:03:d4:88:c2:a8:2d:
                    1f:ee:f3:61:2d:d1:32:13:a2:8e:81:80:39:08:1f:
                    18:29:d4:ae:73:a6:a6:00:51:d6:7c:1d:1b:c7:0b:
                    b2:02:4c:63:75
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                7E:6B:D2:C4:75:0E:BE:8F:BB:24:8C:77:B5:50:A9:CB:79:8E:48:03:2E:7F:A6:3F:44:E2:A5:6E:65:22:3E:F3
            X509v3 Authority Key Identifier:
                keyid:7E:6B:D2:C4:75:0E:BE:8F:BB:24:8C:77:B5:50:A9:CB:79:8E:48:03:2E:7F:A6:3F:44:E2:A5:6E:65:22:3E:F3

            X509v3 Subject Alternative Name:
                URI:spiffe://130259ea-c3ab-37d1-abf1-39af49c537fc.consul
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:d0:5f:c9:51:ce:dd:11:b5:22:c2:e2:65:dd:
         7c:50:93:b9:8c:0e:79:b5:1a:86:8c:67:50:83:7a:6f:84:94:
         7e:02:21:00:b9:15:c9:21:92:5b:b2:d9:27:5c:fe:47:3f:95:
         ef:40:85:7b:e2:45:a7:80:bf:26:f6:8d:34:bb:a7:e0:cc:6b

From here, I am totally puzzled about which cert I need to set for tls.defaults.ca_file / ${CONSUL_CACERT}. I mean, obviously I know my tools and how to extract whatever certificate from wherever, but I have no idea how I need to set up the TLS parts here to make them work. Consul acts as if I am dealing with completely different TLS chains here, even though I followed the Deployment Guide on this and the CA file I configured (and even added to /usr/local/share/ca-certificates/consul_ca_root_certs.crt and ran update-ca-certificates) seems to be the correct one to verify the authenticity of the HTTPS API just fine:

> set | grep CONSUL_CACERT
CONSUL_CACERT=/etc/consul.d/CA/consul-agent-ca.pem
> openssl verify -verbose -CAfile ${CONSUL_CACERT} /ca.cert
/ca.cert: OK

Can someone tell me what I need to do to have working Auto Encryption and a working Consul CA that issues server certificates, other than what I have done already?

Best regards,
Marc

Hi @The-Judge,

The key difference to understand here is that when using auto-encrypt, only the Consul Server Agent certificates are signed by the CA created using consul tls ca create. The Client agent certificates are signed using an internal CA (ConnectCA), the same CA used to create dynamic certs for the services running inside the Consul Service Mesh.

Keeping the above in mind, when interacting over HTTPS with a Consul Client Agent (that has TLS using auto-encrypt), it will present a certificate signed by the ConnectCA. This requires your clients to trust the ConnectCA roots in order to set up a trusted connection.

You can fetch the ConnectCA roots and related information using the /v1/connect/ca/roots API endpoint.

$ curl http://localhost:8500/v1/connect/ca/roots

The following documentation will help you learn more about the ConnectCA:

I hope this helps.