TLS certificates are not renewed with Vault backend

Hello!

I have an issue with my Consul deployment configured with Vault as a secret backend. In my logs, I can see for the communication between my 2 gateway instances:

grpc/logging.go:55: consul-api-gateway-server.sds-server: [core][Server #1] grpc: Server.Serve failed to create ServerTransport: connection error: desc = "ServerHandshake(\"10.42.0.175:37670\") failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-11-04T12:50:51Z is after 2022-10-27T09:40:06Z" 

So I assume something has not happened, but I have no idea how this certificate is supposed to be renewed.

In the Consul server, I can see:

2022-11-04T16:29:38.739Z [INFO] connect.ca.vault: Successfully renewed token for Vault provider 

So I assume it’s partially working…

Any idea where I should look?

If anybody encounters this issue: it was linked to the certificate chain, which wasn't coherent. The root CA for Consul was about to expire and you cannot renew it. I had to recreate a root CA with a very long TTL and reconfigure everything. It is all right now :slight_smile:
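The failure mode described in the resolution, as an added example that is not part of the thread and not Consul or Vault code: a root CA whose own expiry date falls before the expiry of the leaf certificates it issued. Consul keeps renewing the Vault token and the leaves look fine on their own, but the TLS handshake still fails the moment the root's notAfter passes. The program below (Go, standard library only) builds two constructed chains, one with a short-lived root and one with a long-lived root, reports the chain's effective expiry and any certificate whose validity window is wider than its issuer's, and verifies the leaf at the handshake time from the log. Certificate names, the 7-day and 10-year root TTLs and the dates are all assumptions chosen to mirror the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed timeline loosely mirroring the thread (assumption, not real data):
// certificates are issued on 2022-10-20 and the failing handshake is on 2022-11-04.
var (
	issuedAt  = time.Date(2022, 10, 20, 0, 0, 0, 0, time.UTC)
	handshake = time.Date(2022, 11, 4, 12, 50, 51, 0, time.UTC)
)

// ChainReport summarises how long a chain is actually usable.
type ChainReport struct {
	EffectiveNotAfter time.Time // earliest NotAfter in the chain: when the chain really stops working
	LimitingSubject   string    // CN of the certificate that imposes that limit
	Incoherent        []string  // CNs whose validity window extends beyond their issuer's
}

// InspectChain takes a chain ordered leaf -> root and flags the incoherence
// from the thread: a certificate that outlives the CA that signed it.
func InspectChain(chain []*x509.Certificate) ChainReport {
	var r ChainReport
	for i, c := range chain {
		if i == 0 || c.NotAfter.Before(r.EffectiveNotAfter) {
			r.EffectiveNotAfter = c.NotAfter
			r.LimitingSubject = c.Subject.CommonName
		}
		if i+1 < len(chain) {
			issuer := chain[i+1]
			if c.NotAfter.After(issuer.NotAfter) || c.NotBefore.Before(issuer.NotBefore) {
				r.Incoherent = append(r.Incoherent, c.Subject.CommonName)
			}
		}
	}
	return r
}

// VerifyAt does what the gRPC server does during the TLS handshake: validate the
// client certificate against the trusted root at a given point in time.
func VerifyAt(leaf, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// BuildChain creates a self-signed root valid from issuedAt for rootTTL and a
// client certificate signed by it valid for leafTTL, returned as leaf -> root.
func BuildChain(rootTTL, leafTTL time.Duration) ([]*x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Consul Agent CA (constructed)"},
		NotBefore:             issuedAt,
		NotAfter:              issuedAt.Add(rootTTL),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// No issuer-side cap is applied here, so a leaf TTL longer than the root's
	// remaining lifetime produces exactly the incoherent chain from the thread.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "gateway (constructed)"},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(leafTTL),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, root}, nil
}

func main() {
	// Short-lived root (the broken state) versus a long-lived root (the fix).
	for _, rootTTL := range []time.Duration{7 * 24 * time.Hour, 10 * 365 * 24 * time.Hour} {
		chain, err := BuildChain(rootTTL, 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
		r := InspectChain(chain)
		fmt.Printf("root TTL %v: usable until %s (limited by %q), incoherent: %v\n",
			rootTTL, r.EffectiveNotAfter.Format(time.RFC3339), r.LimitingSubject, r.Incoherent)
		if err := VerifyAt(chain[0], chain[1], handshake); err != nil {
			fmt.Printf("  handshake at %s fails: %v\n", handshake.Format(time.RFC3339), err)
		} else {
			fmt.Printf("  handshake at %s succeeds\n", handshake.Format(time.RFC3339))
		}
	}
}
```

With the 7-day root the report names the root CA as the limiting certificate, lists the gateway leaf as incoherent, and the handshake on 2022-11-04 fails with the same "certificate has expired or is not yet valid" error as in the log, even though the leaf itself is valid until January. With the 10-year root the leaf is the limiting certificate, nothing is incoherent, and the handshake succeeds. To run the same check against real material, decode the PEM files with pem.Decode and x509.ParseCertificate, or read the dates with openssl x509 -noout -dates on each certificate and compare the root's enddate with the leaves'.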