TLS certificate are not renewed with Vault backend

val · November 4, 2022, 5:10pm

Hello !

I’ve an issue with my consul deployment configure with Vault as a secret backend. In my logs, I can see for the communication between my 2 gateways instances:

grpc/logging.go:55: consul-api-gateway-server.sds-server: [core][Server #1] grpc: Server.Serve failed to create ServerTransport: connection error: desc = "ServerHandshake(\"10.42.0.175:37670\") failed: tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2022-11-04T12:50:51Z is after 2022-10-27T09:40:06Z"

So I assume something has not happened, but I have no idea how this certificate is supposed to be renewed.

In consul server, I can see:

2022-11-04T16:29:38.739Z [INFO] connect.ca.vault: Successfully renewed token for Vault provider

So I assume it’s partially working…

Any idea on where I should watch ?

val · December 9, 2022, 4:53pm

If anybody encounter this issuer, it was linked to the certification chain which wasn’t coherent. The root CA for consul was about to expire and you cannot renew it. I had to recreate a root CA with a very long TTL and reconfigure everything. It is alright now

Topic		Replies	Views
Consul Connect: Vault as a CA \| connect proxy communication issue \| x509 certificate has expired or is not yet valid Consul connect	1	986	August 13, 2020
Consul Connect CA w/ Vault Consul	4	1164	January 14, 2021
Consul TLS cert rotation for Consul Client and Server on Kubernetes Consul k8s , helm	4	1083	March 8, 2024
Root certificate rotation ends up in "x509: certificate has expired or is not yet valid" Consul	0	3075	March 3, 2021
Consul-teamplate not able to renew vault token K8s Vault k8s	1	1692	September 10, 2020

TLS certificate are not renewed with Vault backend

Related topics