TLS Encryption : Need Help on "x509: certificate signed by unknown authority" / Unclear documentation

Hi ,
I am following this documentation

My error is saying the certificate does not match with the domain created

I need more clarity on this command

$ consul tls ca create

For example
Server name : example.dev.corp.com

What should be passed as domain ?

Is this the correct way to create certificate for the domain

consul tls ca create --domain=dev.corp.com -name-constraint=dev.corp.com

I would appreciate a similar example for below command:

consul tls cert create -server

Example hostname server1.dev.corp.com

I need a real time scenario example as i am not able to proceed with the cluster TLS encryption.

A lot of people had similar issues reported here . But they had set ''verify_server_hostname = false ‘’ and got the cluster working

The documentation clear says the below :

Without verify_server_hostname = true` an attacker could compromise a Consul client agent and restart the agent as a server in order to get access to all the data in your datacenter! This is why server certificates are special, and only servers should have them provisioned.

I would appreciate help on this matter .

Error:
020-09-22T10:18:27.214Z [ERROR] agent.anti_entropy: failed to sync remote state: error="rpc error getting client: failed to get conn: x509: certificate is valid for server.dctest.consul, localhost, not server.dc1.consul"

This is causing issues further down the line when i am trying to add new client agents. With ACL

Similar issues -

@blake

Inspite of mentioning --domain and -name-constraint

While creating certificate using TLS , i am still getting the same error

not server.dc1.consul

How to override this check , to verify with correct name
Consul only verifies my -name-constraint passed with server.dc1.consul

CN = server.dc1.consul
This needs to be overridden with different value while creating the certificates,
Is the any option or work around for this ?

I couldn’t find any document or suggestion from this site that could help .
Any help would be appreciated

Hello,

You should use the following flags when generating certificates :

consul tls cert create -server -dc="dc1" -additional-ipaddress="172.16.32.10" -domain="consul.company.com" -additional-dnsname="consul-dc1.server.dc1.consul.company.com"

You are missing some SAN fields in your current certificates. I am pretty sure that the IP flag is also mendatory as I had the same kind of message as you do but with IPs.

Hope it helps.

Regards,
Marius