Tls: failed to verify client certificate: x509: certificate specifies an incompatible key usage

hi,

We are getting the error "tls: failed to verify client certificate: x509: certificate specifies an incompatible key usage" after upgrading our Consul cluster from ver. 1.5.0 to ver. 1.10.1.

Cluster is secured with private CA Root and certificates generated manually with openssl.

The docs say:

Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS,
Consul requires that all servers have certificates that are signed by a single Certificate
Authority (CA). Clients should also have certificates that are authenticated with the same CA.

Our server and client certificates are all signed by our own single CA, and it worked pretty well in 1.5.0.

Did Consul change the requirements for the certificates, the KeyUsage extension in particular?

Here is our CA:

# openssl x509 -in /etc/consul/ca_cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15108077621273896588 (0xd1aaac8cef0f268c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=consulroot, DC=acme, DC=com
        Validity
            Not Before: Jan  9 23:15:21 2019 GMT
            Not After : Jan 22 23:15:21 2047 GMT
        Subject: CN=consulroot, DC=acme, DC=com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:d3:5a:f1:e5:d8:30:71:95:e5:21:08:0a:92:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D:C5:4E:AC:D3:56
            X509v3 Authority Key Identifier: 
                keyid:43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D:C5:4E:AC:D3:56
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

and here is the server certificate:

# openssl x509 -in /etc/consul/server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1557925085 (0x5cdc0cdd)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=consulroot, DC=acme, DC=com
        Validity
            Not Before: May 15 12:58:05 2019 GMT
            Not After : May 12 12:58:05 2029 GMT
        Subject: C=US, ST=MA, L=Boston, O=ACME, CN=server-01e.acme.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ed:21:2e:d8:06:a1:1f:da:b1:6b:06:95:21:10
                    39:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Key Usage: 
                Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                03:0C:58:4F:0F:76:E4:73:11:E1:8A:3C:6A:FC:E1:50:81:87
            X509v3 Authority Key Identifier: 
                keyid:43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D

    Signature Algorithm: sha256WithRSAEncryption
         44:1c:f3:2f:21:45:e8:0d:ce:8b:14:27:e7:4a:32:8f:e3:61:

So the question is: what is causing this incompatible key usage error?

Are there up-to-date instructions on how to generate a private CA and server/client certs with OpenSSL?

Hello, do you have the steps used to generate your certificates?

Our latest documented steps to generate certs with OpenSSL are here: https://learn.hashicorp.com/tutorials/consul/tls-encryption-openssl-secure

Do the certs generated from above still cause the issue?

Confirmed: our custom-built certificates were the problem.
The problem was gone after we generated new TLS certs.

I just ran into this issue, and the problem is (I think) the key extensions. The quick guide creates a cert without any extensions and thus no specific limitations. I /would/ like to limit them, but cannot find a list of required extensions for Consul server certificates.
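The error string quoted at the top of the thread is produced by Go's crypto/x509 package, which is what Consul (a Go program) relies on for TLS peer verification: when a server verifies a client certificate, the chain is checked for the clientAuth extended key usage, and when a client verifies a server, for serverAuth. A certificate with no Extended Key Usage extension at all passes either check, which is why the "no extensions" certificates from the quick guide work, while a certificate whose EKU lists only one of the two is rejected for the other role with exactly this error. The following program is an added example written for this page, not Consul's own code or anything from the OpenSSL tutorial: it builds a throwaway CA and leaf in memory (all names are constructed) and runs the same `x509.Verify` check for each combination, so a practitioner can see which EKU sets are accepted as client, as server, or both. It is worth noting that the server certificate dump above also lists the Key Usage and Extended Key Usage extensions twice each, which is unusual on its own and easy to catch by inspecting a freshly generated certificate with `openssl x509 -text`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root shaped like the poster's CA: CA:TRUE basic
// constraints and no EKU. The subject name is constructed test data.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newLeaf issues an end-entity certificate carrying exactly the given extended
// key usages; a nil slice omits the EKU extension entirely.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "agent-01.example.test"}, // constructed
		DNSNames:              []string{"agent-01.example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAs runs the chain check Go's TLS stack applies to a peer certificate,
// with the requested EKU (ClientAuth for a client cert, ServerAuth for a server
// cert). It returns (accepted, rejectedForIncompatibleKeyUsage, otherErr).
func VerifyAs(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) (bool, bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	if err == nil {
		return true, false, nil
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage {
		// This is "x509: certificate specifies an incompatible key usage",
		// the error quoted in the thread.
		return false, true, nil
	}
	return false, false, err
}

// Scenario builds a fresh CA and leaf with the given EKUs and verifies the leaf
// for the requested usage.
func Scenario(eku []x509.ExtKeyUsage, usage x509.ExtKeyUsage) (bool, bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, false, err
	}
	leaf, err := newLeaf(ca, caKey, eku)
	if err != nil {
		return false, false, err
	}
	return VerifyAs(leaf, ca, usage)
}

func main() {
	sets := map[string][]x509.ExtKeyUsage{
		"no EKU":       nil,
		"serverAuth":   {x509.ExtKeyUsageServerAuth},
		"clientAuth":   {x509.ExtKeyUsageClientAuth},
		"server+client": {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for name, eku := range sets {
		for role, usage := range map[string]x509.ExtKeyUsage{"as client": x509.ExtKeyUsageClientAuth, "as server": x509.ExtKeyUsageServerAuth} {
			ok, badUsage, err := Scenario(eku, usage)
			fmt.Printf("%-14s %-9s accepted=%-5v incompatibleKeyUsage=%-5v err=%v\n", name, role, ok, badUsage, err)
		}
	}
}
```

Agents in a Consul cluster act as both TLS clients and TLS servers towards each other, so a certificate issued for that role needs both serverAuth and clientAuth in its EKU, or no EKU extension at all; the "serverAuth only" row in the output reproduces the failure from the original post.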