Hi,
We are getting the error tls: failed to verify client certificate: x509: certificate specifies an incompatible key usage
after upgrading the Consul cluster from version 1.5.0 to version 1.10.1.
The cluster is secured with a private root CA and certificates generated manually with openssl.
The docs say:
Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS,
Consul requires that all servers have certificates that are signed by a single Certificate
Authority (CA). Clients should also have certificates that are authenticated with the same CA.
Our server and client certificates are all signed by our own single CA, and it worked pretty well in 1.5.0.
Did Consul change the requirements for the certificates, the KeyUsage extension in particular?
Here is our CA:
# openssl x509 -in /etc/consul/ca_cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15108077621273896588 (0xd1aaac8cef0f268c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=consulroot, DC=acme, DC=com
Validity
Not Before: Jan 9 23:15:21 2019 GMT
Not After : Jan 22 23:15:21 2047 GMT
Subject: CN=consulroot, DC=acme, DC=com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:d3:5a:f1:e5:d8:30:71:95:e5:21:08:0a:92:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D:C5:4E:AC:D3:56
X509v3 Authority Key Identifier:
keyid:43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D:C5:4E:AC:D3:56
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
And here is the server certificate:
# openssl x509 -in /etc/consul/server.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1557925085 (0x5cdc0cdd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=consulroot, DC=acme, DC=com
Validity
Not Before: May 15 12:58:05 2019 GMT
Not After : May 12 12:58:05 2029 GMT
Subject: C=US, ST=MA, L=Boston, O=ACME, CN=server-01e.acme.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ed:21:2e:d8:06:a1:1f:da:b1:6b:06:95:21:10
39:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Key Usage:
Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
03:0C:58:4F:0F:76:E4:73:11:E1:8A:3C:6A:FC:E1:50:81:87
X509v3 Authority Key Identifier:
keyid:43:08:7C:1C:CC:09:DC:84:55:BD:AB:3D:68:85:8D
Signature Algorithm: sha256WithRSAEncryption
44:1c:f3:2f:21:45:e8:0d:ce:8b:14:27:e7:4a:32:8f:e3:61:
So the question is: what is causing this incompatible key usage error?
Are there up-to-date instructions on how to generate a private CA and server/client certs with OpenSSL?
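Consul is written in Go, and both parts of the message above come from Go's standard library: crypto/tls adds the "tls: failed to verify client certificate:" prefix, and crypto/x509 reports "certificate specifies an incompatible key usage" when no chain from the presented certificate to the CA pool is valid for the extended key usage the verifier demands. The following is an added example (not from the post or from Consul) that reproduces that check offline with a constructed CA and leaf; the names are taken from the post, the keys are throwaway ECDSA rather than the post's RSA, and each leaf carries a single well-formed EKU extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; acceptable for a constructed demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyAsClientCert builds a constructed self-signed CA (CN=consulroot, as in the post) and a
// leaf carrying exactly the given EKUs, then replays the check a Go TLS server makes on a presented
// client cert (Consul's verify_incoming): chain to the CA and require clientAuth. Returns "" on success.
func VerifyAsClientCert(ekus []x509.ExtKeyUsage) string {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "consulroot"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server-01e.acme.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, // one EKU extension listing every usage
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	println("serverAuth only:", VerifyAsClientCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}))
	println("serverAuth+clientAuth:", VerifyAsClientCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}))
}
```

A leaf whose parsed ExtKeyUsage lacks clientAuth is rejected with exactly the string quoted in the post, while a leaf whose single EKU extension lists both serverAuth and clientAuth passes; when openssl's text output and Go's parsed view of a certificate disagree, the parsed view is the one the verifier acts on.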