TLS handshake failure

Hello, I’ve been unable to resolve some TLS-related errors. These are the errors:

[ERROR] agent.server.memberlist.wan: memberlist: failed to receive: Encryption is configured but remote state is not encrypted

[ERROR] agent.auto_config: No servers successfully responded to the auto-encrypt request

[ERROR] agent.server.rpc: TLS handshake failed: conn=from=13.42.67.159:44830 error="tls: client didn't provide a certificate"

Here is my config.yaml; any insight is greatly appreciated:

global:
  enabled: true
  name: consul
  datacenter: dc1
  image: 'consul:1.8.4'

  gossipEncryption:
    secretName: "consul-gossip-encryption-key"
    secretKey: "key"

  tls:
    enabled: true
    enableAutoEncrypt: true
    httpsOnly: true
    serverAdditionalDNSSANs: ["consul.service.consul"]
    verify: true

server:
  replicas: 3
  bootstrapExpect: 3
  storage: 10Gi
  connect: true
  serverAdditionalDNSSANs: ["consul.service.consul"]

terminatingGateways:
  enabled: true
  defaults:
    replicas: 1

sidecarProxy:
  resources:
    requests:
      memory: 100Mi
      cpu: 100m
    limits:
      memory: 100Mi   # was "100mi"; Kubernetes quantity suffixes are case-sensitive
      cpu: 100m

connectInject:
  enabled: true
  default: false

services:
  backend: backend.service.consul

ui:
  enabled: true
  service:
    type: 'NodePort'

syncCatalog:
  enabled: true
  default: true
  toConsul: true
  toK8s: true

client:
  enabled: true
  grpc: true
  extraVolumes:
    - type: 'secret'
      name: 'consul-gossip-encryption-key'
      load: false
  affinity: null
  resources:
    requests:
      memory: '25Mi'
      cpu: '20m'
    limits:
      memory: '50Mi'
      cpu: '20m'

I’m not really sure how you’re trying to stand up your cluster here, but it seems like you’re either including invalid certificates, or none at all (in the case of that client error).

That auto-encrypt error suggests that the server certificates might not be signed by the same (or a mutually recognised) CA, if I’m not mistaken.

Are your certs in environment variables? I don’t understand how you’re passing your gossip key either; when is that generated?

JJ

I can’t find any certificates, either.

The gossip encryption key is injected using a kubernetes secret. :wink:

2 Likes

Thanks for the reply…

I created the certs via cert-manager, and the certs reside in the same namespace as consul. The gossip key was created the way it is explained in the docs, so I’m missing how to get these certs injected… Do I need to do this via extraConfig? I tried extraVolumes with no success.

I added the following to the config:

caCert:
  secretName: consul-certs
  secretKey: tls.crt
caKey:
  secretName: consul-certs
  secretKey: tls.key

The new error message is:

Unable to attach or mount volumes: unmounted volumes=[consul-ca-cert consul-ca-key], unattached volumes=[consul-ca-cert consul-ca-key consul-tls-init-token-6jqqv]: timed out waiting for the condition

and of course it can’t find it:

MountVolume.SetUp failed for volume "consul-ca-cert" : secret "consul-certs" not found

Hi, I would like to know if this issue is resolved. I also need some help using the certs created by cert-manager. Can you please let me know what/how you are getting the private key for the CA?

Basically I have the same issue and am looking for some help on how to incorporate certs generated by cert-manager. I appreciate your help. Thanks.

Hi!

Well, you could go a few different ways, I suppose, but one way would be to create an intermediate CA in Vault by generating the appropriate CSR that you would sign with your cert-manager-generated CA certificate. You could then write that signed certificate back into Vault and start building roles around this new intermediate CA to generate the certificates that you need in your environment.

There are tutorials on HashiCorp’s Learn pages, or you could follow something like this:
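As an added illustration of the flow sketched in the reply above (example code, not from this thread and not HashiCorp's own tooling), the shell functions below export the cert-manager CA pair from its Kubernetes secret, have Vault generate the intermediate CSR, sign that CSR with the cert-manager CA using openssl, load the signed certificate back into Vault, and create a role scoped to Consul server names. The secret name `consul-ca`, the `consul` namespace, the `pki_int` mount path and the role parameters are assumptions.

```shell
# Added example (not from the thread): sign a Vault PKI intermediate CA with a
# cert-manager CA. Assumed: the cert-manager CA pair is in Kubernetes secret
# $CA_SECRET (namespace $NS), VAULT_ADDR/VAULT_TOKEN are set, and the
# intermediate is mounted at $PKI_INT.
set -eu
NS="${NS:-consul}"
CA_SECRET="${CA_SECRET:-consul-ca}"
PKI_INT="${PKI_INT:-pki_int}"
WORK="${WORK:-$(mktemp -d)}"
# x509 extensions for the intermediate: a CA that can issue leaf certs but,
# with pathlen:0, no further CAs; signing is the only permitted key use.
intermediate_ca_extensions() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n'
  printf 'keyUsage=critical,keyCertSign,cRLSign\n'
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n'
}
# 1. Export the cert-manager CA certificate and private key from its secret.
export_cert_manager_ca() {
  kubectl -n "$NS" get secret "$CA_SECRET" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$WORK/ca.crt"
  kubectl -n "$NS" get secret "$CA_SECRET" -o jsonpath='{.data.tls\.key}' \
    | base64 -d > "$WORK/ca.key"
  chmod 600 "$WORK/ca.key"
}
# 2. Vault generates the intermediate key pair internally and returns only a
#    CSR, so the intermediate's private key never leaves Vault.
generate_intermediate_csr() {
  vault secrets enable -path="$PKI_INT" pki 2>/dev/null || true
  vault write -format=json "$PKI_INT/intermediate/generate/internal" \
    common_name="Consul Intermediate CA" | jq -r '.data.csr' > "$WORK/pki_int.csr"
}
# 3. Sign the CSR with the cert-manager CA, then load the signed cert into Vault.
sign_and_set_intermediate() {
  intermediate_ca_extensions > "$WORK/ca_ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$WORK/pki_int.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/pki_int.crt"
  vault write "$PKI_INT/intermediate/set-signed" certificate=@"$WORK/pki_int.crt"
}
# 4. A role that may only issue server certs for the Consul names used above.
create_consul_role() {
  vault write "$PKI_INT/roles/consul-server" \
    allowed_domains="dc1.consul,consul.service.consul" allow_subdomains=true \
    allow_bare_domains=true server_flag=true max_ttl="720h"
}
# Only functions are defined when sourced; pass "run" to execute the flow.
if [ "${1:-}" = "run" ]; then
  export_cert_manager_ca; generate_intermediate_csr
  sign_and_set_intermediate; create_consul_role
fi
```

Certificates issued from the resulting role chain to the cert-manager CA, so a Consul deployment whose `caCert` secret holds that CA certificate will validate them.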