TLS handshake failure

Hello, I’ve been unable to resolve TLS related errors, these are the errors:

[ERROR] agent.server.memberlist.wan: memberlist: failed to receive: Encryption is configured but remote state is not encrypted

[ERROR] agent.auto_config: No servers successfully responded to the auto-encrypt request

[ERROR] agent.server.rpc: TLS handshake failed: conn=from=13.42.67.159:44830 error=“tls: client didn’t provide a certificate”

Here is my config.yaml, any insights is greatly appreciated:

global:
enabled: true
name: consul
datacenter: dc1
image: ‘consul:1.8.4’

gossipEncryption:
secretName: “consul-gossip-encryption-key”
secretKey: “key”

tls:
enabled: true
enableAutoEncrypt: true
httpsOnly: true
serverAdditionalDNSSANs: ["‘consul.service.consul’"]
verify: true

server:
replicas: 3
bootstrapExpect: 3
storage: 10Gi
connect: true
serverAdditionalDNSSANs: ["‘consul.service.consul’"]

terminatingGateways:
enabled: true
defaults:
replicas: 1

sidecarProxy:
resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 100mi
cpu: 100m

connectInject:
enabled: true
default: false

services:
backend: backend.service.consul

ui:
enabled: true
service:
type: ‘NodePort’

syncCatalog:
enabled: true
default: true
toConsul: true
toK8s: true

global:
enabled: true
name: consul
datacenter: dc1
image: ‘consul:1.8.4’

gossipEncryption:
secretName: “consul-gossip-encryption-key”
secretKey: “key”

tls:
enabled: true
enableAutoEncrypt: true
httpsOnly: true
serverAdditionalDNSSANs: ["‘consul.service.consul’"]
verify: true

server:
replicas: 3
bootstrapExpect: 3
storage: 10Gi
connect: true
serverAdditionalDNSSANs: ["‘consul.service.consul’"]

terminatingGateways:
enabled: true
defaults:
replicas: 1

sidecarProxy:
resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 100mi
cpu: 100m

connectInject:
enabled: true
default: false

services:
backend: backend.service.consul

ui:
enabled: true
service:
type: ‘NodePort’

syncCatalog:
enabled: true
default: true
toConsul: true
toK8s: true

client:
enabled: true
grpc: true
extraVolumes:

  • type: ‘secret’
    name: ‘consul-gossip-encryption-key’
    load: false
    affinity: null
    resources:
    requests:
    memory: ‘25Mi’
    cpu: ‘20m’
    limits:
    memory: ‘50Mi’
    cpu: ‘20m’

I’m not really sure how you’re trying to stand up your cluster here, but it seems like you’re either including invalid certificates, or none at all (in the case of that client error).

That auto-encrypt error suggests that the server certificates might not be signed by the same (or a mutually recognised) CA, if I’m not mistaken.

Are your certs in environment variables? I don’t understand how you’re passing your gossip key either; when is that generated?

JJ

I can’t find any certificates, either.

The gossip encryption key is injected using a kubernetes secret. :wink:

2 Likes

Thanks for the reply…

I created the certs via cert-manager, and the certs reside in the same namespace as consul. The gossip key was created the way it is explained in the docs, so I’m missing how to get these certs injected… Do I need to do this via extraConfig? I tried extraVolumes with not success.

I added the following to the config:

caCert:
secretName: consul-certs
secretKey: tls.crt
caKey:
secretName: consul-certs
secretKey: tls.key

The new error message is:

Unable to attach or mount volumes: unmounted volumes=[consul-ca-cert consul-ca-key], unattached volumes=[consul-ca-cert consul-ca-key consul-tls-init-token-6jqqv]: timed out waiting for the condition

and of course it can’t find it:

MountVolume.SetUp failed for volume “consul-ca-cert” : secret “consul-certs” not found