TLS webhook error

I am not able to create any deployment in my k8s cluster as a result of Consul, which gives me the below error:

Error creating: Internal error occurred: failed calling webhook "consul-connect-injector.consul.hashicorp.com": failed to call webhook: Post "https://consul-connect-injector-svc.consul.svc:443/mutate?timeout=10s": x509: certificate has expired or is not yet valid: current time 2021-11-28T05:39:09Z is after 2021-11-26T17:40:33Z

How do I check the TLS cert for the connect injector and rotate the cert? Can someone help explain this error to me, what exactly it is trying to do here, and how I can resolve this, please?

That’s not really a consul issue. Depends on which ingest product you’re using. You should check there. Most likely the cert was generated from your cert-manager service, so check both places.

As a side note, I’m not as familiar with Consul, but in Vault, best practice is to set the ingest service to pass-thru and manage the certs at Vault. There are specific reasons for that for Vault which I don’t think are valid for Consul, but it’s an option.

Hello @aram, thanks for the help. If I don’t want to use certs at all, then how can I turn it off so the Consul webhook doesn’t verify it?

By default Consul doesn’t enable TLS; if you don’t have it configured in Consul, then it’s enabled on your ingress.

Hello @aram, I don’t see any TLS on my ingress. Can you explain what exactly the error means and what it is doing?

x509 is a TLS certificate that is either invalid, or most likely is self-signed and just isn’t a trusted certificate (which is normal for a self-signed cert).

Thanks @aram, I have understood that part with the error as it is straightforward. I am looking from the Consul webhook side of things: what the webhook is doing with the cert and why it was not able to complete the request.
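
The error in the first post is raised when the Kubernetes API server, acting as the TLS client, POSTs the admission request to the injector's webhook Service and rejects the serving certificate because the current time falls outside its validity window. As an added example (not part of the thread and not Consul or Kubernetes code), this Python sketch parses such an error line to show which webhook, Service and namespace presented the certificate and by how much the validity bound was missed; the function name and result keys are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the error line quoted in the first post of this thread.
SAMPLE = ('Error creating: Internal error occurred: failed calling webhook '
          '"consul-connect-injector.consul.hashicorp.com": failed to call webhook: '
          'Post "https://consul-connect-injector-svc.consul.svc:443/mutate?timeout=10s": '
          'x509: certificate has expired or is not yet valid: '
          'current time 2021-11-28T05:39:09Z is after 2021-11-26T17:40:33Z')

WEBHOOK_RE = re.compile(r'failed calling webhook "(?P<webhook>[^"]+)"')
# In-cluster webhook URLs look like https://<service>.<namespace>.svc:<port>/<path>
URL_RE = re.compile(r'Post "https://(?P<service>[^./"]+)\.(?P<namespace>[^./"]+)\.svc'
                    r'(?::(?P<port>\d+))?(?P<path>/[^"?]*)?')
# "after" means the NotAfter bound has passed; "before" means NotBefore is in the future.
X509_RE = re.compile(r'x509: certificate has expired or is not yet valid: '
                     r'current time (?P<now>[0-9T:-]+Z) is (?P<rel>after|before) '
                     r'(?P<bound>[0-9T:-]+Z)')

def _ts(value):
    """Parse the UTC RFC 3339 timestamps used in the error text."""
    return datetime.strptime(value, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

def triage_webhook_cert_error(line):
    """Return details of an x509 validity failure, or None if the line is something else."""
    x509 = X509_RE.search(line)
    if not x509:
        return None
    now, bound = _ts(x509['now']), _ts(x509['bound'])
    expired = x509['rel'] == 'after'
    result = {
        'state': 'expired' if expired else 'not_yet_valid',
        'bound_field': 'NotAfter' if expired else 'NotBefore',
        'bound': bound,
        'delta': abs(now - bound),  # how far outside the validity window the call was made
    }
    # Add the webhook name and the Service/namespace/port/path the API server dialled.
    for pattern in (WEBHOOK_RE, URL_RE):
        match = pattern.search(line)
        if match:
            result.update(match.groupdict())
    return result

if __name__ == '__main__':
    for key, value in triage_webhook_cert_error(SAMPLE).items():
        print(f'{key}: {value}')
```

The Service and namespace it extracts identify whose serving certificate needs to be inspected and reissued.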