We have been running Consul for a few years, with certs enabled. We have now decided that we’re sufficiently locked down that we can stop using Consul certs (if we were to continue we’d have to replace root certs anyway, so we’re forced to make some changes).
My question is:
Is it possible to transition between cert-enabled and cert-disabled state without bringing down the entire cluster?
I’ve tried setting the verify_* fields to false in the hope that that would make a cert-enabled node accept traffic from a cert-disabled node, but that doesn’t seem to be working. (I’m getting a bunch of "consul.rpc: failed to read byte: tls: no certificates configured from=10.245.20.67:55783" logged on the cert-disabled node.)
I guess I was hoping that even if the client has the key_file, cert_file and ca_file fields configured, it would still be able to accept traffic from other nodes without those fields configured, but that does not seem to be the case.
So to sum up, I’m looking for pointers on how to make this transition without bringing down the entire Consul infrastructure.
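An added example, not from the poster: in Go's crypto/tls the "no certificates configured" error is reported by the accepting side when it receives a TLS handshake but has no certificate loaded, so the from= address on each such line identifies a peer that is still opening TLS connections to the cert-disabled node. The script below tallies those peers from agent logs during a mixed cert-enabled/cert-disabled rollout; the log lines, timestamps and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample of Consul agent log output, modelled on the single error
# line quoted in the post. Addresses and ports are made up.
SAMPLE_LOG = """\
2019/05/02 10:14:01 [ERR] consul.rpc: failed to read byte: tls: no certificates configured from=10.245.20.67:55783
2019/05/02 10:14:01 [INFO] serf: EventMemberJoin: node-3 10.245.20.68
2019/05/02 10:14:02 [ERR] consul.rpc: failed to read byte: tls: no certificates configured from=10.245.20.67:55790
2019/05/02 10:14:05 [ERR] consul.rpc: failed to read byte: tls: no certificates configured from=10.245.20.71:41022
2019/05/02 10:14:06 [ERR] consul.rpc: failed to read byte: EOF from=10.245.20.90:50001
"""

# Matches only the TLS-handshake-without-certificate error; the ephemeral
# source port is captured but ignored, since only the peer host matters.
TLS_NO_CERT = re.compile(
    r"failed to read byte: tls: no certificates configured "
    r"from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def peers_still_using_tls(log_text: str) -> Dict[str, int]:
    """Return {peer_ip: rejected_handshake_count} for peers that still dial
    this (cert-disabled) node with TLS. Other RPC read errors, such as a
    plain EOF, are deliberately not counted."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = TLS_NO_CERT.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    report = peers_still_using_tls(SAMPLE_LOG)
    for ip, n in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} TLS handshake(s) rejected, peer still has TLS outgoing")
```

Run it against the cert-disabled node's agent log (for example the journal or the agent's log_file output) and revisit the configuration of each listed peer before proceeding with the rollout.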