Unable to connect to consul server, probably wrong client config

I’m trying to connect to a Consul server that is running with ACLs enabled, but I’m unable to. I’m probably missing something in the config file, but I have no idea what it could be.

consul server server.json

{
 "primary_datacenter": "dc1",
 "acl": {
   "enabled": true,
   "default_policy": "deny",
   "enable_token_persistence": true,
   "down_policy": "extend-cache",
   "tokens": {
       "master": "8cc434fb-52d5-4f57-888e-847c6a3c34ed"
   }
 }
}

And here is the client.json

{
  "primary_datacenter": "dc1",
  "server": false,
  "acl": {
    "enabled": true,
    "tokens": {
        "master": "a3529542-4490-d412-4a38-447bc9048859"
    }
  }
}

I’m starting the client with the following command:

consul agent -data-dir=/consul/data -config-dir=/consul/config -bind=0.0.0.0 -enable-script-checks=true -node=default-apache-a -advertise=10.0.2.15 -hcl={"ports":{"serf_lan":49000}} -encrypt=YL7qKW5wIs0Nl0EHthci7w== -pid-file=/var/run/consul.pid

and this is from startup logs:

Jul 26 05:44:23 a default-apache[27611]: ==> Starting Consul agent...
Jul 26 05:44:23 a default-apache[27611]:            Version: 'v1.5.2'
Jul 26 05:44:23 a default-apache[27611]:            Node ID: '1bbd418b-11f5-0516-19d4-1c4083565fbc'
Jul 26 05:44:23 a default-apache[27611]:          Node name: 'default-apache-a'
Jul 26 05:44:23 a default-apache[27611]:         Datacenter: 'dc1' (Segment: '')
Jul 26 05:44:23 a default-apache[27611]:             Server: false (Bootstrap: false)
Jul 26 05:44:23 a default-apache[27611]:        Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: -1, DNS: 8600)
Jul 26 05:44:23 a default-apache[27611]:       Cluster Addr: 10.0.2.15 (LAN: 49000, WAN: 8302)
Jul 26 05:44:23 a default-apache[27611]:            Encrypt: Gossip: true, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false
Jul 26 05:44:23 a default-apache[27611]: 
Jul 26 05:44:23 a default-apache[27611]: ==> Log data will now stream in as it occurs:
Jul 26 05:44:23 a default-apache[27611]: 
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [INFO] serf: EventMemberJoin: default-apache-a 10.0.2.15
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [INFO] agent: Started DNS server 127.0.0.1:8600 (tcp)
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [INFO] agent: Started DNS server 127.0.0.1:8600 (udp)
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [WARN] agent/proxy: running as root, will not start managed proxies
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [INFO] agent: Started HTTP server on 127.0.0.1:8500 (tcp)
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [WARN] manager: No servers available
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47334
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [WARN] manager: No servers available
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [ERR] agent: failed to sync remote state: No known Consul servers
Jul 26 05:44:23 a default-apache[27611]:     2019/07/26 08:44:23 [INFO] agent: started state syncer
Jul 26 05:44:23 a default-apache[27611]: ==> Consul agent running!
Jul 26 05:44:23 a default-apache[27611]: Waiting for consul agent to be running
Jul 26 05:44:25 a default-apache[27611]:     2019/07/26 08:44:25 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47336
Jul 26 05:44:25 a default-apache[27611]: Waiting for consul agent to be running
Jul 26 05:44:26 a default-apache[27611]:     2019/07/26 08:44:26 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47338
Jul 26 05:44:26 a default-apache[27611]: Waiting for consul agent to be running
Jul 26 05:44:27 a default-apache[27611]:     2019/07/26 08:44:27 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47340
Jul 26 05:44:27 a default-apache[27611]: Waiting for consul agent to be running
Jul 26 05:44:28 a default-apache[27611]:     2019/07/26 08:44:28 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47342
Jul 26 05:44:28 a default-apache[27611]: Waiting for consul agent to be running

Any idea what I’m missing?

Just to add, with this configuration I’m able to create a Consul cluster (connecting 3 servers without any problems). Only when I try to connect in client mode am I unable to do that.

Found the issue.
The start command was missing the -join option. The strange thing is that in the previous version which was used (1.2.2) it worked without that option.

That will do it. You don’t need to provide the cli options if reconnecting to an existing cluster as the current membership is snapshotted to disk.

Also if you start it up and are unjoined to a cluster you could use the consul join command to do the joining.

The permission denied errors are probably because the client in a disconnected state cannot resolve ACL tokens. If you were to configure the acl.tokens.agent_master token then that can be used to perform operations against the Agent APIs (v1/agent/*) when in a disconnected state.

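An added example, not part of the original thread and not Consul tooling: a small Python check that ties the log symptoms above to the gaps in the client setup (no join target, no acl.tokens.agent_master, a master token on a non-server). The function names, finding codes and sample inputs are constructed for illustration; the flag and config key names are Consul's.

```python
import json
import re

# Constructed sample mirroring the thread: client config, start arguments, log excerpt.
CLIENT_JSON = '{"server": false, "acl": {"enabled": true, "tokens": {"master": "<redacted>"}}}'
ARGV = ["agent", "-config-dir=/consul/config", "-node=default-apache-a"]
LOG = [
    "2019/07/26 08:44:23 [WARN] manager: No servers available",
    "2019/07/26 08:44:23 [ERR] http: Request GET /v1/agent/self, error: Permission denied from=127.0.0.1:47334",
    "2019/07/26 08:44:23 [ERR] agent: failed to sync remote state: No known Consul servers",
]

JOIN_FLAGS = ("-join", "-retry-join")      # agent CLI flags that name servers to join
JOIN_KEYS = ("start_join", "retry_join")   # their config-file equivalents
DENIED_AGENT_API = re.compile(r"Request \w+ /v1/agent/\S*, error: Permission denied")


def has_join(cfg, argv):
    """True if the agent is told which servers to join on a fresh start."""
    in_args = any(arg.split("=", 1)[0] in JOIN_FLAGS for arg in argv)
    return in_args or any(cfg.get(key) for key in JOIN_KEYS)


def diagnose(cfg, argv, log_lines):
    """Return finding codes that link the log symptoms to configuration gaps."""
    findings = []
    acl = cfg.get("acl", {})
    tokens = acl.get("tokens", {})
    no_servers = any("No known Consul servers" in line or "No servers available" in line
                     for line in log_lines)
    denied = any(DENIED_AGENT_API.search(line) for line in log_lines)
    # A fresh client with no join target never finds a server.
    if no_servers and not has_join(cfg, argv):
        findings.append("NO_JOIN")
    # While disconnected, tokens cannot be resolved; only agent_master works on /v1/agent/*.
    if acl.get("enabled") and no_servers and denied and not tokens.get("agent_master"):
        findings.append("NO_AGENT_MASTER")
    # acl.tokens.master is only read by servers; on a client it is an unused secret on disk.
    if not cfg.get("server", False) and "master" in tokens:
        findings.append("MASTER_ON_CLIENT")
    return findings


if __name__ == "__main__":
    print(diagnose(json.loads(CLIENT_JSON), ARGV, LOG))
```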