Unclear instructions in deployment guide

Hi everyone.

I’m currently struggling with my first Consul prod deployment ever and some unclear points in the Consul deployment guide.
My setup is about 6 nodes. Three of them I want to take over some central cluster service roles and be the Consul servers. The other three will be the first three “work-horses” of the platform, host the applications and be Consul clients.

For the consul servers, the instructions are quite clear.
For the clients … not so much.

My plan is to use “Auto encryption”. In “Create the certificates” section it’s where it begins to be unclear to me:

  1. It says: “First, for your Consul servers, use the following command to create a certificate for each server.” So: not for the clients, since “servers” is explicitly written.
  2. Next it says: “The Consul client agents will only need the CA certificate, consul-agent-ca.pem, to enable mTLS.” So again: it confirms that the clients only need the CA certificate, not the DC certificates.
  3. But then, in the very next section “Distribute the certificates to agents”, it says: “You must distribute the CA certificate, consul-agent-ca.pem, to each of the Consul agents as well as the agent specific certificate and private key.” So, from here, it says that one must copy all node specific certs in addition to the CA certificate, which is the opposite of what was explained before.
  4. This is once more confirmed in the TLS configuration section. Even though the “Auto encryption” guide is selected, the consul.hcl snippet lists not only ca_file, but cert_file and key_file parameters as well “for Consul clients”. The only difference between “Auto” and “Manual” seems to be the auto_encrypt nested section. Which again seems to be the opposite of the “CA cert only” statement and the entire Auto encryption idea.
  5. Regarding that auto_encrypt nested section, the Consul Security guide brings another unclear element onto the table: in the Configure the clients section, it says to configure the clients by indeed setting the ca_file option only, but instead of auto_encrypt { allow_tls = true } to set auto_encrypt { tls = true } instead.

This all results in confusing me completely.
What will I have to do now, on server and client side, to embrace TLS auto encryption? The official docs seem to not be too sure themselves …

From the general Consul Configuration Reference, it seems like

auto_encrypt { allow_tls = true } is for servers
auto_encrypt { tls = true } is for clients

But this is a guess and it really should be made clear in the Deployment guide.
Can anyone confirm/decline this please?

Hi @The-Judge,

Welcome to the HashiCorp Forums!

Yes, you are right. auto_encrypt { allow_tls = true } will make Consul Server agents enable the auto-encrypt RPC endpoint and the in-built ConnectCA (if connect isn’t already enabled) for signing the certificates.

auto_encrypt { tls = true } instructs clients to reach out to the servers with a CSR, get the certificate signed, and use it for local agents.
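The two roles side by side, as an added example (not from the deployment guide or either poster). It assumes the legacy top-level TLS keys the thread discusses, two separate files (server.hcl on the servers, client.hcl on the clients), and constructed addresses and file names:

```hcl
# server.hcl: Consul server agent (3 of the 6 nodes)
# Added example, not the deployment guide's snippet. Uses the
# top-level TLS keys discussed above; addresses and cert names are
# placeholders.
datacenter       = "dc1"
data_dir         = "/opt/consul"
server           = true
bootstrap_expect = 3
retry_join       = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # constructed

# Servers get the CA plus their own server certificate and key.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true
ca_file   = "/etc/consul.d/consul-agent-ca.pem"
cert_file = "/etc/consul.d/dc1-server-consul-0.pem"      # example name
key_file  = "/etc/consul.d/dc1-server-consul-0-key.pem"  # example name

# Servers expose the auto-encrypt RPC endpoint and sign client CSRs.
auto_encrypt {
  allow_tls = true
}

# ---------------------------------------------------------------
# client.hcl: Consul client agent (the three work-horse nodes)
datacenter = "dc1"
data_dir   = "/opt/consul"
retry_join = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # servers the CSR is sent to

# Clients need only the CA certificate: no cert_file / key_file.
# verify_outgoing + verify_server_hostname make the client refuse any
# server whose certificate is not CA-signed for server.dc1.consul,
# so only the real servers can hand it a certificate.
verify_incoming        = true   # also covers the HTTPS API; verify_incoming_rpc limits it to RPC
verify_outgoing        = true
verify_server_hostname = true
ca_file = "/etc/consul.d/consul-agent-ca.pem"

# The client requests its own certificate from the servers over the
# CA-verified connection, so there is nothing per-node to distribute.
auto_encrypt {
  tls = true
}
```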

Hi @Ranjandas ,

thanks for confirming.
This is a bit confusing in the Deployment Guide, since it first says that the consul.hcl file should contain common parameters only and to put server or client related parameters in separate files in /etc/consul.d, and then this appears “mixed” in the doc, not too clearly pointing out what’s server and what’s client related.

I got it now, thank you!