Hello,
I’ve some troubles connecting Consul from Vault and cannot be sure which certificates must be used to connect Consul.
consul-server-cert
consul-ca-key
consul-ca-cert
When I check root certificate in Consul, I am not able to see the same cert in any Kubernetes secret.
kubectl exec consul-consul-server-0 -n consul -- curl -sk https://localhost:8501/v1/connect/ca/roots | jq -r .Roots[0].RootCert)
I am so confused, please advise.
Thank & Regards
You’re confusing multiple different things. CA is the list of CAs that are trusted within Consul for outbound connections.
When vault tries to setup a TLS connection to Consul, then all it needs to know is that there is a valid certificate on the other end. As long as the CA that is used to generate the certificate in the “listen” block is a trusted certificate, and that the certificate includes the proper hostname, fqdn, SANs of the consul server that you defined in your vault storage block then it’ll work.
@aram thanks for your reply
how can I check or how can I be sure Vault can or cannot connect to Consul?
Start vault, if it can’t connect you won’t be able to start it up or initialize it.
vault status shows you what the configuration of the backend storage is.
@aram I had some progress…
yesterday I was able to enable tls_skip_verify and Vault connected to Consul.
it’s ok.
Next step, I removed tls_skip_verify and now I’m at the same point. Vault cannot connect to tls enabled Consul.
NAME TYPE DATA AGE
consul-consul-acl-replication-acl-token Opaque 1 9h
consul-consul-bootstrap-acl-token Opaque 1 9h
consul-consul-ca-cert Opaque 1 9h
consul-consul-ca-key Opaque 1 9h
consul-consul-client-acl-token Opaque 1 9h
consul-consul-client-token-4tbv6 kubernetes.io/service-account-token 3 9h
consul-consul-gossip-encryption-autogenerate-token-pwhtg kubernetes.io/service-account-token 3 9h
consul-consul-gossip-encryption-key Opaque 1 9h
consul-consul-server-acl-init-cleanup-token-zpgtw kubernetes.io/service-account-token 3 9h
consul-consul-server-acl-init-token-9wk6s kubernetes.io/service-account-token 3 9h
consul-consul-server-cert kubernetes.io/tls 2 9h
consul-consul-server-token-42szp kubernetes.io/service-account-token 3 9h
consul-consul-tls-init-token-49wt4 kubernetes.io/service-account-token 3 9h
default-token-52xgx kubernetes.io/service-account-token 3 9h
sh.helm.release.v1.consul.v1 helm.sh/release.v1 1 9h
The secrets of Consul are above.
I use following secrets with/without consul-consul-server-cert, Vault cannot connect to tls enabled Consule securely.
tls_ca_file = "/vault/userconfig/consul-consul-ca-cert/tls.crt"
tls_key_file = "/vault/userconfig/consul-consul-ca-key/tls.key"
tls_cert_file = "/vault/userconfig/consul-consul-server-cert/tls.crt"
The question is that which certificates must be used to tls enabled Consul by Vault? Which certificates are the correct certificates to connect tls enabled Consul? 
Thanks & Best Regards
Hello @ishustava @ishustava1
Reagarding the discussion here, which certificate is the correct certificate to connect Consul from Vault?
That one;
kubectl create secret generic consul-client-ca --from-literal=ca="$(kubectl exec consul-server-0 -- curl -sk https://localhost:8501/v1/connect/ca/roots | jq -r .Roots[0].RootCert)"
or that one?
consul-consul-ca-cert/tls.crt
Also please check following dialogs:
Could you please advise how to connect tls enabled Consul from Vault securely by a reasonable way?
Thanks & Regards
Hey @tirelibirefe
The answer would depend on whether you’re enabling autoEncrypt. If you are, then you need to first one you’ve mentioned. If not, then you need the second one.
