Which certificates/secrets are used to connect Consul from Vault?

I’ve some troubles connecting Consul from Vault and cannot be sure which certificates must be used to connect Consul.


When I check root certificate in Consul, I am not able to see the same cert in any Kubernetes secret.

kubectl exec consul-consul-server-0 -n consul -- curl -sk https://localhost:8501/v1/connect/ca/roots | jq -r .Roots[0].RootCert)

I am so confused, please advise.

Thank & Regards

You’re confusing multiple different things. CA is the list of CAs that are trusted within Consul for outbound connections.

When vault tries to setup a TLS connection to Consul, then all it needs to know is that there is a valid certificate on the other end. As long as the CA that is used to generate the certificate in the “listen” block is a trusted certificate, and that the certificate includes the proper hostname, fqdn, SANs of the consul server that you defined in your vault storage block then it’ll work.

@aram thanks for your reply
how can I check or how can I be sure Vault can or cannot connect to Consul?

Start vault, if it can’t connect you won’t be able to start it up or initialize it.

vault status shows you what the configuration of the backend storage is.

@aram I had some progress…

yesterday I was able to enable tls_skip_verify and Vault connected to Consul.
it’s ok.
Next step, I removed tls_skip_verify and now I’m at the same point. Vault cannot connect to tls enabled Consul.

NAME                                                       TYPE                                  DATA   AGE
consul-consul-acl-replication-acl-token                    Opaque                                1      9h
consul-consul-bootstrap-acl-token                          Opaque                                1      9h
consul-consul-ca-cert                                      Opaque                                1      9h
consul-consul-ca-key                                       Opaque                                1      9h
consul-consul-client-acl-token                             Opaque                                1      9h
consul-consul-client-token-4tbv6                           kubernetes.io/service-account-token   3      9h
consul-consul-gossip-encryption-autogenerate-token-pwhtg   kubernetes.io/service-account-token   3      9h
consul-consul-gossip-encryption-key                        Opaque                                1      9h
consul-consul-server-acl-init-cleanup-token-zpgtw          kubernetes.io/service-account-token   3      9h
consul-consul-server-acl-init-token-9wk6s                  kubernetes.io/service-account-token   3      9h
consul-consul-server-cert                                  kubernetes.io/tls                     2      9h
consul-consul-server-token-42szp                           kubernetes.io/service-account-token   3      9h
consul-consul-tls-init-token-49wt4                         kubernetes.io/service-account-token   3      9h
default-token-52xgx                                        kubernetes.io/service-account-token   3      9h
sh.helm.release.v1.consul.v1                               helm.sh/release.v1                    1      9h

The secrets of Consul are above.

I use following secrets with/without consul-consul-server-cert, Vault cannot connect to tls enabled Consule securely.

        tls_ca_file = "/vault/userconfig/consul-consul-ca-cert/tls.crt"
        tls_key_file  = "/vault/userconfig/consul-consul-ca-key/tls.key"
        tls_cert_file = "/vault/userconfig/consul-consul-server-cert/tls.crt"

The question is that which certificates must be used to tls enabled Consul by Vault? Which certificates are the correct certificates to connect tls enabled Consul? :face_with_monocle:

Thanks & Best Regards

Hello @ishustava @ishustava1
Reagarding the discussion here, which certificate is the correct certificate to connect Consul from Vault?

That one;
kubectl create secret generic consul-client-ca --from-literal=ca="$(kubectl exec consul-server-0 -- curl -sk https://localhost:8501/v1/connect/ca/roots | jq -r .Roots[0].RootCert)"

or that one?

Also please check following dialogs:

Could you please advise how to connect tls enabled Consul from Vault securely by a reasonable way?

Thanks & Regards

Hey @tirelibirefe

The answer would depend on whether you’re enabling autoEncrypt. If you are, then you need to first one you’ve mentioned. If not, then you need the second one.