X509: certificate signed by unknown authority on HCP

I’m trying to connect a consul client to my HCP Consul server and receive the following certificate error when the client tries to login.

X509: certificate signed by unknown authority on Consul client

I’m deploying on AWS ECS, with Terraform and using v0.5.1 of the mesh-task module.

I’ve been following instructions from this guide: Serverless Consul service mesh with ECS and HCP | Consul - HashiCorp Learn.

I’m passing the downloaded ca.pem file via Secrets Manager, as suggested.

Any ideas what might be the issue?

Do I need to manually install the root CA cert into the consul container image?

Hi,

The tutorial uses Consul ECS v0.2. With Consul ECS v0.5, there are slightly different inputs compared to v0.2. You should double check the configuration is in line with the current documentation.

In particular:

  • Pass the consul_http_addr input variable to mesh-task. For example, consul_http_addr = hcp_consul_cluster.example.consul_private_endpoint_url.
  • Remove the consul_client_token_secret_arn and acl_secret_name_prefix input variables, which were removed in Consul ECS v0.5.
  • When using HCP Consul servers, you should not need to set the consul_https_ca_cert_arn. The certificate presented by HCP Consul for HTTPS should be trusted by your system.

Let me know if that helps, and thanks for your patience until we update our tutorials.
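The three points above, shown as an added Terraform sketch of a v0.5.1 mesh-task block against an HCP cluster (this is an example written for this thread, not code from the poster, the tutorial or the consul-ecs project). Every input other than consul_http_addr, consul_https_ca_cert_arn, consul_client_token_secret_arn and acl_secret_name_prefix (family, port, tls, acls, retry_join, consul_server_ca_cert_arn, the hcp_consul_cluster attributes and the Secrets Manager resource) is an assumed name to check against the module's inputs for your version.

```hcl
# Added example for the answer above; assumed names are marked. Placeholder
# values (cluster id, ports) are constructed for illustration.

# HCP cluster the endpoints come from (assumed resource name "example").
resource "hcp_consul_cluster" "example" {
  cluster_id = "my-cluster"         # placeholder
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "development"
}

# The ca.pem downloaded from HCP, stored in Secrets Manager (assumed names).
resource "aws_secretsmanager_secret" "consul_ca" {
  name = "consul-server-ca"
}

module "my_task" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "0.5.1"

  family                = "my-task"   # assumed
  port                  = 9090        # assumed
  container_definitions = []          # fill in the application container

  # v0.5: point the client at the HCP HTTPS API. Per the answer, the
  # certificate HCP presents chains to a CA the system already trusts.
  consul_http_addr = hcp_consul_cluster.example.consul_private_endpoint_url

  # Per the answer, not needed for HCP servers; leave it unset rather than
  # pointing it at the downloaded ca.pem.
  # consul_https_ca_cert_arn = aws_secretsmanager_secret.consul_ca.arn

  # Removed in Consul ECS v0.5; carrying them over from the v0.2 tutorial
  # is a configuration error, so delete them.
  # consul_client_token_secret_arn = "..."
  # acl_secret_name_prefix         = "..."

  # Assumed inputs: server RPC TLS and join addresses still come from the
  # HCP client bundle (ca.pem and the retry_join list in the config file).
  tls                       = true
  acls                      = true
  consul_server_ca_cert_arn = aws_secretsmanager_secret.consul_ca.arn
  retry_join = jsondecode(base64decode(
    hcp_consul_cluster.example.consul_config_file
  ))["retry_join"]
}
```

Run `terraform validate` after the change: it rejects the two removed inputs outright if they are still present, which makes the v0.2-to-v0.5 mismatch visible before anything is deployed.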