Overview of the Issue
I can't find any valuable reason to put the CA constraints into TLS modules.
Now I can't generate valid certificates for Consul, even if they are valid for Vault.
Can you explain it to me?
Reproduction Steps
I created a bunch of unique certs by Vault PKI, official tutorial: https://developer.hashicorp.com/vault/tutorials/pki/pki-engine?variants=vault-deploy%3Aselfhosted#step-4-request-certificates
Full HCL config:

```hcl
acl {
  enabled = true
}
datacenter = "dc1"
data_dir = "/opt/consul"
log_level = "debug"
bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.20.30.0/24\" | attr \"address\" }}"
client_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.20.30.0/24\" | attr \"address\" }}"
server = true
bootstrap_expect = 3
retry_join = [
  "10.20.30.93",
  "10.20.30.13",
]
ports {
  grpc_tls = 8505
  https = 8501
}
connect {
  enabled = true
}
node_name = "1f5350"
ca_file = "/opt/consul/tls/ca.pem"
cert_file = "/opt/consul/tls/server.pem"
key_file = "/opt/consul/tls/server-key.pem"
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
```

Logs from server node:

```
Mar 09 23:15:48 ubuntu consul[86945]: 2025-03-09T23:15:48.394Z [WARN] agent: error getting server health from server: server=1f5350 error="rpc error getting client: failed to get conn: tls: failed to verify certificate: x509: certificate signed by unknown authority"
```
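To show what the `x509: certificate signed by unknown authority` line in the log means in terms of the chain a peer is checking, here is an added example in Go (Consul's own language); it is not code from the issue or from Consul. It builds a constructed root -> intermediate -> leaf hierarchy, the shape a Vault PKI engine produces when leaves are issued from an intermediate issuer, and verifies the leaf the way a peer with `verify_incoming` and `verify_server_hostname` does: once with only the root as the trusted set (what `ca_file` holds) and the leaf presented alone, and once with the intermediate presented alongside the leaf. The CA names, the hostname `server.example.test` and the mapping of pools to config keys in the comments are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // leaf: SAN for hostname verification, EKU for TLS server use
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // cannot fail for these templates
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain is the check a verifying peer applies: the leaf must chain to a CA in the trusted set
// (the contents of ca_file) through the intermediates presented with it, and its SAN must match host.
func verifyChain(leaf *x509.Certificate, presented, trusted []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Demo returns the verification result with the leaf presented alone, then with the intermediate.
func Demo() (leafOnly, leafWithIntermediate error) {
	root, rootKey := newCert("constructed-root", 1, true, nil, nil)
	inter, interKey := newCert("constructed-intermediate", 2, true, root, rootKey)
	leaf, _ := newCert("server.example.test", 3, false, inter, interKey)
	return verifyChain(leaf, nil, []*x509.Certificate{root}, "server.example.test"),
		verifyChain(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}, "server.example.test")
}
```

With only the root trusted and the leaf presented alone, `Verify` returns `x509.UnknownAuthorityError`, the same text as in the log; with the intermediate presented (or added to the trusted set) the chain closes.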