Consul Auto Encrypt: Client Certificate says "x509: certificate signed by unknown authority" #8636
Comments
Hi @blake, can you help me with this issue, or tag someone from the Consul team who might be able to help me here? Thank you so much!
Is there anyone who can help respond to the issue?
If I generate my custom root CA and sign my server certs with it and use the auto_encrypt feature, I see that on my client side it gives
System clocks are synchronised as well before generating the root CA and other certificates on the nodes.
It looks like I need to generate a custom Connect CA cert with the SAN set to the cluster identifier with the .consul TLD, an issue similar to: https://discuss.hashicorp.com/t/trouble-getting-consul-connect-and-envoy-to-work/6415 I need to work on fixing this issue.
How do I generate a custom SPIFFE certificate for Consul as the Connect CA? I do not see any documentation on it. Any leads?
I see a similar issue regarding the method to generate a custom SPIFFE CA certificate here: #8492 Could anyone from the Consul team enlighten here?
I am able to generate SPIFFE SVID signing certificates as discussed here https://discuss.hashicorp.com/t/trouble-getting-consul-connect-and-envoy-to-work/6415/28 However, consuming the dynamic certs with Envoy in Auto Encrypt mode still poses a challenge. How will the Envoy proxy pick up the dynamic client certs? Will I need to create a separate client cert for the Envoy proxy?
Hi @ishustava, with reference to hashicorp/consul-helm#441, I already had this ticket created before. Today I tried to implement the configs as you mentioned in hashicorp/consul-helm#441, but it does not work for any combination of verify_* settings set to false on clients and also on the server, and still gives me the error below (Envoy debug logs):
It only works if I create a client cert and pass it to the command as described above, even in auto-encrypt mode. You can also see a similar issue here: #7926
Hi @ishustava, did you get a chance to look into the issue? Will I need to create a separate client cert just for the Envoy proxy? Thanks
Hi, Thanks, Marius
Hi @ishustava, @mariusehr1, it looks like I found a way to maintain TLS (RPC and HTTPS) while still using auto-encrypt mode without having to set verify_incoming=false. We can continue to keep verify_incoming=true for RPC and HTTPS. This is how I experimented:
Hi @ashwinkupatkar, I made it work this way indeed, thanks a lot. I used the following script in my entrypoint, if anyone is interested; it is used for the web service:
Hi all - brief update. We'll be tracking improvements to this UX in #6791, if you are interested, please +1 |
I started with Consul version 1.8.3 to try the Auto Encrypt feature, following the steps in https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure, and noticed an issue.
After starting the server followed by the client, I see the client node registered successfully.
I wanted to use the Consul Connect feature with Envoy as the sidecar.
I ran the following commands:
```shell
export CONSUL_HTTP_SSL=true
export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
export CONSUL_CACERT=consul-agent-ca.pem
consul connect envoy -sidecar-for [name of the service] -admin-bind localhost:19001 &
```
It gave me the error below:
```
==> Failed looking up sidecar proxy info for [name of the service]: Get "https://127.0.0.1:8501/v1/agent/services": x509: certificate signed by unknown authority
```
However, if I use the operator method to implement TLS between server and client (i.e. manually distributing client certificates),
I do not face this issue and the Envoy proxy works just fine.
I checked the CA cert file present on server and client and they are identical.
I even added the DNS and IP SANs that are present in the PEM bundle, the same as when distributed through the operator method.
What can be the issue?
Consul version: 1.8.3 (both server and client)
CA: Built-In Connect CA
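An added example (not Consul's own code and not part of this issue) that reproduces the situation offline with openssl: a leaf certificate issued by one CA does not verify against a different CA file, which is exactly what `x509: certificate signed by unknown authority` reports. The demo CA names are constructed; `chains_to` and `issuer_of` are the checks to run against the certificate a real agent serves on port 8501 versus the file named in CONSUL_CACERT.

```shell
#!/bin/sh
# Added example, not Consul project code. Demo CA names are constructed.
set -e

# Build two unrelated CAs ("agent-ca", "connect-ca") and one leaf certificate
# issued by connect-ca. The leaf stands in for the HTTPS certificate an agent
# presents; agent-ca stands in for the file named in CONSUL_CACERT.
make_demo_pki() {
  dir=$(mktemp -d)
  for ca in agent-ca connect-ca; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/$ca.key" -days 1 \
      -subj "/CN=demo $ca" -out "$dir/$ca.pem" 2>/dev/null
  done
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=client.dc1.consul" \
    -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/connect-ca.pem" \
    -CAkey "$dir/connect-ca.key" -CAcreateserial -days 1 \
    -out "$dir/leaf.pem" 2>/dev/null
  echo "$dir"
}

# chains_to CAFILE LEAF: exit 0 when LEAF verifies against CAFILE, non-zero
# otherwise. The Consul CLI (Go's crypto/x509) does the same path validation
# before it reports "certificate signed by unknown authority".
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer name, to compare with the subject of the
# CA in CONSUL_CACERT (openssl x509 -in "$CONSUL_CACERT" -noout -subject).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Against a live agent, capture the served certificate first, then run the
# same two checks on it, e.g.:
#   openssl s_client -connect 127.0.0.1:8501 -showcerts </dev/null 2>/dev/null \
#     | openssl x509 -out served.pem
#   chains_to "$CONSUL_CACERT" served.pem && echo trusted || echo "unknown authority"

pki=$(make_demo_pki)
echo "issuer of leaf: $(issuer_of "$pki/leaf.pem")"
chains_to "$pki/connect-ca.pem" "$pki/leaf.pem" && echo "connect-ca: trusted"
chains_to "$pki/agent-ca.pem" "$pki/leaf.pem" || echo "agent-ca: unknown authority"
rm -rf "$pki"
```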