Introduction
Consul supports using TLS to verify the authenticity of servers and clients. To enable this, Consul requires that every client and server agent present a certificate signed by a single Certificate Authority. This can be a private CA used only internally; the CA signs a certificate for each agent's key pair.
Use Case
All certificates have an expiry date, after which they must be replaced with valid certificates. The rotation procedure differs depending on whether the existing certificates are still valid or have already expired.
Procedure
Expiring Soon
If the existing certificates are valid at the time of the rotation, the process is as follows:
Step 1
Replace the certificate and its associated key in place, or update the cert_file and key_file settings on every server and client agent to point at the new files. If the new certificates were issued by a different CA than the one currently in ca_file, update ca_file as well, preferably with a bundle containing both the old and the new CA so that agents that have not yet been rotated can still verify the ones that have.
Step 2
Issue the consul reload CLI command on each agent. A reload applies new cert_file and key_file contents without a restart; it cannot be used to turn TLS on or off, which requires a restart.
Step 3
Verify that the agent logs contain no TLS-related errors after the configuration reload, and confirm that each agent now presents the new certificate rather than the old one (for example, by connecting to its HTTPS port with openssl s_client and comparing the fingerprint of the served certificate with that of the new file).
Already Expired
Step 1
Generate the new certificates and keys and set the cert_file and key_file settings in the configuration of each agent to point at them.
Step 2
Perform a rolling restart of each agent in the cluster, starting with the non-leader server agents, then the leader server agent, and finally the client agents. Restart one server at a time and wait until it has rejoined the cluster (consul members shows it alive and consul operator raft list-peers lists it as a voter) before restarting the next, so that the servers never lose quorum. After this step, TLS should be enabled everywhere across the cluster.
Step 3
Verify that the agent logs contain no TLS-related errors after the restart, and confirm that each agent presents the new certificate.
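The checks a practitioner wants to run before swapping certificates in either procedure (expiring soon or already expired), and the post-reload check from Step 3, as a shell script. This is an added example, not HashiCorp's code or part of the original article. It assumes openssl is installed; the file paths, the default server name server.dc1.consul, the HTTPS address 127.0.0.1:8501 and the MIN_DAYS_LEFT threshold are placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight checks and post-reload verification for a Consul TLS certificate
# rotation. Added example, not HashiCorp's code. Assumes openssl is installed;
# paths, the server name server.dc1.consul, the address 127.0.0.1:8501 and the
# MIN_DAYS_LEFT threshold are placeholders.
set -eu

MIN_DAYS_LEFT=${MIN_DAYS_LEFT:-30}   # refuse to install a cert that expires sooner than this

# 0 if the certificate stays valid for at least $2 more days (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if the private key belongs to the certificate: compare the public keys
# extracted from each instead of trusting file names.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate chains to the CA bundle the agents have in ca_file.
# A cert from another CA reloads without error, but every peer then rejects it.
cert_signed_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate carries DNS name $2 in subjectAltName. Servers must present
# server.<datacenter>.<domain> when verify_server_hostname is enabled.
cert_has_san() {
  name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:${name_re}(,|[[:space:]]|\$)"
}

# SHA-256 fingerprint of a certificate file, used to confirm what an agent serves.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate an agent presents on its HTTPS port after
# `consul reload`. If it still equals the old file's fingerprint, the reload did
# not pick up the new material. s_client prints the server certificate even when
# the handshake is aborted for lack of a client certificate (verify_incoming).
served_fingerprint() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Run every check on a candidate cert/key against the trusted CA and required SAN.
preflight() {
  cert=$1; key=$2; ca=$3; san=$4
  cert_valid_for_days "$cert" "$MIN_DAYS_LEFT" || { echo "FAIL: $cert expires within $MIN_DAYS_LEFT days" >&2; return 1; }
  cert_key_match "$cert" "$key"                || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_signed_by_ca "$cert" "$ca"              || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
  cert_has_san "$cert" "$san"                  || { echo "FAIL: $cert lacks SAN $san" >&2; return 1; }
  echo "OK: $cert passes all checks"
}

# Usage (placeholder paths):
#   ./rotate-check.sh /etc/consul.d/tls/new.pem /etc/consul.d/tls/new-key.pem \
#                     /etc/consul.d/tls/consul-agent-ca.pem server.dc1.consul
# Then copy the files over cert_file/key_file, run `consul reload`, and compare
#   served_fingerprint 127.0.0.1:8501 server.dc1.consul
# with cert_fingerprint of the new file; they must be equal.
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

Run the preflight on every agent before Step 2 of either procedure; a certificate that fails the CA or SAN check reloads silently but breaks RPC between agents, which only shows up afterwards in the logs Step 3 asks you to read.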
Additional Resources
Secure Consul Agent Communication with TLS Encryption
Update Consul Agents to Securely Communicate with TLS