Introduction
Consul supports using TLS to verify the authenticity of servers and clients. To enable this, Consul requires that all clients and servers have key pairs that are generated by a single Certificate Authority. This can be a private CA, used only internally. The CA then signs keys for each of the agents.
Use Case
All certificates have an expiry date, upon which they need to be replaced with valid certificates signed by the same CA.
Procedure
Step 1
Generate the new keys/certs and set the ca_file/ca_path, cert_file, and key_file settings in the configuration for each agent. Make sure the verify_outgoing and verify_incoming options are set to false.
Step 2
Perform a rolling restart of each agent in the cluster, starting with the non-leader server agents, then the leader server agent, and finally the client agents. After this step, TLS should be enabled everywhere, but the agents will not yet be enforcing TLS.
Step 3 (optional)
Ensure that the Vault config is pointing to the correct ca_file, cert_file, and key_file (in case the cert file names have changed):
storage "consul" {
  scheme        = "https"
  address       = "<address>:8501"
  tls_ca_file   = "<ca-file-location>"
  tls_cert_file = "<cert-file-location>"
  tls_key_file  = "<key-file-location>"
}
Please note that it is not necessary to include the above TLS settings in Vault config if Vault is not communicating with Consul over HTTPS.
Step 4
Change the verify_incoming and verify_outgoing settings (as well as verify_server_hostname, if applicable) to true, or back to the value they had prior to Step 1.
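The four steps above, worked as an added shell example (this is not the article's or HashiCorp's own code). It renders the TLS fragment of the agent configuration twice, once with verification switched off for the transition window of Step 1 and once with it switched back on for Step 4, and derives the Step 2 restart order (followers first, leader last) from the output of consul operator raft list-peers. The certificate paths, node names and the systemd unit are hypothetical; the peer listing embedded at the bottom is constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes (hypothetically)
# that certificates live under /etc/consul.d/tls/ and that the rendered
# fragment is installed as /etc/consul.d/tls.hcl on every agent.

# Render the TLS part of the agent config for one phase of the rotation:
#   transition : new files in place, verify_* = false (Step 1), so agents
#                still accept plaintext from peers not yet restarted (Step 2).
#   enforce    : same files, verify_* = true again (Step 4).
render_tls_config() {
  phase="$1"
  ca="${2:-/etc/consul.d/tls/consul-agent-ca.pem}"
  cert="${3:-/etc/consul.d/tls/dc1-server-consul-0.pem}"
  key="${4:-/etc/consul.d/tls/dc1-server-consul-0-key.pem}"
  case "$phase" in
    transition) verify=false ;;
    enforce)    verify=true ;;
    *) echo "usage: render_tls_config transition|enforce [ca cert key]" >&2; return 1 ;;
  esac
  # verify_server_hostname only applies where the server certs carry the
  # server.<dc>.consul name; drop that line otherwise ("if applicable").
  cat <<EOF
ca_file   = "$ca"
cert_file = "$cert"
key_file  = "$key"
verify_incoming        = $verify
verify_outgoing        = $verify
verify_server_hostname = $verify
EOF
}

# Step 2 ordering: given the text of `consul operator raft list-peers`
# (columns: Node ID Address State Voter RaftProtocol ...), print the
# followers first and the leader last. Client agents are not raft peers;
# restart them afterwards from your own inventory.
restart_order() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 == "follower" { print $1 }
    NR > 1 && $4 == "leader"   { leader = $1 }
    END { if (leader != "") print leader }'
}

# Constructed sample of `consul operator raft list-peers` output.
SAMPLE_PEERS='Node      ID                                    Address         State     Voter  RaftProtocol
consul-1  11111111-aaaa-bbbb-cccc-000000000001  10.0.0.1:8300   leader    true   3
consul-2  22222222-aaaa-bbbb-cccc-000000000002  10.0.0.2:8300   follower  true   3
consul-3  33333333-aaaa-bbbb-cccc-000000000003  10.0.0.3:8300   follower  true   3'

echo "# Step 1 fragment (install on every agent, then rolling restart):"
render_tls_config transition
echo
echo "# Step 2 server restart order:"
restart_order "$SAMPLE_PEERS"
# For each node in that order, on the host itself (hypothetical unit name):
#   sudo systemctl restart consul && consul members
echo
echo "# Step 4 fragment (install on every agent, then rolling restart again):"
render_tls_config enforce
```

Run the script with no arguments to see both fragments and the restart order; in a real rotation, replace the embedded sample with the live output of consul operator raft list-peers and apply the enforce fragment only after every agent, clients included, has been restarted with the transition fragment.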