The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
Purpose
This article gives tips on disabling TLS in production with zero downtime. Because Consul uses TLS to verify the authenticity of servers and clients, disabling TLS should be a multi-stage approach: each side stops verifying before the other side stops presenting certificates, so no connection is ever refused.
Procedure
1. Locate your Consul server config file, set verify_incoming to false, and perform a rolling restart of the servers, restarting the followers first and the leader last to avoid downtime.

2. Locate your Consul client config file, set verify_incoming to false, and perform a rolling restart of the clients. Check the server logs to confirm that the clients have joined successfully.

3. Set verify_outgoing and verify_server_hostname to false in the Consul server config file and perform a rolling restart of the servers, restarting the followers first and the leader last to avoid downtime.
   Note: On the clients you will see RPC-related WARN messages; these should go away once you perform Step 4.

4. Follow up in the Consul client config file by setting verify_outgoing and verify_server_hostname to false, then perform a rolling restart of the clients. Check the server logs to confirm that the clients have joined successfully.

5. On the servers, remove verify_incoming, verify_outgoing, verify_server_hostname, and the certificate-related configs, then perform a rolling restart of the followers first and finally the leader.
   Note: On the clients you will see RPC-related WARN messages; these should go away once you perform Step 6.

6. Finally, on the clients, remove verify_incoming, verify_outgoing, verify_server_hostname, and the certificate-related configs, then perform a rolling restart of the clients. Check the server logs to confirm that the clients have joined successfully.
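Two checks recur in every step above: restart the servers followers-first and leader-last, and confirm afterwards that the expected clients are back. The helpers below are an added example, not code from the HashiCorp article or from Consul itself. They work on the plain-text output of two real commands, `consul operator raft list-peers` (to find the leader) and `consul members` (to find client status); the node names, IDs and addresses in the embedded samples are constructed for offline testing, and the column layout assumed is the one those commands print in the open-source build.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article): helpers for ordering the
# rolling restart and for checking that clients rejoined after each step.

# Constructed sample of `consul operator raft list-peers` output.
# Columns: Node ID Address State Voter RaftProtocol
SAMPLE_PEERS='Node      ID                                    Address          State     Voter  RaftProtocol
consul-1  1a2b3c4d-0000-0000-0000-000000000001  10.0.0.11:8300   follower  true   3
consul-2  1a2b3c4d-0000-0000-0000-000000000002  10.0.0.12:8300   leader    true   3
consul-3  1a2b3c4d-0000-0000-0000-000000000003  10.0.0.13:8300   follower  true   3'

# Constructed sample of `consul members` output (open-source column layout).
# Columns: Node Address Status Type Build Protocol DC Segment
SAMPLE_MEMBERS='Node      Address          Status  Type    Build   Protocol  DC   Segment
consul-1  10.0.0.11:8301   alive   server  1.15.2  2         dc1  <all>
client-a  10.0.0.21:8301   alive   client  1.15.2  2         dc1  <default>
client-b  10.0.0.22:8301   left    client  1.15.2  2         dc1  <default>'

# restart_order PEERS_OUTPUT
# Prints server node names one per line in restart order: every follower
# first, the current leader last, so the leader election caused by its
# restart happens only when all followers are already back and healthy.
restart_order() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 == "follower" { print $1 }
    NR > 1 && $4 == "leader"   { leader = $1 }
    END { if (leader != "") print leader }'
}

# missing_clients MEMBERS_OUTPUT NAME...
# Prints each expected client that is not listed as an alive client and
# returns 1 if any are missing, 0 if all expected clients are alive.
# Use it after each client restart before moving to the next step.
missing_clients() {
  members="$1"
  shift
  rc=0
  for name in "$@"; do
    status=$(printf '%s\n' "$members" | awk -v n="$name" \
      'NR > 1 && $1 == n && $4 == "client" { print $3 }')
    if [ "$status" != "alive" ]; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed samples.
echo "Restart order (leader last):"
restart_order "$SAMPLE_PEERS"
echo "Clients not yet alive:"
if missing_clients "$SAMPLE_MEMBERS" client-a client-b; then
  echo "(none)"
fi
```

In a live run, replace the sample variables with command output, for example `restart_order "$(consul operator raft list-peers)"` and `missing_clients "$(consul members)" client-a client-b`. The functions only decide order and report status; the actual restart of each node stays with whatever service manager you already use, since the verify_* and certificate options need a full agent restart rather than a reload.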
Additional Information
The verify_incoming option is for the servers to verify the authenticity of all incoming connections. All clients must have a valid key pair set using cert_file and key_file. Servers will also disallow any non-TLS connections.

The verify_outgoing option is for verifying the authenticity of Consul servers on outgoing connections. Server nodes must present a certificate signed by a common certificate authority present on all agents, set via the agents' ca_file and ca_path options. All server nodes must have an appropriate key pair set using cert_file and key_file.

The verify_server_hostname option is for performing hostname verification on server certificates. All servers must have a certificate valid for server.<datacenter>.<domain>, or the client will reject the handshake. This is a new configuration as of 0.5.1, and it is used to prevent a compromised client from being able to restart in server mode and perform a MITM (Man-In-The-Middle) attack.