Introduction
This article provides detailed steps to resolve issues with the inline certificate configuration in the Consul API Gateway listener after upgrading from the OSS version to the Enterprise version of Consul.
Problem
When configuring a new API Gateway listener with an inline certificate, the listener fails to start due to missing Enterprise metadata fields (namespace and partition) in the certificate configuration. This issue arises because the certificate was originally configured before upgrading Consul from OSS to Enterprise.
Prerequisites
-
Consul Enterprise version
-
Consul API Gateway
-
Access to the Consul and Nomad environments
-
Valid TLS certificates
Cause
This issue occurs because the original inline certificate configuration does not include the required namespace and partition metadata fields that are specific to Consul Enterprise. Without these fields, the API Gateway listener cannot reference the certificate correctly in the Enterprise environment.
Error Message
The logs of the API Gateway allocation might display the following error:
error adding listener '0.0.0.0:8089': no filter chains specified
Overview of Possible Solutions
The issue can be resolved by creating a new inline certificate configuration with the required metadata fields and updating the API Gateway listener configuration to reference it.
Solutions
Solution 1: Create a New Inline Certificate Configuration
-
Log in to the Consul environment with the privilege to create configuration entries.
-
Create a new inline certificate configuration entry, ensuring you include the namespace and partition fields.
$ cat inline-cert.hcl
Kind = "inline-certificate"
Name = "api-gw-inline" Namespace = "<your-namespace>" Partition = "<your-partition>" Certificate = "<your-certificate-data>" PrivateKey = "<your-private-key-data>" -
Save the file and apply the configuration using the command -
consul config write inline-cert.hcl
.
Solution 2: Update the API Gateway Listener Configuration
-
Access the API Gateway listener configuration.
-
Update the listener to reference the newly created inline certificate
$ cat gateway-listener.hcl
Kind = "api-gateway"
Name = "my-api-gateway"
Listeners = [
{
Port = 8089
Name = "new-http-listener"
Protocol = "http"
TLS = {
Certificates = [
{
Kind = "inline-certificate"
Name = "api-gw-inline"
}
]
}
}
] -
Apply the changes using the command -
consul config write gateway-listener.hcl
.
Solution 3: Test Connectivity
-
Check the API Gateway allocation logs to confirm the listener was successfully added. It should be look like below -
lds: add/update listener 'http:0.0.0.0:8089'
-
Test connectivity to the backend service using the
curl
command:curl -k https://<api-gateway-endpoint>:8089/health
-
Verify that the backend service responds correctly.
Outcome
After following the above steps:
-
The API Gateway listener should be configured correctly with the inline certificate.
-
Allocation logs should confirm successful listener addition.
-
Connectivity to the backend service should work as expected.
-
All API Gateway instances should be healthy and serving requests seamlessly.
If the issue persists, review the configuration steps or contact HashiCorp Support for further assistance.