Troubleshooting "no filter chains specified" Error in Consul API Gateway

Avatar
Suyash Kumar
  • Updated

Introduction

This article provides detailed steps to resolve issues with the inline certificate configuration in the Consul API Gateway listener after upgrading from the OSS version to the Enterprise version of Consul.

 

Problem

When configuring a new API Gateway listener with an inline certificate, the listener fails to start due to missing Enterprise metadata fields (namespace and partition) in the certificate configuration. This issue arises because the certificate was originally configured before upgrading Consul from OSS to Enterprise.

 

Prerequisites

  • Consul Enterprise version

  • Consul API Gateway

  • Access to the Consul and Nomad environments

  • Valid TLS certificates

 

Cause

This issue occurs because the original inline certificate configuration does not include the required namespace and partition metadata fields that are specific to Consul Enterprise. Without these fields, the API Gateway listener cannot reference the certificate correctly in the Enterprise environment.

 

Error Message

The logs of the API Gateway allocation might display the following error:

error adding listener '0.0.0.0:8089': no filter chains specified

 

Overview of Possible Solutions

The issue can be resolved by creating a new inline certificate configuration with the required metadata fields and updating the API Gateway listener configuration to reference it.

 

Solutions

Solution 1: Create a New Inline Certificate Configuration

  1. Log in to the Consul environment with the privilege to create configuration entries.

  2. Create a new inline certificate configuration entry, ensuring you include the namespace and partition fields. 

    $ cat inline-cert.hcl
    Kind = "inline-certificate"
    Name = "api-gw-inline"
Namespace = "<your-namespace>"
Partition = "<your-partition>"
Certificate = "<your-certificate-data>"
PrivateKey = "<your-private-key-data>"

  3. Save the file and apply the configuration using the command - consul config write inline-cert.hcl.

Solution 2: Update the API Gateway Listener Configuration

  1. Access the API Gateway listener configuration.

  2. Update the listener to reference the newly created inline certificate

    $ cat gateway-listener.hcl
    Kind = "api-gateway"
    Name = "my-api-gateway"

    Listeners = [
      {
        Port = 8089
        Name = "new-http-listener"
        Protocol = "http"
        TLS = {
          Certificates = [
            {
               Kind = "inline-certificate"
               Name = "api-gw-inline"
            }
          ]
        }
      }
    ]

  3. Apply the changes using the command - consul config write gateway-listener.hcl.

Solution 3: Test Connectivity

  1. Check the API Gateway allocation logs to confirm the listener was successfully added. It should be look like below - 

    lds: add/update listener 'http:0.0.0.0:8089'

  2. Test connectivity to the backend service using the curl command:

    curl -k https://<api-gateway-endpoint>:8089/health

  3. Verify that the backend service responds correctly.

 

Outcome

After following the above steps:

  • The API Gateway listener should be configured correctly with the inline certificate.

  • Allocation logs should confirm successful listener addition.

  • Connectivity to the backend service should work as expected.

  • All API Gateway instances should be healthy and serving requests seamlessly.

If the issue persists, review the configuration steps or contact HashiCorp Support for further assistance.

 

Additional Information

Articles in this section

See more