Hashicorp Consul - Vault Cert Management Part 2
Configure Consul
Consul Server
Create a directory for the certificates and configure Consul TLS using the following configuration:
mkdir -p /opt/consul/agent-certs
/etc/consul.d/client.hcl
tls {
  defaults {
    ca_file         = "/opt/consul/agent-certs/ca.crt"
    cert_file       = "/opt/consul/agent-certs/agent.crt"
    key_file        = "/opt/consul/agent-certs/agent.key"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true
  }
  https {
    verify_incoming = true
  }
}
auto_encrypt {
  allow_tls = true
}
I already created my certificates with the following command:
Careful: the official documentation issues the certificate for the default datacenter dc1, i.e. with the common_name server.dc1.consul. I use the datacenter name consul here, so the name becomes server.consul.consul. Consul agents with verify_server_hostname = true only accept a server certificate issued for server.<datacenter>.<domain> (the domain defaults to consul); with any other name the certificate verification fails. This name is used several times in the following commands, so change all of them according to your setup.
vault write pki_int/issue/consul-consul common_name="server.consul.consul" ttl="24h" | tee consul_certs.txt
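To see why the name in the common_name matters, here is an added example that is not part of the original post: a throwaway CA stands in for the Vault intermediate and issues a certificate for server.<dc>.<domain>, and openssl verify then plays the role of a connecting agent with verify_server_hostname = true, which requires the chain to validate against ca_file and the name to match its own datacenter. It assumes openssl is installed and writes only to a temporary directory; the file names and the CA subject are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce with openssl the check
# a Consul agent makes when verify_server_hostname = true. A throwaway CA stands
# in for the Vault intermediate and issues a certificate for server.<dc>.<domain>.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; exit 0; }

# make_test_pki DIR DC DOMAIN: self-signed CA plus a server certificate for
# server.DC.DOMAIN, both valid for one day (hypothetical stand-in for the Vault role).
make_test_pki() {
    dir="$1"; name="server.$2.$3"
    mkdir -p "$dir"
    # CA: extensions come from -extfile so the result does not depend on the
    # local openssl.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Example Consul CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Server certificate: the SAN is what verify_server_hostname is matched against.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s,DNS:localhost\n' "$name" > "$dir/agent.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$name" -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null
    openssl x509 -req -in "$dir/agent.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/agent.ext" -out "$dir/agent.crt" 2>/dev/null
}

# server_cert_ok DIR DC DOMAIN: exit 0 if DIR/agent.crt chains to DIR/ca.crt and
# carries the name server.DC.DOMAIN, i.e. what an agent in datacenter DC accepts.
server_cert_ok() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "server.$2.$3" "$1/agent.crt" >/dev/null 2>&1
}

pki=$(mktemp -d)
make_test_pki "$pki" consul consul          # the post's datacenter name
if server_cert_ok "$pki" consul consul; then echo "dc=consul: accepted"; fi
if ! server_cert_ok "$pki" dc1 consul; then echo "dc=dc1: rejected (hostname mismatch)"; fi
```

On a real server node the same check against the files written below is `openssl verify -CAfile /opt/consul/agent-certs/ca.crt -verify_hostname server.consul.consul /opt/consul/agent-certs/agent.crt`; if the Consul domain setting has been changed from its default consul, the last label changes with it.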
Use the following commands to extract the two certificates and the private key from consul_certs.txt and place them in the right files and location. Note that grep -z terminates each match with a NUL byte, so the files end with a stray NUL, and the third pattern assumes an RSA key; if the Vault role issues EC keys, the marker is END EC PRIVATE KEY instead.
grep -Pzo "(?s)(?<=certificate)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.crt
grep -Pzo "(?s)(?<=issuing_ca)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/ca.crt
grep -Pzo "(?s)(?<=private_key)[^\-]*.*?END RSA PRIVATE KEY[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.key
chown -R consul:consul /opt/consul/agent-certs
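The three grep -Pzo one-liners work, but they are easy to get subtly wrong. As an added example that is not part of the original post, the following extractor parses the same table-format consul_certs.txt with awk instead: the files carry no trailing NUL byte, the END marker is matched generically so EC keys work as well as RSA, and the private key is created with mode 0600 before chown. The sample Vault output is constructed and its PEM bodies are placeholders, not real key material; the temporary directory and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the PEM blocks from the
# table output of `vault write pki_int/issue/... | tee consul_certs.txt`.
set -eu

# extract_pem KEY FILE: print the PEM block stored under table key KEY
# (certificate, issuing_ca or private_key) in FILE, without table indentation.
extract_pem() {
    awk -v key="$1" '
        # The key is the first whitespace-separated field and the value starts
        # on the same line; ca_chain and private_key_type never compare equal.
        $1 == key { inblock = 1; sub("^" key "[ \t]*", "") }
        inblock {
            sub(/^[ \t]+/, "")            # strip indentation of continuation lines
            print
            if ($0 ~ /^-----END /) exit   # the first END marker closes this block
        }
    ' "$2"
}

# install_consul_certs SRC DEST: write agent.crt, ca.crt and agent.key into DEST
# from the saved Vault output SRC, mirroring the post's three commands.
install_consul_certs() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    extract_pem certificate "$src" > "$dest/agent.crt"
    extract_pem issuing_ca  "$src" > "$dest/ca.crt"
    # umask in a subshell: only the key is created 0600, the caller's umask stays
    ( umask 077; extract_pem private_key "$src" > "$dest/agent.key" )
}

# pem_type FILE: print the type named in the first line, e.g. CERTIFICATE or
# EC PRIVATE KEY; empty if FILE does not start with a BEGIN marker.
pem_type() {
    head -n 1 "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Constructed sample in the shape of Vault's table output; the PEM bodies are
# placeholders, not real certificates or keys.
SAMPLE_VAULT_OUTPUT='Key                 Value
---                 -----
ca_chain            [-----BEGIN CERTIFICATE-----
MIIBchainplaceholder
-----END CERTIFICATE-----]
certificate         -----BEGIN CERTIFICATE-----
MIIBagentplaceholder
-----END CERTIFICATE-----
expiration          1700000000
issuing_ca          -----BEGIN CERTIFICATE-----
MIIBissuerplaceholder
-----END CERTIFICATE-----
private_key         -----BEGIN EC PRIVATE KEY-----
MHcCAQEEagentkeyplaceholder
-----END EC PRIVATE KEY-----
private_key_type    ec
serial_number       4d:5e:6f:70'

# Demo run against the sample in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_VAULT_OUTPUT" > "$demo_dir/consul_certs.txt"
install_consul_certs "$demo_dir/consul_certs.txt" "$demo_dir/agent-certs"
for f in agent.crt ca.crt agent.key; do
    printf '%s: %s\n' "$f" "$(pem_type "$demo_dir/agent-certs/$f")"
done
```

On a node with Vault access the parsing can be avoided altogether by requesting JSON, e.g. `vault write -format=json pki_int/issue/consul-consul common_name="server.consul.consul" ttl="24h" | jq -r .data.certificate` (and .data.issuing_ca, .data.private_key). Whichever way the files are produced, the key file should be readable only by the consul user.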
Consul Minions
With auto-encrypt, the Consul servers distribute certificates to the clients automatically. The clients still need the CA certificate to verify the servers; once that connection is verified, a server issues the client its own certificate, so no client certificate or key has to be copied by hand.
mkdir -p /opt/consul/agent-certs
Configure Consul client TLS using the following configuration:
/etc/consul.d/consul.hcl
tls {
  defaults {
    verify_incoming = true
    verify_outgoing = true
    ca_file         = "/opt/consul/agent-certs/ca.crt"
  }
  internal_rpc {
    verify_server_hostname = true
  }
}
auto_encrypt {
  tls = true
}
Now we need to copy the extracted ca.crt (the issuing CA, not the server's agent.crt, which stays on the server together with its key) to each client node into the specified directory. If consul_certs.txt is available on the node, it can be extracted with the same command as on the server:
grep -Pzo "(?s)(?<=issuing_ca)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/ca.crt
Cert Rotation
Now that we have our Certificate Authority (CA) and have configured our master and minion servers to use the short-lived certificates issued by it, we need to implement automatic rotation so that each certificate is replaced before it expires.