
Hashicorp Consul - Vault Cert Management Part 2

Shen Zhen, China

Configure Consul

Consul Server

Create a directory for the certificates and configure Consul TLS using the following configuration:

mkdir -p /opt/consul/agent-certs

/etc/consul.d/client.hcl

tls {
  defaults {
    ca_file = "/opt/consul/agent-certs/ca.crt"
    cert_file = "/opt/consul/agent-certs/agent.crt"
    key_file = "/opt/consul/agent-certs/agent.key"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true
  }
  https {
    verify_incoming = true
  }
}

auto_encrypt {
  allow_tls = true
}

I already created my certificates with the following command:

Careful: The official documentation uses the common name server.dc1.consul, i.e. the default datacenter dc1 and the default domain consul. My datacenter is named consul, so the common name becomes server.consul.consul (and the PKI role consul-consul). With verify_server_hostname = true an agent rejects any server certificate whose name does not match server.<datacenter>.<domain>, so a mismatch here makes certificate verification fail. This name appears several times in the following commands; change all of them to match your setup.

vault write pki_int/issue/consul-consul common_name="server.consul.consul" ttl="24h" | tee consul_certs.txt

Use the following commands to extract the two certificates and the private key from consul_certs.txt into the files the configuration above references. Two caveats: grep -z terminates its output with a NUL byte, so if a tool refuses the resulting file, append | tr -d '\0' to the pipeline; and the private_key header reads RSA PRIVATE KEY only because the role uses the default RSA key type, so adjust the pattern if your role issues EC keys.

grep -Pzo "(?s)(?<=certificate)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.crt
grep -Pzo "(?s)(?<=issuing_ca)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/ca.crt
grep -Pzo "(?s)(?<=private_key)[^\-]*.*?END RSA PRIVATE KEY[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.key
chown -R consul:consul /opt/consul/agent-certs

Consul Minions

With auto-encryption, the Consul servers distribute certificates to the clients automatically. To use this feature, configure the clients to request their certificate from the servers. The clients still need the CA certificate: it is how they verify the server they are about to fetch a certificate from, so without it a client cannot distinguish a real server from an impostor.

mkdir -p /opt/consul/agent-certs

Configure Consul client TLS using the following configuration:

/etc/consul.d/consul.hcl

tls {
  defaults {
    verify_incoming = true
    verify_outgoing = true
    ca_file = "/opt/consul/agent-certs/ca.crt"
  }
  internal_rpc {
    verify_server_hostname = true
  }
}

auto_encrypt {
  tls = true
}

Now we need to copy the CA certificate (ca.crt, which is all the client configuration references) to each node into the specified directory. The server's agent.crt and especially agent.key stay on the server. On the server, ca.crt is the same extraction as before:

grep -Pzo "(?s)(?<=issuing_ca)[^\-]*.*?END CERTIFICATE[^\n]*\n" consul_certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/ca.crt
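The following is an added example, not code from the original post: it performs the extraction of the two sections above (the server's agent.crt, agent.key and ca.crt, and the ca.crt the clients need) with awk instead of grep -Pzo, so the files end with a plain newline and no NUL byte, locks down the private key, and checks each file before Consul would load it. It assumes the field names printed by vault write (certificate, issuing_ca, private_key); the consul_certs.txt below is a constructed sample with placeholder bodies, and a temporary directory stands in for /opt/consul/agent-certs.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the table output that
# "vault write pki_int/issue/... | tee consul_certs.txt" produces.
# Assumption: field names are the ones vault prints (certificate, issuing_ca,
# private_key). The sample input below is constructed; bodies are placeholders.
set -eu

# extract_pem FIELD INFILE OUTFILE
# Copies the PEM block that starts on the line whose first column is FIELD
# (exact match, so "private_key" does not catch "private_key_type") up to and
# including its "-----END ...-----" line. No NUL byte is appended.
extract_pem() {
  field=$1; infile=$2; outfile=$3
  awk -v key="$field" '
    $1 == key { sub("^" key "[ \t]*", ""); inblock = 1 }
    inblock { print }
    inblock && /^-----END / { exit }
  ' "$infile" > "$outfile"
  # An empty ca_file or key_file only surfaces as a confusing agent start-up
  # error, so fail here instead.
  [ -s "$outfile" ] || { echo "extract_pem: no $field block in $infile" >&2; return 1; }
}

# check_pem_file FILE TYPE
# Sanity-checks what the agent will load: exactly one PEM block of the given
# type, header and trailer on their own lines, and no stray NUL byte.
check_pem_file() {
  file=$1; type=$2
  [ "$(head -n 1 "$file")" = "-----BEGIN $type-----" ] || { echo "$file: bad header" >&2; return 1; }
  [ "$(tail -n 1 "$file")" = "-----END $type-----" ] || { echo "$file: bad trailer" >&2; return 1; }
  [ $(( $(grep -c -- '-----BEGIN ' "$file") )) -eq 1 ] || { echo "$file: expected one block" >&2; return 1; }
  [ $(( $(tr -d '\000' < "$file" | wc -c) )) -eq $(( $(wc -c < "$file") )) ] || { echo "$file: NUL byte" >&2; return 1; }
}

WORKDIR=$(mktemp -d)
CERT_DIR="$WORKDIR/agent-certs"   # stands in for /opt/consul/agent-certs
mkdir -p "$CERT_DIR"

# Constructed stand-in for consul_certs.txt (layout of "vault write" output,
# placeholder bodies instead of real key material).
cat > "$WORKDIR/consul_certs.txt" <<'EOF'
Key                 Value
---                 -----
ca_chain            [-----BEGIN CERTIFICATE-----
CHAINPLACEHOLDER
-----END CERTIFICATE-----]
certificate         -----BEGIN CERTIFICATE-----
AGENTCERTPLACEHOLDER
-----END CERTIFICATE-----
expiration          1700000000
issuing_ca          -----BEGIN CERTIFICATE-----
ISSUINGCAPLACEHOLDER
-----END CERTIFICATE-----
private_key         -----BEGIN RSA PRIVATE KEY-----
PRIVATEKEYPLACEHOLDER
-----END RSA PRIVATE KEY-----
private_key_type    rsa
serial_number       00:11:22:33
EOF

extract_pem certificate "$WORKDIR/consul_certs.txt" "$CERT_DIR/agent.crt"
extract_pem issuing_ca  "$WORKDIR/consul_certs.txt" "$CERT_DIR/ca.crt"
extract_pem private_key "$WORKDIR/consul_certs.txt" "$CERT_DIR/agent.key"

# The key is the only secret: owner-only permissions, and it never leaves the
# server. Clients receive ca.crt only; auto_encrypt hands them their own cert.
chmod 0644 "$CERT_DIR/agent.crt" "$CERT_DIR/ca.crt"
chmod 0600 "$CERT_DIR/agent.key"
if id consul >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  chown -R consul:consul "$CERT_DIR"
fi

check_pem_file "$CERT_DIR/agent.crt" CERTIFICATE
check_pem_file "$CERT_DIR/ca.crt"    CERTIFICATE
check_pem_file "$CERT_DIR/agent.key" "RSA PRIVATE KEY"
echo "agent certs written to $CERT_DIR"
```

On a real server point it at the real consul_certs.txt and /opt/consul/agent-certs; then `openssl x509 -in agent.crt -noout -subject` should show CN = server.<datacenter>.<domain>, and `openssl verify -partial_chain -CAfile ca.crt agent.crt` should print OK (the -partial_chain flag is needed because ca.crt is the Vault intermediate, not a self-signed root). Copy only ca.crt to the clients.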

Cert Rotation

Now that we have our certificate authority (CA) and have configured our master and minion agents to use short-lived certificates issued by our Vault intermediate CA, we need to implement automatic rotation before a certificate expires.