Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

connect: certificate chain to contain root cert #6613

Closed
yuval-k opened this issue Oct 10, 2019 · 4 comments
Closed

connect: certificate chain to contain root cert #6613

yuval-k opened this issue Oct 10, 2019 · 4 comments
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies

Comments

@yuval-k
Copy link

yuval-k commented Oct 10, 2019

I'm trying to establish trust between a consul connect cluster and a kube cluster.
I'm setting the root-cert in consul connect, and trying to send requests from outside the cluster.

The request are being rejected by the client in the kube cluster - it complains that the CA is invalid. I believe that the reason is that consul doesn't set the cert chain correctly.

in the config dump of the envoy sidecar in consul (i.e. connect envoy -sidecar-for), i see:

      "filter_chains": [
       {
        "tls_context": {
         "common_tls_context": {
          "tls_params": {},
          "tls_certificates": [
           {
            "certificate_chain": {
             "inline_string": "-----BEGIN CERTIFICATE-----\nMIICijCCAjGgAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xOTEwMDgwMzUwNTRaFw0xOTEwMTEwMzUwNTRaMBAxDjAMBgNVBAMT\nBXNvY2F0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERVohXsxeMMEjfCBQwq4x\nHNjEBlVmzm6J6Iih+ETqKBROg7PtZ4hBSgV/UsszCsNPFQDBVlnkmYMuth9IObHv\nbqOCAXQwggFwMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI\nKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfODA6YTE6ZWE6YmM6ZGE6\nNzk6MDU6ZWU6MmI6ZWI6NDc6YzQ6ZTI6MzA6MTA6MDM6MzE6OTA6YmM6YWE6MDU6\nZjY6ODc6M2E6NmY6Yjc6NGU6OTQ6OGM6YTY6NTU6MjEwagYDVR0jBGMwYYBfODA6\nYTE6ZWE6YmM6ZGE6Nzk6MDU6ZWU6MmI6ZWI6NDc6YzQ6ZTI6MzA6MTA6MDM6MzE6\nOTA6YmM6YWE6MDU6ZjY6ODc6M2E6NmY6Yjc6NGU6OTQ6OGM6YTY6NTU6MjEwWwYD\nVR0RBFQwUoZQc3BpZmZlOi8vZjZhYzU5ZGYtMzhmMC1lNzA1LTI5NmUtODc4Y2I4\nNWE5YmNkLmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvc29jYXQwCgYIKoZI\nzj0EAwIDRwAwRAIgY1htgFRBZV1Z7cz0Uxf/Pz38Vpi5VxEiMeCFlnF2ItMCIBri\nO/UnN00Hs71VJuZvlGp1voY/ceQjri7KxxqjOD4F\n-----END CERTIFICATE-----\n"
            },
            "private_key": {
             "inline_string": "-----BEGIN EC PRIVATE KEY-----\...==\n-----END EC PRIVATE KEY-----\n"
            }
           }
          ],
          "validation_context": {
           "trusted_ca": {
            "inline_string": "-----BEGIN CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUTzDrByrh9HABSLVCb+G1bGe+3swwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkxMDA3\nMTkyOTAzWhcNMjkxMDA0MTkyOTAzWjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK1wP95w\nj1E+K20Lf3gthtgzMxTqxYl9PtUm50eLCcX8xeqSAZuP4jTVnF/9Xul2KYG+gK3g\n/I2eYR9/kWitdccxzWa5SaGOaTTb72nWcfpsuSJCp8t5fm3ymrsNCSfFrbERK8M+\njc4z7AtoHYGhTj8Pp1o51El1qcb0Rh9NXc2xfbFCoYpC1FVDxA6EWd5PekU5O6C3\nGGi+l3RQ5yxRTaQAy3EYtP7c/4wEd35QiWaxMk/fDmyQex+jj3HuhMPMWBMs/WNz\ntWtGxLz17R8LSea5+Z4r45PVNOWfBKg/FDyK0+e3yf1qAB5E19g+vUGp5tEHFkC2\nLaJWHw204/tgyq2k4KsnODxqISwuD3XbsM4uCPCGP2G0Le1OGvnW+2f31MhB5/WU\nMb09quM9X+eN588UyXL3j1PHpn1dwiedTIthHyW2jM9iV4eszyrhDirImgwsrPih\nq36Svi/Qz9uxUE4Yojz+ORe+WELlx2mYj1DeRI7re/P+V8FmuZ7nRJNqKTzHFdgH\n+YVGWWcVsLXGdNXaYslkf/X7TMdIiuAS7AcPGiCkT4WUzQ9qCaUhm+I7w0fImq1J\nHDgtFdmlzXsLfDtwNuKAr+X/W+wSq4GxAIZK1umdg4+p5RTrkvikmFcTgk9FfyoR\nW5bDOt+uw64ElkKRF1yU0gh+Uyxzx8XXtbthAgMBAAGjQjBAMB0GA1UdDgQWBBS0\nCbO8ykrJJaZ4N0h7yqZOxtldljAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAmcdgLzsiLJgZ3WmzZN/V28cok14wVprE\nC+JhIEyWPXFDSE3+COm89wKGxVxZcqfdj1Mi8ufoUSKtHxs/F78QFNVcbTVIGxKH\nYv6Enum58qtCKQErYZ9fhbDrHINaedgTg0qCzu8CmwY+WAQH6KydBL/1hXOQIcC+\ntwxTWXU3mdXzMwFJ96n4AHC1XFFghKOJC18iE9lAWHRL662yy26m8ZhAG6Ug2n9O\nwDo1wr1Qj5pvFFNcErrYVBZjsTKR7209RgR54ux1I0BG7rVo9E2V+GY9U/YRQ5YH\nuudo1VclEamUHaO64V0VdGdswYm3Rf4uzQjB528WFW4RbxPjoyMfh02j8QmmQUb7\nwkxdg6hv7PdhjqgFaxUOfzRDMgQ4IoQqxZMvWRei88OQpXUYzlNx5NBdj1259qzz\nwehFqPE55lJKUsC3P3U8osvU5HQodeIKXUi0XCFJu1UdyxMw15l9KsWjol0FuWYH\njLny/3TmpQFtMBOT7ovHh/O6UC+vxRBIkHtZVZJ0bcBatUxEyLJF9qE2o+0C28pc\nMbrNusptW6cKtyjmEClgQy949/LvHYVckctILit1f7ugB3YIkHNcvCIxl0syN3N4\nrZi+s5xsJnuWOV9O81Y98WuTD5thcKwfQEIHYkWbkcsy/ECwvGVeTg6uQY9Vuu1E\n4WchALFZNUQ=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICWjCCAf+gAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xOTEwMDgwMzUxNTRaFw0yOTEwMDgwMzUxNTRaMBYxFDASBgNVBAMT\nC0NvbnN1bCBDQSA3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjwu2kzuJrr1k\nuEhkTaxCwGBs0ZnYJMikwi7cAQXf7cDpKEfl27eB3WlABdn4vHuYmw+OSW45BCd0\n01/JivIjMKOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/\nMGgGA1UdDgRhBF84MDphMTplYTpiYzpkYTo3OTowNTplZToyYjplYjo0NzpjNDpl\nMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2ZjpiNzo0ZTo5NDo4\nYzphNjo1NToyMTBqBgNVHSMEYzBhgF84MDphMTplYTpiYzpkYTo3OTowNTplZToy\nYjplYjo0NzpjNDplMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2\nZjpiNzo0ZTo5NDo4YzphNjo1NToyMTA/BgNVHREEODA2hjRzcGlmZmU6Ly9mNmFj\nNTlkZi0zOGYwLWU3MDUtMjk2ZS04NzhjYjg1YTliY2QuY29uc3VsMAoGCCqGSM49\nBAMCA0kAMEYCIQCGy0Uorj6CjpwwNgR23OrnXSlmZt7hA5RPoNhPyAqehAIhAOeS\nSMtlnj4jBkBPIoONWgQI51ItqiRrqqWdLdq30jdg\n-----END CERTIFICATE-----\n"
           }
          }
         },
         "require_client_certificate": true
        },

Note that: the certificate_chain contain only the leaf certificate, and trusted_ca contains the root and intermediary cert.

I would expect that the certificate_chain to contain the certs up to the root, and that the trusted_ca would only contain the root cert, like so:

      "filter_chains": [
       {
        "tls_context": {
         "common_tls_context": {
          "tls_params": {},
          "tls_certificates": [
           {
            "certificate_chain": {
             "inline_string": "-----BEGIN CERTIFICATE-----\nMIICijCCAjGgAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xOTEwMDgwMzUwNTRaFw0xOTEwMTEwMzUwNTRaMBAxDjAMBgNVBAMT\nBXNvY2F0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERVohXsxeMMEjfCBQwq4x\nHNjEBlVmzm6J6Iih+ETqKBROg7PtZ4hBSgV/UsszCsNPFQDBVlnkmYMuth9IObHv\nbqOCAXQwggFwMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI\nKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfODA6YTE6ZWE6YmM6ZGE6\nNzk6MDU6ZWU6MmI6ZWI6NDc6YzQ6ZTI6MzA6MTA6MDM6MzE6OTA6YmM6YWE6MDU6\nZjY6ODc6M2E6NmY6Yjc6NGU6OTQ6OGM6YTY6NTU6MjEwagYDVR0jBGMwYYBfODA6\nYTE6ZWE6YmM6ZGE6Nzk6MDU6ZWU6MmI6ZWI6NDc6YzQ6ZTI6MzA6MTA6MDM6MzE6\nOTA6YmM6YWE6MDU6ZjY6ODc6M2E6NmY6Yjc6NGU6OTQ6OGM6YTY6NTU6MjEwWwYD\nVR0RBFQwUoZQc3BpZmZlOi8vZjZhYzU5ZGYtMzhmMC1lNzA1LTI5NmUtODc4Y2I4\nNWE5YmNkLmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvc29jYXQwCgYIKoZI\nzj0EAwIDRwAwRAIgY1htgFRBZV1Z7cz0Uxf/Pz38Vpi5VxEiMeCFlnF2ItMCIBri\nO/UnN00Hs71VJuZvlGp1voY/ceQjri7KxxqjOD4F\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICWjCCAf+gAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xOTEwMDgwMzUxNTRaFw0yOTEwMDgwMzUxNTRaMBYxFDASBgNVBAMT\nC0NvbnN1bCBDQSA3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjwu2kzuJrr1k\nuEhkTaxCwGBs0ZnYJMikwi7cAQXf7cDpKEfl27eB3WlABdn4vHuYmw+OSW45BCd0\n01/JivIjMKOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/\nMGgGA1UdDgRhBF84MDphMTplYTpiYzpkYTo3OTowNTplZToyYjplYjo0NzpjNDpl\nMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2ZjpiNzo0ZTo5NDo4\nYzphNjo1NToyMTBqBgNVHSMEYzBhgF84MDphMTplYTpiYzpkYTo3OTowNTplZToy\nYjplYjo0NzpjNDplMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2\nZjpiNzo0ZTo5NDo4YzphNjo1NToyMTA/BgNVHREEODA2hjRzcGlmZmU6Ly9mNmFj\nNTlkZi0zOGYwLWU3MDUtMjk2ZS04NzhjYjg1YTliY2QuY29uc3VsMAoGCCqGSM49\nBAMCA0kAMEYCIQCGy0Uorj6CjpwwNgR23OrnXSlmZt7hA5RPoNhPyAqehAIhAOeS\nSMtlnj4jBkBPIoONWgQI51ItqiRrqqWdLdq30jdg\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUTzDrByrh9HABSLVCb+G1bGe+3swwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkxMDA3\nMTkyOTAzWhcNMjkxMDA0MTkyOTAzWjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK1wP95w\nj1E+K20Lf3gthtgzMxTqxYl9PtUm50eLCcX8xeqSAZuP4jTVnF/9Xul2KYG+gK3g\n/I2eYR9/kWitdccxzWa5SaGOaTTb72nWcfpsuSJCp8t5fm3ymrsNCSfFrbERK8M+\njc4z7AtoHYGhTj8Pp1o51El1qcb0Rh9NXc2xfbFCoYpC1FVDxA6EWd5PekU5O6C3\nGGi+l3RQ5yxRTaQAy3EYtP7c/4wEd35QiWaxMk/fDmyQex+jj3HuhMPMWBMs/WNz\ntWtGxLz17R8LSea5+Z4r45PVNOWfBKg/FDyK0+e3yf1qAB5E19g+vUGp5tEHFkC2\nLaJWHw204/tgyq2k4KsnODxqISwuD3XbsM4uCPCGP2G0Le1OGvnW+2f31MhB5/WU\nMb09quM9X+eN588UyXL3j1PHpn1dwiedTIthHyW2jM9iV4eszyrhDirImgwsrPih\nq36Svi/Qz9uxUE4Yojz+ORe+WELlx2mYj1DeRI7re/P+V8FmuZ7nRJNqKTzHFdgH\n+YVGWWcVsLXGdNXaYslkf/X7TMdIiuAS7AcPGiCkT4WUzQ9qCaUhm+I7w0fImq1J\nHDgtFdmlzXsLfDtwNuKAr+X/W+wSq4GxAIZK1umdg4+p5RTrkvikmFcTgk9FfyoR\nW5bDOt+uw64ElkKRF1yU0gh+Uyxzx8XXtbthAgMBAAGjQjBAMB0GA1UdDgQWBBS0\nCbO8ykrJJaZ4N0h7yqZOxtldljAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAmcdgLzsiLJgZ3WmzZN/V28cok14wVprE\nC+JhIEyWPXFDSE3+COm89wKGxVxZcqfdj1Mi8ufoUSKtHxs/F78QFNVcbTVIGxKH\nYv6Enum58qtCKQErYZ9fhbDrHINaedgTg0qCzu8CmwY+WAQH6KydBL/1hXOQIcC+\ntwxTWXU3mdXzMwFJ96n4AHC1XFFghKOJC18iE9lAWHRL662yy26m8ZhAG6Ug2n9O\nwDo1wr1Qj5pvFFNcErrYVBZjsTKR7209RgR54ux1I0BG7rVo9E2V+GY9U/YRQ5YH\nuudo1VclEamUHaO64V0VdGdswYm3Rf4uzQjB528WFW4RbxPjoyMfh02j8QmmQUb7\nwkxdg6hv7PdhjqgFaxUOfzRDMgQ4IoQqxZMvWRei88OQpXUYzlNx5NBdj1259qzz\nwehFqPE55lJKUsC3P3U8osvU5HQodeIKXUi0XCFJu1UdyxMw15l9KsWjol0FuWYH\njLny/3TmpQFtMBOT7ovHh/O6UC+vxRBIkHtZVZJ0bcBatUxEyLJF9qE2o+0C28pc\nMbrNusptW6cKtyjmEClgQy949/LvHYVckctILit1f7ugB3YIkHNcvCIxl0syN3N4\nrZi+s5xsJnuWOV9O81Y98WuTD5thcKwfQEIHYkWbkcsy/ECwvGVeTg6uQY9Vuu1E\n4WchALFZNUQ=\n-----END CERTIFICATE-----\n"
            },
            "private_key": {
             "inline_string": "-----BEGIN EC PRIVATE KEY-----\...==\n-----END EC PRIVATE KEY-----\n"
            }
           }
          ],
          "validation_context": {
           "trusted_ca": {
            "inline_string": "-----BEGIN CERTIFICATE-----\nMIIFFDCCAvygAwIBAgIUTzDrByrh9HABSLVCb+G1bGe+3swwDQYJKoZIhvcNAQEL\nBQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTkxMDA3\nMTkyOTAzWhcNMjkxMDA0MTkyOTAzWjAiMQ4wDAYDVQQKDAVJc3RpbzEQMA4GA1UE\nAwwHUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK1wP95w\nj1E+K20Lf3gthtgzMxTqxYl9PtUm50eLCcX8xeqSAZuP4jTVnF/9Xul2KYG+gK3g\n/I2eYR9/kWitdccxzWa5SaGOaTTb72nWcfpsuSJCp8t5fm3ymrsNCSfFrbERK8M+\njc4z7AtoHYGhTj8Pp1o51El1qcb0Rh9NXc2xfbFCoYpC1FVDxA6EWd5PekU5O6C3\nGGi+l3RQ5yxRTaQAy3EYtP7c/4wEd35QiWaxMk/fDmyQex+jj3HuhMPMWBMs/WNz\ntWtGxLz17R8LSea5+Z4r45PVNOWfBKg/FDyK0+e3yf1qAB5E19g+vUGp5tEHFkC2\nLaJWHw204/tgyq2k4KsnODxqISwuD3XbsM4uCPCGP2G0Le1OGvnW+2f31MhB5/WU\nMb09quM9X+eN588UyXL3j1PHpn1dwiedTIthHyW2jM9iV4eszyrhDirImgwsrPih\nq36Svi/Qz9uxUE4Yojz+ORe+WELlx2mYj1DeRI7re/P+V8FmuZ7nRJNqKTzHFdgH\n+YVGWWcVsLXGdNXaYslkf/X7TMdIiuAS7AcPGiCkT4WUzQ9qCaUhm+I7w0fImq1J\nHDgtFdmlzXsLfDtwNuKAr+X/W+wSq4GxAIZK1umdg4+p5RTrkvikmFcTgk9FfyoR\nW5bDOt+uw64ElkKRF1yU0gh+Uyxzx8XXtbthAgMBAAGjQjBAMB0GA1UdDgQWBBS0\nCbO8ykrJJaZ4N0h7yqZOxtldljAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE\nAwIC5DANBgkqhkiG9w0BAQsFAAOCAgEAmcdgLzsiLJgZ3WmzZN/V28cok14wVprE\nC+JhIEyWPXFDSE3+COm89wKGxVxZcqfdj1Mi8ufoUSKtHxs/F78QFNVcbTVIGxKH\nYv6Enum58qtCKQErYZ9fhbDrHINaedgTg0qCzu8CmwY+WAQH6KydBL/1hXOQIcC+\ntwxTWXU3mdXzMwFJ96n4AHC1XFFghKOJC18iE9lAWHRL662yy26m8ZhAG6Ug2n9O\nwDo1wr1Qj5pvFFNcErrYVBZjsTKR7209RgR54ux1I0BG7rVo9E2V+GY9U/YRQ5YH\nuudo1VclEamUHaO64V0VdGdswYm3Rf4uzQjB528WFW4RbxPjoyMfh02j8QmmQUb7\nwkxdg6hv7PdhjqgFaxUOfzRDMgQ4IoQqxZMvWRei88OQpXUYzlNx5NBdj1259qzz\nwehFqPE55lJKUsC3P3U8osvU5HQodeIKXUi0XCFJu1UdyxMw15l9KsWjol0FuWYH\njLny/3TmpQFtMBOT7ovHh/O6UC+vxRBIkHtZVZJ0bcBatUxEyLJF9qE2o+0C28pc\nMbrNusptW6cKtyjmEClgQy949/LvHYVckctILit1f7ugB3YIkHNcvCIxl0syN3N4\nrZi+s5xsJnuWOV9O81Y98WuTD5thcKwfQEIHYkWbkcsy/ECwvGVeTg6uQY9Vuu1E\n4WchALFZNUQ=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICWjCCAf+gAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtDb25zdWwg\nQ0EgNzAeFw0xOTEwMDgwMzUxNTRaFw0yOTEwMDgwMzUxNTRaMBYxFDASBgNVBAMT\nC0NvbnN1bCBDQSA3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjwu2kzuJrr1k\nuEhkTaxCwGBs0ZnYJMikwi7cAQXf7cDpKEfl27eB3WlABdn4vHuYmw+OSW45BCd0\n01/JivIjMKOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/\nMGgGA1UdDgRhBF84MDphMTplYTpiYzpkYTo3OTowNTplZToyYjplYjo0NzpjNDpl\nMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2ZjpiNzo0ZTo5NDo4\nYzphNjo1NToyMTBqBgNVHSMEYzBhgF84MDphMTplYTpiYzpkYTo3OTowNTplZToy\nYjplYjo0NzpjNDplMjozMDoxMDowMzozMTo5MDpiYzphYTowNTpmNjo4NzozYTo2\nZjpiNzo0ZTo5NDo4YzphNjo1NToyMTA/BgNVHREEODA2hjRzcGlmZmU6Ly9mNmFj\nNTlkZi0zOGYwLWU3MDUtMjk2ZS04NzhjYjg1YTliY2QuY29uc3VsMAoGCCqGSM49\nBAMCA0kAMEYCIQCGy0Uorj6CjpwwNgR23OrnXSlmZt7hA5RPoNhPyAqehAIhAOeS\nSMtlnj4jBkBPIoONWgQI51ItqiRrqqWdLdq30jdg\n-----END CERTIFICATE-----\n"
           }
          }
         },
         "require_client_certificate": true
        },

What is the reason for the current design? Would you consider the suggested change reasonable?

Consul info for both Client and Server

Server \ Client info 
agent:
	check_monitors = 0
	check_ttls = 0
	checks = 2
	services = 2
build:
	prerelease = 
	revision = 9be6dfc3
	version = 1.6.1
consul:
	acl = disabled
	bootstrap = false
	known_datacenters = 1
	leader = true
	leader_addr = 127.0.0.1:8300
	server = true
raft:
	applied_index = 9938
	commit_index = 9938
	fsm_pending = 0
	last_contact = 0
	last_log_index = 9938
	last_log_term = 2
	last_snapshot_index = 0
	last_snapshot_term = 0
	latest_configuration = [{Suffrage:Voter ID:61070654-f8e9-d115-45c5-3d8dae8e57ae Address:127.0.0.1:8300}]
	latest_configuration_index = 1
	num_peers = 0
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 2
runtime:
	arch = amd64
	cpu_count = 4
	goroutines = 335
	max_procs = 4
	os = linux
	version = go1.12.1
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 1
	event_time = 2
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
@schristoff schristoff added the theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies label Oct 29, 2019
@stale
Copy link

stale bot commented Dec 28, 2019

Hey there,
We wanted to check in on this request since it has been inactive for at least 60 days.
If you think this is still an important issue in the latest version of Consul
or its documentation please reply with a comment here which will cause it to stay open for investigation.
If there is still no activity on this issue for 30 more days, we will go ahead and close it.

Feel free to check out the community forum as well!
Thank you!

@stale stale bot added the waiting-reply Waiting on response from Original Poster or another individual in the thread label Dec 28, 2019
@yuval-k
Copy link
Author

yuval-k commented Jan 6, 2020

i believe it is; nothing in the change log seems to indicate otherwise.

@stale stale bot removed the waiting-reply Waiting on response from Original Poster or another individual in the thread label Jan 6, 2020
@dnephin dnephin mentioned this issue Dec 10, 2021
Closed
@dnephin
Copy link
Contributor

dnephin commented Dec 10, 2021

Thank you for opening this issue! I created #11598 which I believe describes a way to solve this problem.

@kisunji
Copy link
Contributor

kisunji commented Mar 22, 2023

Closed by #11910

@kisunji kisunji closed this as completed Mar 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@yuval-k @dnephin @schristoff @kisunji