Secure Consul Agent Communication with TLS Encryption
Securing your datacenter with TLS encryption is an important step for production deployments. TLS configuration is also a prerequisite of our Security Model. Correctly configuring TLS can be a complex process, especially given the wide range of deployment methodologies. This tutorial will provide you with a production ready TLS configuration for RPC and consensus communication. However, you will need to secure HTTP communication for the CLI and UI separately
Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single Certificate Authority(CA). Clients should also have certificates that are authenticated with the same CA.
If you want to secure service-to-service communication with TLS, review the secure service communication tutorial.
Prerequisites
The certificate generation and distribution steps outlined in this tutorial are meant for new Consul datacenters. All the steps should be completed before you start the agent. Review the Deployment Guide if you're getting started.
If you need to enable TLS encryption on an existing datacenter, review this tutorial and then complete the update Agents to Communicate with TLS tutorial. The tutorial for the existing datacenter includes steps for a zero-downtime update of the agents.
This tutorial is structured in way that you build knowledge with every step. It is recommended to read the whole tutorial before starting with the actual work.
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
Initialize the built-in CA
One of the first steps to configuring TLS for Consul is generating certificates. In order to prevent unauthorized datacenter access, Consul requires all certificates be signed by the same Certificate Authority (CA). This should be a private CA and not a public one as any certificate signed by this CA will be allowed to communicate with the datacenter.
There are a variety of tools for managing your own CA, like the PKI secret backend in Vault, but for the sake of simplicity this tutorial you will use Consul's built-in TLS helpers to create a CA. You will only need to create one CA for the datacenter. You should generate all certificates on the same node or workstation that is used to create the CA. The node or workstation should be stable, preferably not a Consul agent or a cloud server.
You can create the CA and certificates before starting Consul, as long as you have the Consul binary installed in your path.
The CA certificate, consul-agent-ca.pem
, contains the public key necessary to
validate Consul certificates and therefore must be distributed to every node
that runs a consul agent.
The CA key, consul-agent-ca-key.pem
, will be used to sign certificates for Consul
nodes and must be kept private. Possession of this key allows anyone to run Consul as
a trusted server or generate new valid certificates for the datacenter and obtain access to all Consul data, including ACL tokens.
Create the server certificates
Create a server certificate for datacenter dc1
and domain consul
, if your
datacenter or domain is different, remember to use the appropriate flags.
Repeat this process on the same node where you created the CA, until there is an individual certificate for each server. The command can be called over and over again, it will automatically increase the certificate and key numbers. You will need to distribute the certificates to the servers.
Below is an example for datacenter "dc1".
In order to authenticate Consul servers, servers are provided with a special
certificate - one that contains server.dc1.consul
in the Common Name
and in the Subject Alternative Name
. If you enable
verify_server_hostname
,
only agents that provide such certificate are allowed to boot as a server.
Without verify_server_hostname = true
an attacker could compromise a Consul
client agent and restart the agent as a server in order to get access to all the
data in your datacenter! This is why server certificates are special, and only
servers should have them provisioned.
NOTE Server keys, like the CA key, must be kept private - they effectively allow access to all Consul data.
Distribute the server certificates
After generating the server certificates, you will need to distribute them to the Consul servers and put their on-disk location in the agent configuration file.
The following files need to be copied to your Consul server:
consul-agent-ca.pem
: CA public certificate.dc1-server-consul-0.pem
: Consul server node public certificate for thedc1
datacenter.dc1-server-consul-0-key.pem
: Consul server node private key for thedc1
datacenter.
Repeat this process until all servers have these three files.
Client certificate distribution
There are two methods for distributing client certificates: auto encryption and operator. We recommend the auto-encryption method to alleviate the client certificate generation and distribution step for operators. This method uses the Connect CA to generate client certificates, which are automatically distributed to all Consul clients.
Use the operator method if you need to use a third-party CA or need more fine-grained control over certificate management. Review the Secure Agent Communication with Existing Certificate Authority tutorial for an example of using OpenSSL as a third-party CA.
This section describes the automated client certificate deployment process in Consul 1.5.2 and newer.
Configure the servers
At the beginning of this tutorial, you created the server certificates and distributed them.
To use auto-encryption to distribute the client certificates, you will need to enable the auto_encrypt
feature. Configure your
servers with the following options.
Note
Consul will load all files in the configuration directory, for the following examples, you can add the configuration
as new files. You can also add them to an existing configuration file, however, you should ensure that the syntax is valid before applying
it to the agent. You can use consul validate
to check configuration validity for
both JSON and HCL files.
Notice that in addition to the verify settings, you need to enable allow_tls
. The verify
settings ensure that all communication between servers and clients is verified. When auto_encrypt
is enabled,
verify_outgoing
is enabled by default.
Configure the clients
With auto-encryption, you can configure the Consul servers to automatically distribute certificates to the clients. To use this feature, you will need to configure clients to automatically get the certificates from the server.
Note, this method stores the certificates in memory, they are not persisted.
Configure the clients with the following options.
Start Consul
Now that you have configured your servers and clients, you can start the Consul process.
Your agents will only be communicating with TLS encryption for RPC and consensus.
Next steps
After completing this tutorial, your agents will be configured with TLS for encrypted communication. With the auto encryption method, your client certificates are managed by the server. With the operator method, you distributed all the certificates, but have a more flexible configuration.
The other prerequisites for a secure Consul deployment are gossip encryption and ACLs with default deny.
Additional TLS encryption resources
For more TLS content review our other tutorials:
Enable TLS encryption on an existing datacenter. Generate TLS certificates with OpenSSL and secure the CLI and UI communication.