Documentation
Get started
What is Consul?
Consul operations
Service networking
Enterprise solutions
Runtimes and platforms
Plugins, integrations, & extensions
Reference docs
Glossary

Enable TLS encryption for existing datacenters

This page describes how to enable TLS encryption to secure Consul agent communication. Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single certificate authority (CA). Clients should also have certificates that are authenticated with the same CA.

This page provides instructions for enabling TLS encryption for existing Consul datacenters. If you are adding TLS encryption to an new Consul datacenter, refer to Enable TLS encryption with built-in CA.

Workflow

The following steps describe the general workflow for enabling TLS encryption for existing Consul datacenters:

Generate server certificates. Generate a client certificate if you are using the operator method.
Distribute certificates, including the CA and private key files to every agent.
Configure the servers, allowing encrypted traffic. Restart each server, one at a time.
Configure the clients to communicate only with TLS Restart each client.
Reconfigure servers to only allow TLS communication. Reload each server, one at a time.

Warning

Failing to perform the steps in the following order may lead to unplanned cluster outages due to failures in authenticating RPC TLS Communication. Complete each step in its entirety before moving to the next one.

Generate the certificates

To configure TLS for Consul, you must generate the certificates. Consul requires all certificates be signed by the same CA to prevent unauthorized datacenter access. This should be a private CA and not a public one since any certificate signed by this CA can communicate with Consul.

There are many tools to manage your own CA, like Vault PKI secret backend. These instructions will use Consul's built-in TLS helpers to create a CA. You will only need to create one CA for the datacenter. You should generate all certificates on the same node or workstation that you used to create the CA. This node or workstation should be stable, preferably not a Consul agent or a cloud server.

Create the CA and certificates.

$ consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem

This will generate two files:

The CA certificate, consul-agent-ca.pem, contains the public key necessary to validate Consul certificates and therefore must be distributed to every node that runs a consul agent.
The CA key, consul-agent-ca-key.pem, will be used to sign certificates for Consul nodes and must be kept private. Possession of this key allows anyone to run Consul as a trusted server or generate new valid certificates for the datacenter and obtain access to all Consul data, including ACL tokens.

Distribute the certificates

Before configuring the agents, you need to distribute the certificate and key files.

Server certificates

Distribute the following certificates and key files to each of your servers.

The CA certificate may have different names if you are not using Consul's built-in CA. The server certificate and key file should be unique for each server.

Client certificate for operator method

If you are using the operator method, you must also distribute the client certificate and key file to all your clients. Refer to operator method for more details. All clients should have the following certificates and key file.

The CA certificate may have different names if you are not using Consul's built-in CA. The client certificate and key file should be unique for each client.

Configure the servers

Now that you have created the certificates, you can enable TLS on your agents, starting with the servers.

The following example server agent configuration enable TLS. Since Consul will load all files in the configuration directory, you can add the following configuration as new files. You can also add them to an existing configuration file. Verify that the syntax is valid using consul validate.

For the auto encryption method, set auto_encrypt to true.

Consul server agent auto encrypt TLS configuration

verify_incoming = false
verify_outgoing = false
verify_server_hostname = false
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file = "dc1-server-consul-0-key.pem"
auto_encrypt {
  allow_tls = true
}

{
  "verify_incoming": false,
  "verify_outgoing": false,
  "verify_server_hostname": false,
  "ca_file": "consul-agent-ca.pem",
  "cert_file": "dc1-server-consul-0.pem",
  "key_file": "dc1-server-consul-0-key.pem",
  "auto_encrypt": {
    "allow_tls": true
  }
}

Setting the verify options to false on the servers allows you to update all the agents without any downtime since authenticity verification is not enforced. However, leaving the verify settings as false will create an insecure configuration.

Consul server agent manual TLS configuration

verify_incoming = false
verify_outgoing = false
verify_server_hostname = false
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file = "dc1-server-consul-0-key.pem"

{
  "verify_incoming": false,
  "verify_outgoing": false,
  "verify_server_hostname": false,
  "ca_file": "consul-agent-ca.pem",
  "cert_file": "dc1-server-consul-0.pem",
  "key_file": "dc1-server-consul-0-key.pem"
}

When you distribute client certificate, you must set the following options to false to allow existing communication to continue uninterrupted.

This will require a rolling restart on all the servers. Once you have configured your clients, you can then enable verify_incoming, verify_outgoing, and verify_server_hostname on the servers. In addition to the verify options, set the certificates and key file the agent should use.

After you have updated the server configuration, initiate a rolling restart of the servers.

Restart one server at a time and ensure it properly functions before restarting the next. Restart the leader last to avoid downtime.

$ systemctl restart consul

Configure the clients

Now that you have enabled TLS communication on the servers and distributed the certificates, you can configure the clients.

For the auto encryption method, enable auto_encrypt.

Consul client agent auto encrypt TLS configuration

verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
auto_encrypt = {
  tls = true
}

For the operator method, configure the clients to use the operator distributed certificates and key file.

Consul client agent manual TLS configuration

verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-client-consul-0.pem"
key_file = "dc1-client-consul-0-key.pem"

{
  "verify_incoming": false,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "consul-agent-ca.pem",
  "cert_file": "dc1-client-consul-0.pem",
  "key_file": "dc1-client-consul-0-key.pem"
}

You do not need to distribute client certificate using the auto encryption method. Consul service mesh will manage certificate distribution for you.

Restart the Consul clients

Finally, restart the clients. You only need to restart the clients once.

$ systemctl restart consul

Warning

Restarting your Consul server agents with the consul reload command may lead to an outage since this will cause the clients to lose communication to cluster server nodes. To prevent this, adjust the TLS verification settings as prescribed in the following steps.

Reconfigure and reload the servers

For the auto encryption method, update verify_incoming,verify_outgoing, and verify_server_hostname to true.

Consul server agent auto encrypt configuration

verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file = "dc1-server-consul-0-key.pem"
auto_encrypt {
  allow_tls = true
}

{
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "consul-agent-ca.pem",
  "cert_file": "dc1-server-consul-0.pem",
  "key_file": "dc1-server-consul-0-key.pem",
  "auto_encrypt": {
    "allow_tls": true
  }
}

For the operator method, update verify_incoming, verify_outgoing, and verify_server_hostname to true.

Consul server agent manual TLS configuration

verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file = "dc1-server-consul-0-key.pem"

{
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "consul-agent-ca.pem",
  "cert_file": "dc1-server-consul-0.pem",
  "key_file": "dc1-server-consul-0-key.pem"
}

After you reloaded the last Consul agent, your agents will only communicating with TLS.

$ consul reload

You have configured your Consul agents to communicate over TLS.