mTLS Encryption
RPC Encryption with TLS
Consul supports using TLS to verify the authenticity of servers and clients. To enable this, Consul requires that all clients and servers have key pairs that are generated by a single Certificate Authority. This can be a private CA, used only internally. The CA then signs keys for each of the agents, as in this tutorial on generating both a CA and signing keys.
Certificates need to be created with x509v3 extendedKeyUsage attributes for both clientAuth and serverAuth since Consul uses a single cert/key pair for both server and client communications.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the verify_outgoing
,
verify_server_hostname
,
and verify_incoming
options, respectively.
If verify_outgoing
is set, agents verify the
authenticity of Consul for outgoing connections. Server nodes must present a certificate signed
by a common certificate authority present on all agents, set via the agent's
ca_file
and ca_path
options. All server nodes must have an appropriate key pair set using cert_file
and key_file
.
If verify_server_hostname
is set, then
outgoing connections perform hostname verification. All servers must have a certificate
valid for server.<datacenter>.<domain>
or the client will reject the handshake. This is
a new configuration as of 0.5.1, and it is used to prevent a compromised client from being
able to restart in server mode and perform a MITM (Man-In-The-Middle) attack. New deployments should set this
to true, and generate the proper certificates, but this is defaulted to false to avoid breaking
existing deployments.
If verify_incoming
is set, the servers verify the
authenticity of all incoming connections. All clients must have a valid key pair set using
cert_file
and
key_file
. Servers will
also disallow any non-TLS connections. To force clients to use TLS,
verify_outgoing
must also be set.
TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP and is secured using a symmetric key. See above for enabling gossip encryption.
Configuring TLS on an existing cluster
As of version 0.8.4, Consul supports migrating to TLS-encrypted traffic on a running cluster without downtime. This process assumes a starting point with no TLS settings configured and involves an intermediate step in order to get to full TLS encryption. Review the Securing RPC Communication with TLS Encryption tutorial for the step-by-step process to configure TLS on a new or existing cluster. Note the call outs there for existing cluster configuration.
Securing your datacenter with TLS encryption is an important step for production deployments. TLS configuration is also a prerequisite of our Security Model. Correctly configuring TLS can be a complex process, especially given the wide range of deployment methodologies. This tutorial will provide you with a production ready TLS configuration for RPC and consensus communication. However, you will need to secure HTTP communication for the CLI and UI separately
Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single Certificate Authority(CA). Clients should also have certificates that are authenticated with the same CA.
If you want to secure service-to-service communication with TLS, review the secure service communication tutorial.
Prerequisites
The certificate generation and distribution steps outlined in this tutorial are meant for new Consul datacenters. All the steps should be completed before you start the agent. Review the Deployment Guide if you're getting started.
If you need to enable TLS encryption on an existing datacenter, review this tutorial and then complete the update Agents to Communicate with TLS tutorial. The tutorial for the existing datacenter includes steps for a zero-downtime update of the agents.
This tutorial is structured in way that you build knowledge with every step. It is recommended to read the whole tutorial before starting with the actual work.
Initialize the built-in CA
One of the first steps to configuring TLS for Consul is generating certificates. In order to prevent unauthorized datacenter access, Consul requires all certificates be signed by the same Certificate Authority (CA). This should be a private CA and not a public one as any certificate signed by this CA will be allowed to communicate with the datacenter.
There are a variety of tools for managing your own CA, like the PKI secret backend in Vault, but for the sake of simplicity this tutorial you will use Consul's built-in TLS helpers to create a CA. You will only need to create one CA for the datacenter. You should generate all certificates on the same node or workstation that is used to create the CA. The node or workstation should be stable, preferably not a Consul agent or a cloud server.
You can create the CA and certificates before starting Consul, as long as you have the Consul binary installed in your path.
$ consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
The CA certificate, consul-agent-ca.pem
, contains the public key necessary to
validate Consul certificates and therefore must be distributed to every node
that runs a consul agent.
The CA key, consul-agent-ca-key.pem
, will be used to sign certificates for Consul
nodes and must be kept private. Possession of this key allows anyone to run Consul as
a trusted server or generate new valid certificates for the datacenter and obtain access to all Consul data, including ACL tokens.
Create the server certificates
Create a server certificate for datacenter dc1
and domain consul
, if your
datacenter or domain is different, remember to use the appropriate flags.
Repeat this process on the same node where you created the CA, until there is an individual certificate for each server. The command can be called over and over again, it will automatically increase the certificate and key numbers. You will need to distribute the certificates to the servers.
$ consul tls cert create -server -dc <dc_name>
Below is an example for datacenter "dc1".
$ consul tls cert create -server -dc dc1
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
In order to authenticate Consul servers, servers are provided with a special
certificate - one that contains server.dc1.consul
in the Common Name
and in the Subject Alternative Name
. If you enable
verify_server_hostname
,
only agents that provide such certificate are allowed to boot as a server.
Without verify_server_hostname = true
an attacker could compromise a Consul
client agent and restart the agent as a server in order to get access to all the
data in your datacenter! This is why server certificates are special, and only
servers should have them provisioned.
NOTE Server keys, like the CA key, must be kept private - they effectively allow access to all Consul data.
Distribute the server certificates
After generating the server certificates, you will need to distribute them to the Consul servers and put their on-disk location in the agent configuration file.
The following files need to be copied to your Consul server:
consul-agent-ca.pem
: CA public certificate.dc1-server-consul-0.pem
: Consul server node public certificate for thedc1
datacenter.dc1-server-consul-0-key.pem
: Consul server node private key for thedc1
datacenter.
Repeat this process until all servers have these three files.
Client certificate distribution
There are two methods for distributing client certificates: auto encryption and operator. We recommend the auto-encryption method to alleviate the client certificate generation and distribution step for operators. This method uses the Connect CA to generate client certificates, which are automatically distributed to all Consul clients.
Use the operator method if you need to use a third-party CA or need more fine-grained control over certificate management. Review the Secure Agent Communication with Existing Certificate Authority tutorial for an example of using OpenSSL as a third-party CA.
This section describes the automated client certificate deployment process in Consul 1.5.2 and newer.
Configure the servers
At the beginning of this tutorial, you created the server certificates and distributed them.
To use auto-encryption to distribute the client certificates, you will need to enable the auto_encrypt
feature. Configure your
servers with the following options.
Note
Consul will load all files in the configuration directory, for the following examples, you can add the configuration
as new files. You can also add them to an existing configuration file, however, you should ensure that the syntax is valid before applying
it to the agent. You can use consul validate
to check configuration validity for
both JSON and HCL files.
Consul server agent auto encrypt TLS configuration
verify_incoming = true
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file = "dc1-server-consul-0-key.pem"
auto_encrypt {
allow_tls = true
}
Notice that in addition to the verify settings, you need to enable allow_tls
. The verify
settings ensure that all communication between servers and clients is verified. When auto_encrypt
is enabled,
verify_outgoing
is enabled by default.
Configure the clients
With auto-encryption, you can configure the Consul servers to automatically distribute certificates to the clients. To use this feature, you will need to configure clients to automatically get the certificates from the server.
Note, this method stores the certificates in memory, they are not persisted.
Configure the clients with the following options.
Consul client agent auto encrypt TLS configuration
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "consul-agent-ca.pem"
auto_encrypt = {
tls = true
}
Start Consul
Now that you have configured your servers and clients, you can start the Consul process.
$ systemctl start consul
Your agents will only be communicating with TLS encryption for RPC and consensus.
Next steps
After completing this tutorial, your agents will be configured with TLS for encrypted communication. With the auto encryption method, your client certificates are managed by the server. With the operator method, you distributed all the certificates, but have a more flexible configuration.
The other prerequisites for a secure Consul deployment are gossip encryption and ACLs with default deny.
Additional TLS encryption resources
For more TLS content review our other tutorials:
Enable TLS encryption on an existing datacenter. Generate TLS certificates with OpenSSL and secure the CLI and UI communication.