From 3790770af65ab9f3967c834ca49be1f0a21f0d59 Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Tue, 2 Mar 2021 09:39:46 +1100 Subject: [PATCH] Update cert creation instruction for Federation The Server certificates used for Federation require the node name in the form of `.server..`. Not having this would throw a `bad tls certificate` error. * Fixed cert create command * Added note to create a wildcard cert (like the ones on Kubernetes) * Fixed numbering --- .../k8s/installation/multi-cluster/vms-and-kubernetes.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 5020063a7..468988c46 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx @@ -31,7 +31,7 @@ kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | base64 -D > consul-agent-ca.pem ``` -and the certificate authority signing key: +2. The certificate authority signing key: ```sh kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | @@ -47,7 +47,7 @@ You can use the `consul tls` commands to generate those certificates: ```sh # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current # directory. -$ consul tls cert create -server -dc=vm-dc +$ consul tls cert create -server -dc=vm-dc -node ==> WARNING: Server Certificates grants authority to become a server and access all state in the cluster including root keys and all ACL tokens. Do not distribute them to production hosts 
@@ -57,6 +57,8 @@ $ consul tls cert create -server -dc=vm-dc ==> Saved vm-dc-server-consul-0-key.pem ``` +-> Note the `node` option in the above command. This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, use `-node "*"` instead. + See the help for output of `consul tls cert create -h` to see more options for generating server certificates.
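Review bot: In the `@@ -31,7 +31,7 @@` hunk, `+2. The certificate authority signing key:` turns a connective sentence into a numbered list entry, but the step it follows is outside the hunk, so confirm that the preceding CA-certificate step now reads `1.`; otherwise the list starts at 2. Also, the ```sh fence and `kubectl get secrets/consul-ca-key ...` command that follow are unindented, which in Markdown ends the list item instead of nesting the block under it, so indent the fenced block by the width of the list marker if the command is meant to belong to step 2.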
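Review bot: In the `@@ -47,7 +47,7 @@` hunk, the new command `$ consul tls cert create -server -dc=vm-dc -node` shows `-node` with no value, and that flag takes one; as printed, the reader has nothing to substitute and the command will not produce the node-qualified server name the commit message says federation requires. Suggest writing `-node=<server-node-name>` with a sentence stating that the value must be the Consul node name of the server that will use the certificate, since a mismatch reproduces the same `bad tls certificate` failure this patch sets out to fix.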
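Review bot: In the `@@ -57,6 +57,8 @@` hunk, the added note offers `-node "*"` as an alternative without stating what it trades away. The WARNING a few lines earlier says a server certificate grants authority to become a server and to read all state, root keys and ACL tokens, so one wildcard certificate and key shared by every server means that a single compromised server key is accepted for any server name in the datacenter and cannot be revoked per node. Suggest the note say that the wildcard form is a convenience for matching the Kubernetes-side setup, that the per-node form is the safer default, and that the shared key must be protected accordingly.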