Add mention of auto_encrypt to mTLS requirements

This commit is contained in:
Kent 'picat' Gruber 2020-11-06 10:15:26 -05:00
parent c3aa90fe27
commit 9e1054097b
1 changed files with 11 additions and 1 deletions

View File

@ -94,7 +94,7 @@ environment and adapt these configurations accordingly.
should almost always be set to true to require mTLS to set up the client for HTTP or gRPC health checks. This was
added in Consul 1.0.1.
- [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be
- [`verify_server_hostname`](/docs/agent/options#verify_server_hostname) - By default this is false, and should be
set to true to require that the TLS certificate presented by the servers matches
`server.<datacenter>.<domain>` hostname for outgoing TLS connections. The default configuration does not verify the
hostname of the certificate, only that it is signed by a trusted CA. This setting is critical to prevent a
@ -105,6 +105,16 @@ environment and adapt these configurations accordingly.
[CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed
in 1.4.1.
- [`auto_encrypt`](/docs/agent/options#auto_encrypt) - Enables automated TLS certificate distribution for client
agent RPC communication using the Connect CA. Using this configuration a [`ca_file`](/docs/agent/options#ca_file)
and ACL token would still need to be distributed to client agents.
- [`allow_tls`](/docs/agent/options#allow_tls) - By default this is false, and should be set to true on server
agents to allow certificates to be automatically generated and distributed from the Connect CA to client agents.
- [`tls`](/docs/agent/options#tls) - By default this false, and should be set to true on client agents to
automatically request a client TLS certificate from the server's Connect CA.
**Example Server Agent TLS Configuration**
```hcl