From 3790770af65ab9f3967c834ca49be1f0a21f0d59 Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Tue, 2 Mar 2021 09:39:46 +1100 Subject: [PATCH 1/4] Update cert creation instruction for Federation The Server certificates used for Federation require the node name in the form of `.server..`. Not having this would throw a `bad tls certificate` error. * Fixed cert create command * Added note to create a wildcard cert (like the ones on Kubernetes) * Fixed numbering --- .../k8s/installation/multi-cluster/vms-and-kubernetes.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 5020063a7..468988c46 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx @@ -31,7 +31,7 @@ kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | base64 -D > consul-agent-ca.pem ``` -and the certificate authority signing key: +2. The certificate authority signing key: ```sh kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | @@ -47,7 +47,7 @@ You can use the `consul tls` commands to generate those certificates: ```sh # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current # directory. -$ consul tls cert create -server -dc=vm-dc +$ consul tls cert create -server -dc=vm-dc -node ==> WARNING: Server Certificates grants authority to become a server and access all state in the cluster including root keys and all ACL tokens. Do not distribute them to production hosts
@@ -57,6 +57,8 @@ $ consul tls cert create -server -dc=vm-dc ==> Saved vm-dc-server-consul-0-key.pem ``` +-> Note the `node` option in the above command. This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, use `-node "*"` instead. + See the help for output of `consul tls cert create -h` to see more options for generating server certificates. From 9e63706d927b3f8638e4cb217b9fff90b6489a85 Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Tue, 2 Mar 2021 09:44:35 +1100 Subject: [PATCH 2/4] Added references to node name --- .../docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 468988c46..e8d7c4372 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx 
@@ -57,7 +57,7 @@ $ consul tls cert create -server -dc=vm-dc -node ==> Saved vm-dc-server-consul-0-key.pem ``` --> Note the `node` option in the above command. This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, use `-node "*"` instead. +-> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. See the help for output of `consul tls cert create -h` to see more options for generating server certificates. From e2f1fa3ccf658a97eed9ff98f37a1789a393651d Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Tue, 2 Mar 2021 10:20:24 +1100 Subject: [PATCH 3/4] Update vms-and-kubernetes.mdx --- .../multi-cluster/vms-and-kubernetes.mdx | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index e8d7c4372..075df8400 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx 
@@ -24,19 +24,19 @@ If your primary datacenter is running on Kubernetes, use the Helm config from th Once installed, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults), you'll need to export the following information from the primary Kubernetes cluster: -1. The certificate authority cert: +* The certificate authority cert: -```sh -kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | - base64 -D > consul-agent-ca.pem -``` + ```sh + kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | + base64 -D > consul-agent-ca.pem + ``` -2. The certificate authority signing key: +* The certificate authority signing key: -```sh -kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | - base64 -D > consul-agent-ca-key.pem -``` + ```sh + kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | + base64 -D > consul-agent-ca-key.pem + ``` With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can create certificates for your servers and clients running on VMs that share the 
@@ -44,18 +44,18 @@ same certificate authority as your Kubernetes servers. You can use the `consul tls` commands to generate those certificates: -```sh -# NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current -# directory. -$ consul tls cert create -server -dc=vm-dc -node -==> WARNING: Server Certificates grants authority to become a - server and access all state in the cluster including root keys - and all ACL tokens. Do not distribute them to production hosts - that are not server nodes. Store them as securely as CA keys. -==> Using consul-agent-ca.pem and consul-agent-ca-key.pem -==> Saved vm-dc-server-consul-0.pem -==> Saved vm-dc-server-consul-0-key.pem -``` + ```sh + # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current + # directory. + $ consul tls cert create -server -dc=vm-dc -node + ==> WARNING: Server Certificates grants authority to become a + server and access all state in the cluster including root keys + and all ACL tokens. Do not distribute them to production hosts + that are not server nodes. Store them as securely as CA keys. + ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem + ==> Saved vm-dc-server-consul-0.pem + ==> Saved vm-dc-server-consul-0-key.pem + ``` -> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. From 0a08c942c8f6877039f674fcf1d71f9aade642a7 Mon Sep 17 00:00:00 2001 
From: Ranjandas Date: Tue, 2 Mar 2021 12:41:08 +1100 Subject: [PATCH 4/4] Add a sample error message --- .../k8s/installation/multi-cluster/vms-and-kubernetes.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 075df8400..3226efd07 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx @@ -57,7 +57,9 @@ You can use the `consul tls` commands to generate those certificates: ==> Saved vm-dc-server-consul-0-key.pem ``` --> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. +-> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. +Not satisfying this requirement would result in the following error in the Consul Server logs: +`[ERROR] agent.server.rpc: TLS handshake failed: conn=from= error="remote error: tls: bad certificate"` See the help for output of `consul tls cert create -h` to see more options for generating server certificates.
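Review bot: In PATCH 1/4, hunk `@@ -47,7 +47,7 @@`, the new command line `$ consul tls cert create -server -dc=vm-dc -node` shows the `-node` flag with no value, so a reader who copies the block verbatim gets a flag that takes an argument but is given none. Show a placeholder value (the node name the server will run with) so the flag is never rendered bare, and keep it consistent with the `-node "*"` form quoted in the note that follows.

Review bot: In PATCH 1/4, hunk `@@ -57,6 +57,8 @@`, the added note offers `-node "*"` as a drop-in alternative without stating the trade-off. The same hunk's output already warns that a server certificate "grants authority to become a server and access all state in the cluster"; a wildcard certificate additionally matches every server name in the datacenter, so one leaked key can impersonate any server and the per-node name check the note describes as a requirement no longer distinguishes between servers. Suggest one sentence saying the per-node name is the stronger option and `"*"` is a convenience for identical servers or unknown node names, not a recommended default.

Review bot: In PATCH 2/4, hunk `@@ -57,7 +57,7 @@`, the added sentence reads "This should be same as the node name"; it should be "This should be the same as the node name", and "nodename" later in the line should be "node name" to match. The sentence would also be clearer if it named which agent is meant, since the page issues certificates for both servers and clients on VMs: the node name of the VM server this certificate is for.

Review bot: In PATCH 3/4, hunk `@@ -44,18 +44,18 @@`, the `consul tls cert create` block is indented by two spaces, but the paragraph that introduces it ("You can use the `consul tls` commands to generate those certificates:") is not a list item, unlike the two blocks re-indented under bullets in the preceding hunk. Leave this block at column 0 so it renders as a top-level block like the rest of the page rather than as a continuation of a list that has already ended.

Review bot: In PATCH 4/4, hunk `@@ -57,7 +57,9 @@`, the added log line has empty `conn=` and `from=` fields as shown, and "remote error: tls: bad certificate" is the message a side logs when the peer rejected the certificate it presented, so this line appears in the logs of the server holding the mis-named certificate, not in the logs of the server that rejected it. Say which server's logs to check, fill the two fields with obvious placeholders, and put the line in a fenced block instead of inline backticks so it wraps cleanly.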