docs: add warning not to enable Consul tls.grpc.verify_incoming (#19970)

Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: https://github.com/hashicorp/nomad/issues/19772 Closes: https://github.com/hashicorp/nomad/issues/16854 Ref: https://github.com/hashicorp/consul/issues/13088
2026-01-01 16:05:42 +03:00 · 2024-02-14 08:56:35 -05:00
parent c364cb5729
commit c1b5850473
1 changed files with 10 additions and 0 deletions
--- a/website/content/docs/configuration/consul.mdx
+++ b/website/content/docs/configuration/consul.mdx
@@ -156,6 +156,16 @@ agents with [`client.enabled`][] set to `true`.
  certificate used for communication between Connect sidecar proxies and Consul
  agents. Will default to the `CONSUL_GRPC_CACERT` environment variable if set.

+  <Warning>
+  
+    Consul does not support incoming TLS verification of Envoy
+    sidecars. You should set `tls.grpc.verify_incoming = false` in your
+    Consul configuration when using Connect. See 
+    [Consul/#13088](https://github.com/hashicorp/consul/issues/13088) for
+    more details.
+    
+  </Warning>
+
 - `share_ssl` `(bool: true)` - Specifies whether the Nomad client should share
  its Consul SSL configuration with Connect Native applications. Includes values
  of `ca_file`, `cert_file`, `key_file`, `ssl`, and `verify_ssl`. Does not