From c1b5850473db8609676b1554e75de812d05250bd Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Wed, 14 Feb 2024 08:56:35 -0500 Subject: [PATCH] docs: add warning not to enable Consul `tls.grpc.verify_incoming` (#19970) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: https://github.com/hashicorp/nomad/issues/19772 Closes: https://github.com/hashicorp/nomad/issues/16854 Ref: https://github.com/hashicorp/consul/issues/13088 --- website/content/docs/configuration/consul.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/website/content/docs/configuration/consul.mdx b/website/content/docs/configuration/consul.mdx index 08bdafc43..e67a72670 100644 --- a/website/content/docs/configuration/consul.mdx +++ b/website/content/docs/configuration/consul.mdx @@ -156,6 +156,16 @@ agents with [`client.enabled`][] set to `true`. certificate used for communication between Connect sidecar proxies and Consul agents. Will default to the `CONSUL_GRPC_CACERT` environment variable if set. + + + Consul does not support incoming TLS verification of Envoy + sidecars. You should set `tls.grpc.verify_incoming = false` in your + Consul configuration when using Connect. See + [Consul/#13088](https://github.com/hashicorp/consul/issues/13088) for + more details. + + + - `share_ssl` `(bool: true)` - Specifies whether the Nomad client should share its Consul SSL configuration with Connect Native applications. Includes values of `ca_file`, `cert_file`, `key_file`, `ssl`, and `verify_ssl`. Does not
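Review bot: The added warning paragraph under the `ca_file` entry tells users what to set but never names the symptom, even though the commit message does (`SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs); since that log line is what operators will be searching for, the warning should include it, e.g. "If `tls.grpc.verify_incoming` is enabled, Envoy sidecars fail to connect and the allocation logs show `SSLV3_ALERT_BAD_CERTIFICATE`." It would also help to state explicitly that this applies only to the gRPC listener block (`tls.grpc`) on the Consul agents that Nomad clients talk to, so readers do not read it as advice to relax `verify_incoming` for Consul's other listeners, and to spell out "Consul Connect" rather than "Connect" in "when using Connect". Minor: the link text `Consul/#13088` reads oddly next to the prose; "consul#13088" or "Consul issue 13088" matches how the rest of the page refers to issues.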