Merge pull request #2608 from hashicorp/f-test-verify_https_client

Test verify_https_client behavior and skip Consul HTTPS health checks when enabled

website/source/docs/agent/configuration/tls.html.md

@@ -54,6 +54,10 @@ the [Agent's Gossip and RPC Encryption](/docs/agent/encryption.html).
   a Nomad client makes the client use TLS for making RPC requests to the Nomad
   servers.
 
+- `verify_https_client` `(bool: false)` - Specifies agents should require
+  client certificates for all incoming HTTPS requests. The client certificates
+  must be signed by the same CA as Nomad.
+
 - `verify_server_hostname` `(bool: false)` - Specifies if outgoing TLS
   connections should verify the server's hostname.
 

website/source/docs/agent/encryption.html.md

@@ -69,9 +69,19 @@ export NOMAD_CACERT=/path/to/ca.pem
 Run any command except `agent` with `-h` to see all environment variables and
 flags. For example: `nomad status -h`
 
-Since HTTPS currently does not validate client certificates you do not need to
+By default HTTPS does not validate client certificates, so you do not need to
 give the command line tool access to any private keys.
 
+### Network Isolation with TLS
+
+If you want to isolate Nomad agents on a network with TLS you need to enable
+both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This
+will cause agents to require client certificates for all incoming HTTPS
+connections as well as verify proper names on all other certificates.
+
+Consul will not attempt to health check agents with `verify_https_client` set
+as it is unable to use client certificates.
+
 ## Encryption Examples
 
 ### TLS Configuration using `cfssl`