What's the recommended way to renew the CA cert for Consul's TLS (with no down-time)?
This page https://www.consul.io/docs/agent/encryption.html talks about how TLS can be enabled in an existing cluster, but the CA renewal scenario is not included.
Ideally, it should be possible to have the old and new CA temporarily accepted, so we can gradually configure all the consul agents to start using certs signed by the new CA (doing it one by one to avoid downtime). Once all the nodes had been migrated, the old CA would be removed from all nodes.
That could be done by, for example, appending the new CA to the file configured in the setting "ca_file". Would that work?
@javicrespo There is feature request #2584 open to allow for online reloading of certificate data. You should head over there, +1 the feature and add any particular use case information to that issue.
The way I see your particular scenario playing out is that you would configure a ca-path directory and include in it both the old and new ca certs. Then once all the consul nodes have updated certs you would remove the old ca and do another online reload and it would only load the new CA cert.
For now I am going to close this issue as a "duplicate" of #2584
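The overlap-then-cutover plan described above, modelled with Go's standard-library x509 verifier as an added example (not Consul's own code): two CAs and two agent certs are constructed in memory, and `trusted` plays the role of a peer whose roots are the files in its ca_path. CA names, agent hostnames and serials are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign sets validity, has signerKey sign tmpl (self-signed when signer == tmpl) and parses the result.
func sign(tmpl, signer *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey) // errors dropped for brevity; check them in real code
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// makeCA builds a self-signed CA in memory (constructed for the demo, not a real Consul CA).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}
// agentCert issues one agent's TLS certificate (hostname as a SAN) under the given CA.
func agentCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
// trusted is the decision a peer makes when the given CAs (the files in its ca_path) are its only roots.
func trusted(leaf *x509.Certificate, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}
// rotationOutcome walks the plan from the thread (overlap bundle holding both CAs, then the new CA alone) and
// returns (legacy trusted during overlap, migrated trusted during overlap, legacy trusted after cutover).
func rotationOutcome() (bool, bool, bool) {
	oldCA, oldKey := makeCA("consul-ca-old")
	newCA, newKey := makeCA("consul-ca-new")
	legacy := agentCert("agent1.dc1.consul", oldCA, oldKey)   // agent not yet re-issued under the new CA
	migrated := agentCert("agent2.dc1.consul", newCA, newKey) // agent already re-issued
	return trusted(legacy, oldCA, newCA), trusted(migrated, oldCA, newCA), trusted(legacy, newCA)
}
```

The third result is the check to run before dropping the old CA from every node: any agent that still answers with an old-CA-signed cert will be rejected the moment the overlap bundle is reduced to the new CA.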