How can I add a custom domain to an SAN for a certificate for consul domains like active.vault.service.consul?

Question

Say one has a service provided by Consul, for which active.[name-of-service].service.consul is the link it provides to the active host leader for that service. How would I properly set up TLS to that .consul domain name?

For example, suppose I have a HashiCorp Vault service, for which HashiCorp Consul provides service discovery with the HashiCorp Consul DNS interface by active.vault.service.consul. If more

I've heard that the "-domain" configuration option can be used to change the TLD from .consul to .somethingelse. Can it be changed to .subdomain.mymaindomain.com and have it still work w/o reaching out to corporate DNS? If so, could one potentially get a real subdomain for a consul/vault service and configure our consul DNS queries to answer under that subdomain. That would allow us to use real, trusted, TLS server certificates for securing communications.

However, without using Consul's CA feature, it seems difficult to actually set up a cert that has active.vault.service.consul on an SAN.

Do I need to use a private CA for this?

Consul has a page on how to set up encryption with TLS, but it seems to be more for authenticating clients than for use with domain names.

Anyway, other than self-signed certificates, how does one get TLS for URIs like https://active.vault.service.consul:8200/sys/health to work properly?

Answer 1

Turns out that not only can you do this, but if set up, allows automation of internal Virtual IP Addresses.

Let's assume your site has the domain nathanbasanese.rocks. And let's say your service is Redis.

You'd add "domain": "consul.nathanbasanese.rocks" to your Consul configuration file, e.g. /etc/consul/config.json.

Then, redirect DNS queries using something like DNSMasq (don't forget to donate!) for anything that uses "consul.nathanbasanese.rocks" as its TLD to go to your Consul server running on localhost.

For example, you could use the following 127.0.0.1#8600 in DNSMasq as the content of your /etc/dnsmasq.d/consulstuff.

  ## This forwards DNS requests to the local Consul agent.
  ## Check the following link for more details about why:
  ## https://www.consul.io/docs/guides/forwarding.html#dnsmasq-setup
server=/consul/127.0.0.1#8600
server=/consul.nathanbasanese.rocks/127.0.0.1#8600

Then, for each node, get a cert with the node's node_name as the cert's CN= value (make sure to configure the node_names to be certifiable by whatever standard gets you through your CA. using the FQDN should be fine, e.g. redis001.nathanbasanese.rocks), and active.redis.service.consul.nathanbasanese.rocks as the top SAN.

If you have 25 Redis behind that Consul responds with their nodename(s) to active.redis.service.consul.nathanbasanese.rocks, well, you're going to need 25 certs. Yay, security.

I've tested this, and it works well enough on servers that have the consul agent with the configuration above.

You can test with the curl -v command, passing the certificate authority's .cer file in to curl's --cacert parameter if you run into problems with trusting a test CA or something.