Creating consul cluster with gossip encryption enabled


Hemant Gupta

May 5, 2016, 11:34:55 AM
to Consul
I have created a master token using the command below:
 consul keygen
8KPaN7yS3HAWOwRAadc+pQ==

Then, I bootstrapped the server with the following config.json:
{
  "server": true,
  "datacenter": "consul",
  "data_dir": "/var/consul",
  "log_level": "INFO",
  "enable_syslog": true,
  "disable_update_check": true,
  "client_addr": "0.0.0.0",
  "bootstrap": true,
  "leave_on_terminate": true,
  "encrypt": "G74SM8N9NUc4meaHfA7CFg=="
}

The output of the bootstrap server is as follows:
         Node name: 'abcd'
        Datacenter: 'consul'
            Server: true (bootstrap: true)
       Client Addr: 0.0.0.0 (HTTP: 8500, HTTPS: -1, DNS: 8600, RPC: 8400)
      Cluster Addr: x.x.x.x (LAN: 8301, WAN: 8302)
    Gossip encrypt: true, RPC-TLS: false, TLS-Incoming: false
             Atlas: <disabled>


Then, I added a new server as a regular consul server with the following config.json:

{
  "server": true,
  "datacenter": "consul",
  "data_dir": "/var/consul",
  "log_level": "INFO",
  "enable_syslog": true,
  "disable_update_check": true,
  "client_addr": "0.0.0.0",
  "bootstrap": false,
  "leave_on_terminate": true,
  "ui_dir": "/usr/local/bin/consul_ui",
  "check_update_interval": "0s",
  "ports": {
    "dns": 8600,
    "http": 8500,
    "https": 8700,
    "rpc": 8400,
    "serf_lan": 8301,
    "serf_wan": 8302,
    "server": 8300
  },
  "dns_config": {
    "allow_stale": true,
    "enable_truncate": true,
    "only_passing": true,
    "max_stale": "02s",
    "node_ttl": "30s",
    "service_ttl": {
      "*": "10s"
    }
  },
  "advertise_addr": "y.y.y.y",
  "encrypt": "G74SM8N9NUc4meaHfA7CFg==",
  "retry_join": [
    "x.x.x.x",
    "y.y.y.y"
  ]
}

Note: Here, x.x.x.x is the IP address of the bootstrap server and y.y.y.y is the IP address of the regular server.

When I run 'consul members' on y.y.y.y (the regular server), I see only the regular server and not the bootstrap server.
It seems that the regular server is not communicating with the bootstrap server.

Korben Kirscht

Jul 27, 2016, 1:04:25 PM
to Consul
Similar issues here. Our cluster works prior to adding the "encrypt" option to the configuration file. After adding gossip encryption, "consul members" no longer works.

# consul version
Consul v0.6.4
Consul Protocol: 3 (Understands back to: 1)

# Config.json
{
  "bootstrap": true,
  "server": true,
  "datacenter": "*********_us-west-2",
  "data_dir": "/consul",
  "node_name": "us-west-2b_i-******",
  "start_join": ["192.168.xxx.xx", "192.168.xxx.xx", "192.168.xxx.xx"],
  "addresses": {
    "https": "192.168.xxx.xx",
    "http": "192.168.xxx.xx",
    "rpc": "192.168.xxx.xx"
  },
  "advertise_addr": "192.168.xxx.xx",
  "client_addr": "192.168.xxx.xx",
  "encrypt": "vF/HHfP7sU9bDTR8Xr2njQ=="
}

Korben Kirscht

Jul 27, 2016, 1:32:41 PM
to Consul
I just figured out that it was a simple problem. It should have been obvious: by default, "consul members" uses the IP "127.0.0.1". I had moved the addresses to the private IP.

# consul members
Error connecting to Consul agent: dial tcp 127.0.0.1:8400: getsockopt: connection refused

Fixed by:
# export CONSUL_RPC_ADDR="192.168.xxx.75:8400"
# export CONSUL_HTTP_ADDR="192.168.xxx.75:8400"

# consul members
Node                   Address              Status  Type    Build  Protocol  DC
us-west-2b_i-1536ce81  192.168.xxx.75:8301  alive   server  0.6.4  2         xxxxxxxxxxxxx_us-west-2
us-west-2c_i-7e3e5fa3  192.168.xxx.17:8301  alive   server  0.6.4  2         xxxxxxxxxxxxx_us-west-2
us-west-2c_i-7f3e5fa2  192.168.xxx.18:8301  alive   server  0.6.4  2         xxxxxxxxxxxxx_us-west-2
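Both symptoms in this thread (a server that never sees its peers after "encrypt" is set, and a "consul members" that dials 127.0.0.1 while the agent listens only on a private IP) can be caught by checking the config.json files before starting the agents. The following checker is an added example, not code from the thread or from Consul; the sample configs, keys and IPs in it are constructed placeholders modelled on the posts, and it assumes the Consul 0.6 defaults shown in the output above (RPC on 8400, a 16-byte gossip key).

```python
import base64
import binascii
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed sample configs modelled on the thread; keys and IPs are placeholders.
BOOTSTRAP_CONFIG = json.dumps({
    "server": True, "bootstrap": True, "client_addr": "0.0.0.0",
    "encrypt": "G74SM8N9NUc4meaHfA7CFg==",
})
REGULAR_CONFIG = json.dumps({
    "server": True, "bootstrap": False, "client_addr": "192.168.0.75",
    "ports": {"rpc": 8400, "http": 8500}, "encrypt": "vF/HHfP7sU9bDTR8Xr2njQ==",
})

def decode_gossip_key(key: str) -> bytes:
    """Decode an 'encrypt' value; Consul 0.6 requires exactly 16 bytes (what 'consul keygen' emits)."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 16:
        raise ValueError(f"gossip key must decode to 16 bytes, got {len(raw)}")
    return raw

def check_gossip_keys(configs: Dict[str, str]) -> List[str]:
    """Audit agent configs (name -> config.json text) for gossip-key problems.
    Agents with mismatched or missing keys cannot gossip with each other, so
    'consul members' on each one shows only the local node, as in this thread."""
    findings, keys = [], {}
    for name, text in configs.items():
        key = json.loads(text).get("encrypt")
        if key is None:
            findings.append(f"{name}: gossip encryption disabled (no 'encrypt' key)")
            continue
        try:
            keys[name] = decode_gossip_key(key)
        except (ValueError, binascii.Error) as exc:
            findings.append(f"{name}: invalid 'encrypt' value ({exc})")
    if len(set(keys.values())) > 1:
        findings.append("agents use different gossip keys: " + ", ".join(sorted(keys)))
    return findings

def cli_address_hint(config_text: str) -> Optional[str]:
    """The CLI dials 127.0.0.1 by default; if the agent binds only a private IP,
    return the environment variable that points 'consul members' at it."""
    cfg = json.loads(config_text)
    client_addr = cfg.get("client_addr", "127.0.0.1")
    if client_addr == "0.0.0.0" or ipaddress.ip_address(client_addr).is_loopback:
        return None
    rpc_port = cfg.get("ports", {}).get("rpc", 8400)
    return f'CONSUL_RPC_ADDR="{client_addr}:{rpc_port}"'
```

Run check_gossip_keys over every agent's config.json before a rollout; a single differing key is enough to split the cluster, and the agents do not report it through "consul members".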