Customized CA cert for consul client #2307

Closed
buro1983 opened this issue Aug 26, 2016 · 4 comments
Labels
type/enhancement Proposed improvement or new feature

Comments

@buro1983

I am using Consul v0.6.4 and running on FreeBSD. My services are registered with Consul with a health check URL with https. I have created my own ca certificate and placed it at the /etc/ssl/certs/ location. I don't want to place the ca content into the ca-root-nss.crt file.
verify_outgoing is set to true and ca_file is also defined with the location. But the health check URL is not able to connect to my services and is getting the error "x509: certificate signed by unknown authority".

ca_file is configured, but it is getting validated with ca-root-nss.crt, while the expectation is that the validation should be done with the customized ca file location. I have tested with openssl s_client with -CApath (openssl s_client -connect IP:Port -CApath /etc/ssl/certs) and it worked, but I did not find any similar configuration with Consul. I have come across a ticket (hashicorp/vault#378) with the same kind of requirement, but the changes were done for vault.

How do I configure consul so that outgoing requests from consul consider the customized ca-path instead of the system default cert.pem?

@buro1983 buro1983 changed the title Customized CA cert for consul http client Customized CA cert for consul client Aug 26, 2016
@slackpad slackpad added the type/enhancement Proposed improvement or new feature label Sep 20, 2016
@buro1983
Author

I have created a pull request for this enhancement (#2423). The Travis CI build failed because of some existing failures.

@slackpad
Contributor

slackpad commented Nov 3, 2016

The change in #1984 adds the ability to use TLS but skip certificate verification if desired. This is probably a good way to fix this vs. adding the complexity of another CA configuration. If you care about cert verification for your health checks you can set up your system certs, and if you don't you can turn off verification. Please let me know if you have any concerns about this approach!

@slackpad slackpad closed this as completed Nov 3, 2016
@nazario29

nazario29 commented Dec 6, 2021

Just started to use consul and recently decided to get the service endpoints to use SSL, and I'm having the same issue with the health checks to https endpoints - returning Get "https://myserviceurl": x509: certificate signed by unknown authority. On Docker Desktop I'm running a docker-compose with a couple of dotnet applications and consul configured as below:

  consul:
    image: consul
    container_name: consul
    hostname: consul
    ports:
      - '8300:8300'
      - '8301:8301'
      - '8301:8301/udp'
      - '8500:8500'
      - '8501:8501'
      - '8600:8600'
      - '8600:8600/udp'
    volumes:
      - .\Certs:/usr/share/ca-certificates
      - .\consul:/consul/config

I know we can pass the skipTlsverify flag to work around this issue, but what I'm finding odd is that some health checks are actually working, and for all of them one certificate was generated from the same CA root certificate using these commands:

New-SelfSignedCertificate -DnsName "$Hostname" -Signer $RootCA -KeyLength 2048 `
        -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -NotAfter $((Get-Date).AddYears(10)) `
        -CertStoreLocation 'Cert:\LocalMachine\My' -FriendlyName "$Hostname"

I can confirm that the TLS verification is working fine when running consul outside of docker - in my particular case on a Windows VM.
So my question is around the requirements that consul has to actually verify TLS communication on Docker?
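As an added illustration (not code from this issue or from Consul itself), the Go snippet below reproduces the failure both reporters see and the fix slackpad points to: Go's x509 verifier, which Consul's HTTPS health check relies on, only accepts a server certificate that chains to a root in the trusted pool, so a leaf issued by a private CA fails with "x509: certificate signed by unknown authority" until that CA is added to the pool, which is the effect of installing it into the system trust store. The private CA, the leaf for the host "myserviceurl" from the report above, and the helper names newPKI and checkHealthTLS are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues tmpl (carrying pub) signed by signer; parent == tmpl yields a self-signed root.
func newCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newPKI builds a constructed private root CA and a SAN-only leaf cert for the service host "myserviceurl".
func newPKI() (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	svcPub, _, _ := ed25519.GenerateKey(rand.Reader) // the service's key pair; only its public half matters here
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Private Root CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	ca = newCert(caTmpl, caTmpl, caPub, caKey)
	leaf = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"myserviceurl"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca, svcPub, caKey)
	return ca, leaf
}

// checkHealthTLS enforces what Go's TLS client (and so Consul's HTTPS health check) does: chain to a trusted root, and host match.
func checkHealthTLS(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, leaf := newPKI()
	withCA := x509.NewCertPool()
	withCA.AddCert(ca) // the effect of installing the private CA into the client's trust store
	fmt.Println(checkHealthTLS(leaf, x509.NewCertPool(), "myserviceurl")) // x509: certificate signed by unknown authority
	fmt.Println(checkHealthTLS(leaf, withCA, "myserviceurl"))             // <nil>
}
```

Hostname matching runs in the same verification step, so a certificate that chains correctly but was issued for a different name than the one in the check URL still fails.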
