SSL validation error #837

Closed
kyleodonnell opened this issue Apr 2, 2015 · 1 comment
Hello,

I am working on getting the hiera consul module to work via SSL and running into issues. I've removed hiera from my testing and am just focussing on ensuring SSL is working as expected. I am not sure if this is a red herring, but it still seems wrong to me.

I have my own Certificate Authority and created self-signed certs for consul. I have 'verified' these certs work just fine for apache:

# openssl s_client -connect localhost:443 -showcerts

This output looks clean, but when I run the same verification against consul I get this:

# openssl s_client -connect localhost:9443 -showcerts
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
140543348475552:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42
140543348475552:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    Verify return code: 21 (unable to verify the first certificate)

(I have stripped out the identifiers)

Here is my config:

{
    "bootstrap": true,
    "server": true,
    "datacenter": "testDC",
    "data_dir": "/x/i/consul/var/data",
    "encrypt": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "log_level": "DEBUG",
    "enable_syslog": true,
    "ca_file": "/x/i/consul/etc/ssl/ca.cert.pem",
    "cert_file": "/x/i/consul/etc/ssl/consul-server.cert.pem",
    "key_file": "/x/i/consul/etc/ssl/consul-server.key.pem",
    "verify_incoming": true,
    "verify_outgoing": true,
    "ports": {
        "dns": 8600,
        "http": 8500,
        "https": 9443,
        "rpc": 8400,
        "serf_lan": 8301,
        "serf_wan": 8302,
        "server": 8300
    }
}
@kyleodonnell (Author)

Made some progress... it looks like the "cert_file": "/x/i/consul/etc/ssl/consul-server.cert.pem",
must be a bundle of the server cert and CA cert:

cat servercert cacert > server-bundle.cert

hiera/ruby are still struggling though
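The chain-building behaviour behind the two comments above, as an added example that is not part of the issue or of Consul itself. Two things in the original s_client output have separate causes: "unable to verify the first certificate" (verify return code 21) is s_client reporting that it was given no trust anchor, since the command above passes no -CAfile; the later "sslv3 alert bad certificate" (alert 42) is sent by the server, and with "verify_incoming": true Consul requires a client certificate signed by ca_file, which an s_client run without -cert/-key does not present. Whether cert_file must contain more than the leaf depends on whether the client's ca_file already holds the leaf's direct issuer; the script below builds a hypothetical root -> intermediate -> server hierarchy (all names, file paths and the host consul.example.test are made up for the example) so that the bundle is genuinely needed, then checks with openssl verify what a client holding only the root would conclude when the server sends the bare leaf versus the leaf-plus-intermediate bundle.

```shell
#!/bin/sh
# Added example (not from the issue or from Consul): builds a small PKI with an
# intermediate CA and shows why the file a TLS server hands out must carry the
# full chain, using the same openssl tooling the issue uses.
set -eu

# x509v3 extension sections used for the CAs and the leaf (hypothetical SANs).
write_ext_cnf() {
  cat > "$1" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:consul.example.test,IP:127.0.0.1
EOF
}

# Generate a P-256 key and a CSR: $1 = output prefix, $2 = common name.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$1.key.pem" -out "$1.csr" 2>/dev/null
}

# Root -> intermediate -> server. The extra hop is what makes the bundle matter:
# a client that trusts only the root cannot reach it from the leaf alone.
make_pki() {  # $1 = working directory
  d=$1
  write_ext_cnf "$d/ext.cnf"
  new_csr "$d/ca" "Test Root CA"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key.pem" -days 1 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/ca.cert.pem" 2>/dev/null
  new_csr "$d/intermediate" "Test Intermediate CA"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/ca.cert.pem" \
    -CAkey "$d/ca.key.pem" -CAcreateserial -days 1 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/intermediate.cert.pem" 2>/dev/null
  new_csr "$d/consul-server" "consul.example.test"
  openssl x509 -req -in "$d/consul-server.csr" -CA "$d/intermediate.cert.pem" \
    -CAkey "$d/intermediate.key.pem" -CAcreateserial -days 1 \
    -extfile "$d/ext.cnf" -extensions leaf -out "$d/consul-server.cert.pem" 2>/dev/null
  # What a cert_file should contain: the leaf first, then every intermediate.
  cat "$d/consul-server.cert.pem" "$d/intermediate.cert.pem" \
    > "$d/consul-server-bundle.cert.pem"
}

# Emulate a client that trusts only ca_file ($1), receives the certificates in
# $2 from the server (empty = the server sent nothing but the leaf) and must
# validate leaf $3. Prints OK or FAIL instead of relying on exit status.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Number of PEM certificates in a file: a bare leaf gives 1, a bundle 2 or more.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

main() {
  d=$(mktemp -d)
  make_pki "$d"
  echo "client trusts root, server sends bare leaf:   $(verify_chain "$d/ca.cert.pem" "" "$d/consul-server.cert.pem")"
  echo "client trusts root, server sends leaf bundle: $(verify_chain "$d/ca.cert.pem" "$d/consul-server-bundle.cert.pem" "$d/consul-server.cert.pem")"
  echo "certificates in bundle: $(count_certs "$d/consul-server-bundle.cert.pem")"
  rm -rf "$d"
}
main
```

To inspect what a live server actually sends, run s_client with the trust anchor and a client certificate, for example `openssl s_client -connect localhost:9443 -CAfile ca.cert.pem -cert client.cert.pem -key client.key.pem -showcerts`: the number of "BEGIN CERTIFICATE" blocks in the output is the chain the server presents, and "Verify return code: 0 (ok)" only appears once every issuer between the leaf and ca.cert.pem is either sent by the server or already in -CAfile.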
