Update creating-certificates.html.md (#4780)

In case `verify_server_hostname` is set in the configuration, Consul checks the certificate against  `server.<datacenter>.<domain>`.

The name suggested by the guide generates errors like the following:
```
2018/10/10 12:42:20 [ERR] consul: Failed to confirm peer status for consul-3: rpc error getting client: failed to get conn: x509: certificate is valid for server.node.consul.labs, localhost, not server.consul.labs. Retrying in 16s...
```

Removing the `node` part from the certificate permits them to work also when that option is set.
This commit is contained in:
danielehc 2018-10-11 14:23:51 +02:00 committed by GitHub
parent 25f04fbd21
commit 40017f5e59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -96,8 +96,8 @@ Consul node be difficult, but using a hostname provides no security or
functional benefits to Consul. To fulfill the desired security properties functional benefits to Consul. To fulfill the desired security properties
(above) Consul certificates are signed with their region and role such as: (above) Consul certificates are signed with their region and role such as:
* `client.node.global.consul` for a client node in the `global` region * `client.global.consul` for a client node in the `global` region
* `server.node.us-west.consul` for a server node in the `us-west` region * `server.us-west.consul` for a server node in the `us-west` region
To create certificates for the client and server in the cluster with To create certificates for the client and server in the cluster with
[cfssl][cfssl], create the following configuration file as `cfssl.json` to increase the default certificate expiration time: [cfssl][cfssl], create the following configuration file as `cfssl.json` to increase the default certificate expiration time:
@ -121,11 +121,11 @@ To create certificates for the client and server in the cluster with
```shell ```shell
# Generate a certificate for the Consul server # Generate a certificate for the Consul server
$ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -config=cfssl.json \ $ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -config=cfssl.json \
-hostname="server.node.global.consul,localhost,127.0.0.1" - | cfssljson -bare server -hostname="server.global.consul,localhost,127.0.0.1" - | cfssljson -bare server
# Generate a certificate for the Consul client # Generate a certificate for the Consul client
$ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -config=cfssl.json \ $ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -config=cfssl.json \
-hostname="client.node.global.consul,localhost,127.0.0.1" - | cfssljson -bare client -hostname="client.global.consul,localhost,127.0.0.1" - | cfssljson -bare client
# Generate a certificate for the CLI # Generate a certificate for the CLI
$ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -profile=client \ $ echo '{"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=consul-ca.pem -ca-key=consul-ca-key.pem -profile=client \