A security engineer discovers that a Consul agent is communicating with the rest of the cluster using an expired TLS certificate. The agent configuration has `verify_outgoing = true` and `verify_incoming = true`. What is the expected behavior when the certificate expires?

Question

Accepted Answer

B. The affected agent will be unable to form new TLS connections with other agents, causing it to be isolated from the cluster. When `verify_outgoing` and `verify_incoming` are both set to `true`, Consul requires valid, non-expired TLS certificates for all agent-to-agent communication. An expired certificate will cause TLS handshake failures, isolating the agent from the cluster. There is no automatic certificate renewal unless Consul's built-in CA with auto-encrypt is configured. Option c is wrong because Consul does not fall back to unencrypted communication when TLS verification is required.

A security engineer discovers that a Consul agent is communicating with the rest of the cluster using an expired TLS certificate. The agent configuration has `verify_outgoing = true` and `verify_incoming = true`. What is the expected behavior when the certificate expires?

Related Questions

Discussion

A security engineer discovers that a Consul agent is communicating with the rest of the cluster using an expired TLS certificate. The agent configuration has verify_outgoing = true and verify_incoming = true. What is the expected behavior when the certificate expires?

Related Questions

Discussion

A security engineer discovers that a Consul agent is communicating with the rest of the cluster using an expired TLS certificate. The agent configuration has `verify_outgoing = true` and `verify_incoming = true`. What is the expected behavior when the certificate expires?