
Consul Connect can't initialize with Vault 1.10.0 #14863

Closed
voanhduy1512 opened this issue Apr 3, 2022 · 1 comment · Fixed by #14875

Comments


voanhduy1512 commented Apr 3, 2022

Environment:

  • Vault Version: v1.10.0
  • Consul Version: v1.11.4
  • Operating System/Architecture: NixOS 21.11/x86_64-linux

Consul Config File:

connect {
  enabled = true
  ca_provider = "vault"
  ca_config {
    address = "http://localhost:8200"
    token = "root token from vault server -dev  log"
    root_pki_path = "connect_ca"
    intermediate_pki_path = "connect_intermediate"
  }
}

Expected Behavior:
Consul will initialize Connect with Vault as CA Provider

Actual Behavior:
Consul throws error message and can't initialize Connect CA

consul agent -dev -config-file consul.hcl

==> Starting Consul agent...
           Version: '1.11.4'
           Node ID: 'df8c57a8-09cb-6d8c-5f40-e3b8637e4948'
         Node name: 'N1'
        Datacenter: 'dc1' (Segment: '<all>')
            Server: true (Bootstrap: false)
       Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
      Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
           Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:

2022-04-03T22:36:40.988+0800 [INFO]  agent.server.raft: initial configuration: index=1 servers="[{Suffrage:Voter ID:df8c57a8-09cb-6d8c-5f40-e3b8637e4948 Address:127.0.0.1:8300}]"
2022-04-03T22:36:40.988+0800 [INFO]  agent.server.raft: entering follower state: follower="Node at 127.0.0.1:8300 [Follower]" leader=
2022-04-03T22:36:40.989+0800 [INFO]  agent.server.serf.wan: serf: EventMemberJoin: N1.dc1 127.0.0.1
2022-04-03T22:36:40.989+0800 [INFO]  agent.server.serf.lan: serf: EventMemberJoin: N1 127.0.0.1
2022-04-03T22:36:40.989+0800 [INFO]  agent.router: Initializing LAN area manager
2022-04-03T22:36:40.989+0800 [WARN]  agent: grpc: addrConn.createTransport failed to connect to {dc1-127.0.0.1:8300 0 N1 <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 127.0.0.1:0->127.0.0.1:8300: operation was canceled". Reconnecting...
2022-04-03T22:36:40.989+0800 [INFO]  agent.server: Adding LAN server: server="N1 (Addr: tcp/127.0.0.1:8300) (DC: dc1)"
2022-04-03T22:36:40.989+0800 [INFO]  agent: Started DNS server: address=127.0.0.1:8600 network=udp
2022-04-03T22:36:40.989+0800 [INFO]  agent: Started DNS server: address=127.0.0.1:8600 network=tcp
2022-04-03T22:36:40.989+0800 [INFO]  agent.server: Handled event for server in area: event=member-join server=N1.dc1 area=wan
2022-04-03T22:36:40.989+0800 [WARN]  agent: grpc: addrConn.createTransport failed to connect to {dc1-127.0.0.1:8300 0 N1 <nil>}. Err :connection error: desc = "transport: Error while dialing dial tcp 127.0.0.1:0->127.0.0.1:8300: operation was canceled". Reconnecting...
2022-04-03T22:36:40.990+0800 [INFO]  agent: Starting server: address=127.0.0.1:8500 network=tcp protocol=http
2022-04-03T22:36:40.990+0800 [WARN]  agent: DEPRECATED Backwards compatibility with pre-1.9 metrics enabled. These metrics will be removed in a future version of Consul. Set `telemetry { disable_compat_1.9 = true }` to disable them.
2022-04-03T22:36:40.990+0800 [INFO]  agent: Started gRPC server: address=127.0.0.1:8502 network=tcp
2022-04-03T22:36:40.990+0800 [INFO]  agent: started state syncer
2022-04-03T22:36:40.990+0800 [INFO]  agent: Consul agent running!
2022-04-03T22:36:41.038+0800 [WARN]  agent.server.raft: heartbeat timeout reached, starting election: last-leader=
2022-04-03T22:36:41.038+0800 [INFO]  agent.server.raft: entering candidate state: node="Node at 127.0.0.1:8300 [Candidate]" term=2
2022-04-03T22:36:41.038+0800 [DEBUG] agent.server.raft: votes: needed=1
2022-04-03T22:36:41.038+0800 [DEBUG] agent.server.raft: vote granted: from=df8c57a8-09cb-6d8c-5f40-e3b8637e4948 term=2 tally=1
2022-04-03T22:36:41.038+0800 [INFO]  agent.server.raft: election won: tally=1
2022-04-03T22:36:41.038+0800 [INFO]  agent.server.raft: entering leader state: leader="Node at 127.0.0.1:8300 [Leader]"
2022-04-03T22:36:41.038+0800 [INFO]  agent.server: cluster leadership acquired
2022-04-03T22:36:41.038+0800 [INFO]  agent.server: New leader elected: payload=N1
2022-04-03T22:36:41.039+0800 [INFO]  agent.leader: started routine: routine="federation state anti-entropy"
2022-04-03T22:36:41.039+0800 [INFO]  agent.leader: started routine: routine="federation state pruning"
2022-04-03T22:36:41.039+0800 [DEBUG] agent.server.autopilot: autopilot is now running
2022-04-03T22:36:41.039+0800 [DEBUG] agent.server.autopilot: state update routine is now running
2022-04-03T22:36:41.048+0800 [ERROR] connect.ca: Failed to initialize Connect CA: error="error generating intermediate cert: Error making API request.

URL: PUT http://localhost:8200/v1/connect_intermediate/roles/leaf-cert
Code: 400. Errors:

* unsupported hash signature algorithm: 0"
2022-04-03T22:36:41.048+0800 [INFO]  agent.leader: started routine: routine="CA initialization"
2022-04-03T22:36:41.048+0800 [INFO]  agent.leader: started routine: routine="CA root pruning"
2022-04-03T22:36:41.048+0800 [INFO]  agent.leader: started routine: routine="CA root expiration metric"
2022-04-03T22:36:41.048+0800 [INFO]  agent.leader: started routine: routine="CA signing expiration metric"
2022-04-03T22:36:41.048+0800 [INFO]  agent.leader: started routine: routine="virtual IP version check"
2022-04-03T22:36:41.048+0800 [WARN]  agent.server.connect: failed to emit certificate expiry metric: metric=mesh.active-signing-ca.expiry error="no active root CA"
2022-04-03T22:36:41.048+0800 [WARN]  agent.server.connect: failed to emit certificate expiry metric: metric=mesh.active-root-ca.expiry error="no active root CA"
2022-04-03T22:36:41.048+0800 [DEBUG] agent.server: successfully established leadership: duration=10.075297ms
2022-04-03T22:36:41.049+0800 [INFO]  agent.server: member joined, marking health alive: member=N1 partition=default
2022-04-03T22:36:41.049+0800 [DEBUG] agent.leader: stopping routine: routine="virtual IP version check"
2022-04-03T22:36:41.049+0800 [DEBUG] agent.leader: stopped routine: routine="virtual IP version check"
2022-04-03T22:36:41.052+0800 [ERROR] connect.ca: Failed to initialize Connect CA: routine="CA initialization" error="error generating intermediate cert: Error making API request.

URL: PUT http://localhost:8200/v1/connect_intermediate/roles/leaf-cert
Code: 400. Errors:

* unsupported hash signature algorithm: 0"
...

Steps to Reproduce:

vault server -dev
consul agent -dev -config-file consul.hcl

Important Factoids:
I can run the setup without any problem using older versions of Vault, e.g. 1.8.6 and 1.9.3. This problem looks like it only starts from 1.10.0.

stevendpclark (Contributor) commented

Hi @voanhduy1512, thanks for filing the issue. We were able to reproduce the issue and are creating a fix for this regression.

For a workaround until the fix gets released, you can manually create/update the role so that the key_type parameter is not any, and set to an appropriate key value. In Consul's default case it would be ec. Assuming the configuration listed above for consul, this would be the Vault command to create the role.

vault write connect_intermediate/roles/leaf-cert allow_any_name=true allowed_uri_sans="spiffe://" key_type="ec" max_ttl="72h0m0s" no_store="true" require_cn="false"
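
The same workaround applied through Vault's HTTP API rather than the CLI, as an added example that is not code from this issue, from Consul or from Vault. The role body mirrors the parameters of the `vault write` command above, and the request goes to the endpoint the Consul log shows failing (PUT /v1/connect_intermediate/roles/leaf-cert). The Vault address default, the VAULT_TOKEN environment variable and the mount path `connect_intermediate` are assumptions taken from the dev setup described in the issue; `classify_error` is a helper written for this example that recognises the "unsupported hash signature algorithm" response from the log.

```python
"""Apply the key_type workaround for the Vault 1.10.0 PKI role regression
over Vault's HTTP API instead of the CLI.

Added example for this issue; not code from the issue, from Consul or from
Vault. The role body mirrors the parameters of the
`vault write connect_intermediate/roles/leaf-cert ...` workaround, and the
endpoint is the one Consul's log shows failing
(PUT /v1/<intermediate_pki_path>/roles/leaf-cert). The Vault address, the
VAULT_TOKEN environment variable and the mount path are assumptions taken
from the dev setup in the issue.
"""
import json
import os
import urllib.error
import urllib.request

# Error text from the Consul log in the issue (Vault 1.10.0 rejecting the role).
REGRESSION_MSG = "unsupported hash signature algorithm"


def key_type_is_safe(key_type):
    """True for the concrete key types; "any" is the value that hits the regression."""
    return key_type in ("ec", "rsa")


def leaf_cert_role(key_type="ec"):
    """Role body equivalent to the workaround command. Consul's default keys are EC."""
    if not key_type_is_safe(key_type):
        raise ValueError(f'key_type {key_type!r} is not a workaround value ("ec" or "rsa")')
    return {
        "allow_any_name": True,
        "allowed_uri_sans": "spiffe://",   # Connect leaf certs carry a SPIFFE URI SAN
        "key_type": key_type,              # must not be "any" on Vault 1.10.0
        "max_ttl": "72h0m0s",
        "no_store": True,
        "require_cn": False,
    }


def role_url(vault_addr, intermediate_pki_path, role="leaf-cert"):
    """URL of the PKI role; matches the URL printed in the Consul error message."""
    return f"{vault_addr.rstrip('/')}/v1/{intermediate_pki_path.strip('/')}/roles/{role}"


def classify_error(status, body):
    """Turn a Vault error response (status, raw body) into a short diagnosis."""
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        errors = [body]
    text = " ".join(str(e) for e in errors)
    if status == 400 and REGRESSION_MSG in text:
        return "vault-1.10.0-key_type-any-regression"
    if status == 403:
        return "permission-denied"
    return f"http-{status}"


def write_role(vault_addr, token, intermediate_pki_path, role_body):
    """PUT the role; Vault answers 204 with an empty body on success."""
    req = urllib.request.Request(
        role_url(vault_addr, intermediate_pki_path),
        data=json.dumps(role_body).encode(),
        method="PUT",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "http://localhost:8200")  # assumed dev-server default
    token = os.environ["VAULT_TOKEN"]                             # assumed; keep tokens out of config files
    status, body = write_role(addr, token, "connect_intermediate", leaf_cert_role("ec"))
    if status == 204:
        print("role leaf-cert written with key_type=ec")
    else:
        print(f"role write failed: {classify_error(status, body)}: {body}")
```

Run it with VAULT_TOKEN set before starting Consul, so the role already exists with `key_type=ec` when Consul's CA initialization reaches it. The config in the issue embeds the dev root token in consul.hcl and talks to Vault over plain HTTP, which is fine for `vault server -dev` but not for anything persistent: there, use a scoped token supplied via the environment and an https address.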

markan added a commit to hashicorp/consul that referenced this issue Apr 8, 2022
Vault hasn't been updated for a while, and we should be testing
against a newer version. I'd update to 1.10.0, but we would run afoul
of hashicorp/vault#14863. We should update
to 1.10.1 as soon as it comes out, or better yet move to using latest.

Signed-off-by: Mark Anderson <[email protected]>