Worker to Leader - Mutual Auth TLS

ben.obryan
ben.obryan Posts: 5

I opted to have “Authenticate client (mutual auth)” turned on, which is under Distributed Settings > TLS Settings on the leader, and I also read to make sure to put your certs outside $CRIBL_HOME due to the issue of every time a new config version would be pushed it would overwrite the directory and would remove the certs on the workers. So I placed the certs outside $CRIBL_HOME, and on each worker I had distributed and API TLS (each worker has their own cert) enabled and pointing to the same cert.

When I deployed a new config version to the workers, the distributed TLS cert would stay applied, but the API TLS cert would remove itself. This issue doesn't allow me to access each worker independently via their DNS name using TLS/HTTPS. Is there a way to use the same TLS cert for both API and distributed, so that when a new config is deployed they both stay applied?

Answers

  • Jon Rust
    Jon Rust Posts: 475 mod

    To clarify, where are you configuring the Worker level API TLS?

    Not exactly what you asked for, but also check out Teleporting: When it's enabled you can connect to a Worker through the Leader GUI as if you were logged into the Worker directly.

  • ben.obryan
    ben.obryan Posts: 5

    I am configuring the Worker level API TLS from the leader node. I mainly want to have the Worker API TLS enabled so that if the leader is down I will be able to access the workers independently.

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod

    To enable TLS on the workers, you need to enable it under the Worker Group settings.

    Can you check that you have it enabled under the Worker Group? This would be in the worker Group under Group Settings > General Settings > API Server Settings > TLS.

  • ben.obryan
    ben.obryan Posts: 5

    Well I would assume though that if the leader node was down the Worker Group would be inaccessible from the Leader, making the only way to access the workers accessing them independently. That's why I thought adding one cert per Worker (API TLS) directly on them would be the proper way of doing it, but whenever a new config is deployed they get removed.
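The failure described in this thread (the API TLS cert silently reverting on each worker after a config push) is easy to miss until someone tries to reach a worker directly. Below is an added drift check, not Cribl's code and not from any poster, that connects to each worker's API port, takes the SHA-256 fingerprint of the certificate actually presented, and compares it with the cert file kept outside $CRIBL_HOME. The worker hostnames, the API port (9000) and the cert path are constructed placeholders.

```python
import base64
import hashlib
import socket
import ssl

# Constructed placeholders (assumptions, not values from the thread): worker
# names, the worker API port, and the cert kept outside $CRIBL_HOME.
WORKERS = ["worker1.example.internal", "worker2.example.internal"]
API_PORT = 9000
EXPECTED_CERT = "/etc/cribl-certs/worker.pem"


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM block (header/footer lines stripped) to DER bytes."""
    body = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    return fingerprint_der(pem_to_der(pem))


def served_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf cert a TLS endpoint presents, without validating it:
    the point is to observe what is served, even when it is the wrong cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(expected_pem: str, served_der: bytes) -> dict:
    """Verdict for one worker: has the served API cert drifted from the deployed file?"""
    exp, got = fingerprint_pem(expected_pem), fingerprint_der(served_der)
    return {"expected": exp, "served": got, "drifted": exp != got}


def audit(workers, port, expected_path) -> dict:
    """Run the comparison against every worker; connection errors are reported, not raised."""
    with open(expected_path) as f:
        expected_pem = f.read()
    results = {}
    for host in workers:
        try:
            results[host] = compare(expected_pem, served_cert_der(host, port))
        except (OSError, ssl.SSLError) as e:
            results[host] = {"error": str(e)}
    return results


if __name__ == "__main__":
    for host, verdict in audit(WORKERS, API_PORT, EXPECTED_CERT).items():
        print(host, verdict)
```

Running this right after each deploy (or on a schedule) turns the "cert removed itself" symptom into an explicit `drifted: True` per worker, before anyone needs leader-less access.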