backport of commit 8d14e54

hashicorp · Nov 17, 2022 · c461de4 · c461de4
1 parent 26f3a88
commit c461de4
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/website/content/docs/release-notes/1.11.0.mdx b/website/content/docs/release-notes/1.11.0.mdx
@@ -104,7 +104,17 @@ Previously, KMIP did not support certain operations such as import, decrypt, enc
 
 ## Known issues
 
-There are no known issues documented for this release.
+If any version of Consul attempts to use Vault 1.11.0 or later as Consul’s Connect CA provider, the intermediate CA will become unable to issue the leaf certificates needed by:
+
+- Service mesh: Services in the mesh to communicate with mTLS
+- All use cases: Consul client agents if using [auto-encrypt](/consul/docs/agent/config/config-files#auto_encrypt) or [auto-config](/consul/docs/agent/config/config-files#auto_config), and using [TLS to communicate with Consul server agents](/consul/docs/agent/config/config-files#tls-configuration-reference)
+
+You are using the Vault CA provider if either of the following configurations exists:
+
+- The Consul server agent configuration option [connect.ca_provider](/consul/docs/agent/config/config-files#connect_ca_provider) is set to “vault”, or
+- The Consul on Kubernetes Helm Chart [global.secretsBackend.vault.connectCA](/consul/docs/k8s/helm#v-global-secretsbackend-vault-connectca) value is configured.
+
+-> **NOTE:** Refer to the [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more information about the underlying cause and recommended workaround.
 
 ## Feature Deprecations and EOL
 

diff --git a/website/content/docs/secrets/pki/index.mdx b/website/content/docs/secrets/pki/index.mdx
@@ -8,6 +8,14 @@ description: The PKI secrets engine for Vault generates TLS certificates.
 
 @include 'x509-sha1-deprecation.mdx'
 
+!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault
+v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consul’s Connect CA
+provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh,
+and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication.
+If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base
+article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
+more information about the underlying cause and recommended workaround.
+
 The PKI secrets engine generates dynamic X.509 certificates. With this secrets
 engine, services can get certificates without going through the usual manual
 process of generating a private key and CSR, submitting to a CA, and waiting for