Jared Kirschner

> If cross signing isn't set during this operation the API rejects it Do you get any relevant log messages when the rejection occurs? Both the Vault and Consul CA...

@reskin89: When you do circle back to this, I thought of a reason why the API might reject the cross-sign request. The Vault ACL token that Consul's Vault CA provider...

@reskin89 : Were the secondary datacenters (with WAN federation) previously coming up fine? The agent TLS PKI is separate from the service mesh PKI, so I wouldn't expect a change...

@reskin89 : The [document you followed](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) is about the agent TLS PKI, which is what Consul server and client agents use to authenticate with each other for RPC communication. That's...

@reskin89 : Just to confirm, did you change the service mesh CA config by calling the CLI or [API endpoint](https://developer.hashicorp.com/consul/api-docs/connect/ca#update-ca-configuration)? Or by changing the agent configuration [ca_config](https://developer.hashicorp.com/consul/docs/agent/config/config-files#connect_ca_config) stanza? I ask...

@nathancoleman : Out of curiosity, what happens if you just add arbitrary key/values to the objects in the `Services` array? I suspect there might just not be validation on adding...

Related to this general issue about improving "ACL not found" error messages: https://github.com/hashicorp/consul/issues/12517

The leadership transfer command will be available starting in Consul 1.15.0!

Hi all, I was just reminded of this issue because of @Ca7Ac1 's latest comment. Thank you for the multiple offers to contribute to this issue! Let me think about...

@im2nguyen, @trujillo-adam: This is finally ready for education team review!