When enabling auto_encrypt client config contains cert_file and key_file properties and the agent won't start. The template needs to exclude cert_file and key_file in clients mode if auto_encrypt is enabled.

I've also got this problem. I grabbed a copy of your PR, but made a couple changes/fixes to make it more complete.

In the last commit to your fork, you're missing a quote here (endyman@ad262a0#diff-32770839e59ae5da477388c7d674000df855dfcd601cc84471f8362bd24dd8ecR100) that causes the to_nice_json filter to mangle the output.

In the TLS task (https://github.com/ansible-community/ansible-consul/blob/master/tasks/tls.yml#L23-L41), I moved the cert and key tasks into a block that has the same conditional as the config template (except it's using consul_node_role instead of item.config_version) so that it won't break when it can't find the file to copy (which is how I'm using it).

My changes are sitting in a fork right now, but I'm glad to open a PR if someone wants it.