This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

Vault TLS Certificate authentication method #301

Open
MorganReid opened this issue Oct 8, 2022 · 0 comments

Comments

@MorganReid

Recently I have been learning about Vault's authentication methods, and I plan to use the TLS Certificate Auth Method (API), but I have encountered some problems while trying it out.
I have 4 self-generated certificates locally: clientCA.pem, serverCA.pem, client.pem and server.pem (the CN is test.example.com). Here are the steps involving the certificates.

1: My config.hcl file is as follows:

listener "tcp" {
  address = "[::]:8200"
  tls_cert_file = "/certs/server.pem"
  tls_key_file  = "/certs/server.key"
  tls_disable = false
}

2: Create the CA certificate role:

    curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --cacert clientCA.pem \
    --data '{"display_name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/certs/test-ca

3: Log in with the TLS certificate method:

    curl \
    --request POST \
    --cacert serverCA.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

When executing the second step, an error is reported:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Then I logged in with the root token and used the web interface: I created a test-ca role whose imported certificate is clientCA.pem.
When executing the third step, an error is reported:
curl: (60) SSL certificate problem: unable to get local issuer certificate
When I replace serverCA.pem in the original command with server.pem, the error is:

{"errors":["invalid certificate or no client certificate supplied"]}

    curl \
    --request POST \
    --cacert server.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

When I went to the interface and changed the certificate of test-ca from clientCA.pem to client.pem, the modified curl command executed successfully:

    curl \
    --request POST \
    --cacert server.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

Now I feel that I do not understand the relationship between these certificates. I have consulted a lot of documents, but I still do not understand it. I hope you can help me and provide a solution.
