This repository was archived by the owner on Dec 6, 2023. It is now read-only.

Vault TLS Certificate authentication method #301

@MorganReid

Recently I have been learning about Vault's authentication methods, and I plan to use the TLS Certificate Auth Method (API), but I have run into some problems while practising.
I have four self-generated certificates locally: clientCA.pem, serverCA.pem, client.pem and server.pem (the CN is test.example.com). Here are the steps involving the certificates.

1: My config.hcl file is as follows:

    listener "tcp" {
      address = "[::]:8200"
      tls_cert_file = "/certs/server.pem"
      tls_key_file  = "/certs/server.key"
      tls_disable = false
    }

2: Create the CA certificate role

    curl \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --request POST \
        --cacert clientCA.pem \
        --data '{"display_name": "test-ca"}' \
        https://test.example.com:8200/v1/auth/cert/certs/test-ca

3: Log in with the TLS certificate method

    curl \
        --request POST \
        --cacert serverCA.pem \
        --cert client.pem \
        --key clientkey.pem \
        --data '{"name": "test-ca"}' \
        https://test.example.com:8200/v1/auth/cert/login | jq -r ".data"

When executing the second step, an error is reported:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Then I logged in with the root token and used the web interface: I created a test-ca role whose imported certificate is clientCA.pem.
When executing the third step, an error is reported:

curl: (60) SSL certificate problem: unable to get local issuer certificate

When I replace serverCA.pem in the original command with server.pem, the error is:

{"errors":["invalid certificate or no client certificate supplied"]}

    curl \
        --request POST \
        --cacert server.pem \
        --cert client.pem \
        --key clientkey.pem \
        --data '{"name": "test-ca"}' \
        https://test.example.com:8200/v1/auth/cert/login | jq -r ".data"

When I went to the web interface and changed the certificate of test-ca from clientCA.pem to client.pem, the modified curl command executed successfully:

    curl \
        --request POST \
        --cacert server.pem \
        --cert client.pem \
        --key clientkey.pem \
        --data '{"name": "test-ca"}' \
        https://test.example.com:8200/v1/auth/cert/login | jq -r ".data"

Now I feel that I do not understand the relationship between these certificates; I have consulted a lot of documentation but still do not understand it. I hope you can help me and provide a solution.
