HashiCorp Vault CLI "bad certificate" error after successful login
I'm trying to issue Vault commands with the CLI from my local machine to my remote Vault server but keep getting a `bad certificate` error.

On the remote Vault server I:

- created an admin policy as outlined here in `admin.hcl`
- wrote it with `vault policy write admin admin.hcl`
- enabled certificate authentication with `vault auth enable cert`
- associated the admin policy just created with a client admin certificate `admin-cert.crt`:

  `vault write auth/cert/certs/user display_name=admin policies=admin certificate=@vault/admin-cert.crt ttl=3600`
Then on my local machine I was able to successfully log in with this command

```
vault login -method=cert -ca-cert=CA.crt -client-cert=admin-cert.crt -client-key=client.key.pem name=user
```
which gave back a token. The output:

```
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                          Value
---                          -----
token                        s.Q2NPAIRwhjNRJqvY8LscgSPy
token_accessor               bQSI8zGJM4zspnlgvu2XEV1z
token_duration               1h
token_renewable              true
token_policies               ["admin" "default"]
identity_policies            []
policies                     ["admin" "default"]
token_meta_authority_key_id  n/a
token_meta_cert_name         user
token_meta_common_name       localhost.com
token_meta_serial_number     4285812225508508199151930131872257251014974781
token_meta_subject_key_id    n/a
```
However, any subsequent Vault CLI commands from my local machine then get back a `tls: bad certificate` error. I don't think my certs are incorrect, as I wouldn't have been able to complete the initial login in the first place. Rather, it looks like I need to turn off the certificate authentication and use the token for my requests with the Vault CLI, because I am able to authenticate into the Vault UI with the token.
Solution 1:[1]
The `-ca-cert` argument value used is for the Vault TLS listener CA certificate, and not the CA that issued the client authentication certificate. Your `-client-cert` is correct, and your `-client-key` is probably also correct, but your `-ca-cert` value should not be the one associated with the authentication engine itself.
Solution 2:[2]
The problem was in the config file.

```hcl
listener "tcp" {
  address = "0.0.0.0:8200"
  /*
   * Configuration required for mutual TLS
   */
  tls_min_version = "tls12"
  tls_cert_file = "/home/ubuntu/vault/vault-cert.crt" // path to pem encoded server certificate
  tls_key_file = "/home/ubuntu/vault/server.key.pem" // path to pem encoded server private key
  tls_require_and_verify_client_cert = "true" // require client certificate from inbound requests
  tls_client_ca_file = "/home/ubuntu/vault/client-CA.crt" // path to client CA cert used to validate client certs
}
```

The `tls_require_and_verify_client_cert` needed to be `false` instead of `true`. I guess this made requests go through mTLS authentication even after logging in and obtaining the Vault token. However, the Vault CLI commands other than `login` don't provide parameters to pass in the certificates needed for mTLS, and so the requests failed with the `tls: bad certificate` error. Turning the mTLS requirement off allows for token authentication of the Vault requests after login.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | minh ly |
