Basic vault PKI use case not working

I have started a vault server in dev mode.

Started the pki engine at pki and an intermediate PKI CA at pki_int.

I have created a role:

vault write -address="http://0.0.0.0:8200" pki_int/roles/acc1234_tenant3456_pog allowed_domains=www.vaultclient.com cn_validations=hostname enforce_hostnames=false allow_localhost=false allow_ip_sans=false

Reading it back:

/ # vault read pki_int/roles/acc1234_tenant3456_pog
Key                                   Value
---                                   -----
allow_any_name                        false
allow_bare_domains                    false
allow_glob_domains                    false
allow_ip_sans                         false
allow_localhost                       false
allow_subdomains                      false
allow_token_displayname               false
allow_wildcard_certificates           true
allowed_domains                       [www.vaultclient.com]
allowed_domains_template              false
allowed_other_sans
allowed_serial_numbers
allowed_uri_sans
allowed_uri_sans_template             false
basic_constraints_valid_for_non_ca    false
client_flag                           true
cn_validations                        [hostname]
code_signing_flag                     false
country
email_protection_flag                 false
enforce_hostnames                     false
ext_key_usage
ext_key_usage_oids
generate_lease                        false
issuer_ref                            default
key_bits                              2048
key_type                              rsa
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
locality
max_ttl                               0s
no_store                              false
not_after                             n/a
not_before_duration                   30s
organization
ou
policy_identifiers
postal_code
province
require_cn                            true
server_flag                           true
signature_bits                        256
street_address
ttl                                   0s
use_csr_common_name                   true
use_csr_sans                          true
use_pss                               false

But I cannot generate a certificate:

vault write -address="http://0.0.0.0:8200" pki_int/issue/acc1234_tenant3456_pog common_name=www.vaultclient.com

Error writing data to pki_int/issue/acc1234_tenant3456_pog: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/pki_int/issue/acc1234_tenant3456_pog

Code: 400. Errors:

/ # vault write -address="http://0.0.0.0:8200" pki_int/issue/acc1234_tenant3456_pog common_name=vaultclient

Error writing data to pki_int/issue/acc1234_tenant3456_pog: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/pki_int/issue/acc1234_tenant3456_pog

Code: 400. Errors:

  • common name vaultclient not allowed by this role

I have tried every single thing I can think of: disabling cn_validations, enabling them back, disabling localhost, disabling ip_sans, using vaultclient, www.vaultclient.com and vault-client as allowed_domains to test different formats, etc …

This is a very basic use case. Why is vault not able to pass “vaultclient” == “vaultclient”? What am I doing wrong?

Second test:

/ # vault write -address="http://0.0.0.0:8200" pki_int/roles/acc1234_tenant3456_pog allowed_domains=www.vaultclient.com cn_validations=disabled enforce_hostnames=false allow_localhost=false allow_ip_sans=false
Success! Data written to: pki_int/roles/acc1234_tenant3456_pog

Reading the role back: cn_validations is disabled now.

/ # vault read pki_int/roles/acc1234_tenant3456_pog
Key                                   Value
---                                   -----
allow_any_name                        false
allow_bare_domains                    false
allow_glob_domains                    false
allow_ip_sans                         false
allow_localhost                       false
allow_subdomains                      false
allow_token_displayname               false
allow_wildcard_certificates           true
allowed_domains                       [www.vaultclient.com]
allowed_domains_template              false
allowed_other_sans                    []
allowed_serial_numbers                []
allowed_uri_sans                      []
allowed_uri_sans_template             false
basic_constraints_valid_for_non_ca    false
client_flag                           true
cn_validations                        [disabled]
code_signing_flag                     false
country                               []
email_protection_flag                 false
enforce_hostnames                     false
ext_key_usage                         []
ext_key_usage_oids                    []
generate_lease                        false
issuer_ref                            default
key_bits                              2048
key_type                              rsa
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
locality                              []
max_ttl                               0s
no_store                              false
not_after                             n/a
not_before_duration                   30s
organization                          []
ou                                    []
policy_identifiers                    []
postal_code                           []
province                              []
require_cn                            true
server_flag                           true
signature_bits                        256
street_address                        []
ttl                                   0s
use_csr_common_name                   true
use_csr_sans                          true
use_pss                               false

Testing it again:

/ # vault write -address="http://0.0.0.0:8200" pki_int/issue/acc1234_tenant3456_pog common_name=vaultclient
Error writing data to pki_int/issue/acc1234_tenant3456_pog: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/pki_int/issue/acc1234_tenant3456_pog
Code: 400. Errors:

* subject alternate name vaultclient not allowed by this role
/ # vault write -address="http://0.0.0.0:8200" pki_int/issue/acc1234_tenant3456_pog common_name=www.vaultclient.com
Error writing data to pki_int/issue/acc1234_tenant3456_pog: Error making API request.

URL: PUT http://0.0.0.0:8200/v1/pki_int/issue/acc1234_tenant3456_pog
Code: 400. Errors:

* subject alternate name www.vaultclient.com not allowed by this role

The only thing that seems to be working is if I set allow_localhost=true and use localhost in the common name field. That's the only case in which I am able to generate a certificate when running vault in dev mode. Is vault dev mode restricted to the “localhost” domain only?

==> Vault server configuration:
vault-server_1  | 
vault-server_1  |              Api Address: http://0.0.0.0:8200
vault-server_1  |                      Cgo: disabled
vault-server_1  |          Cluster Address: https://0.0.0.0:8201
vault-server_1  |    Environment Variables: GODEBUG, HOME, HOSTNAME, PATH, PWD, SHLVL, VAULT_ADDR, VAULT_API_ADDR, VAULT_DEV_ROOT_TOKEN_ID, affinity:container
vault-server_1  |               Go Version: go1.19.4
vault-server_1  |               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
vault-server_1  |                Log Level: info
vault-server_1  |                    Mlock: supported: true, enabled: false
vault-server_1  |            Recovery Mode: false
vault-server_1  |                  Storage: inmem
vault-server_1  |                  Version: Vault v1.12.3, built 2023-02-02T09:07:27Z
vault-server_1  |              Version Sha: 209b3dd99fe8ca320340d08c70cff5f620261f9b

allowed_domains works together with allow_bare_domains, allow_glob_domains, and allow_subdomains.

Since all three of those are set to false here, nothing is allowed.

Should I set at least 2 to true? Say allowed_domains + allow_bare_domains?
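To make the name-policy behaviour from the reply above concrete, here is an added example (not Vault's own code and not part of this thread) that models how a PKI role's allowed_domains list is gated by allow_bare_domains, allow_subdomains and allow_glob_domains, and reproduces the two error messages seen in the thread. It is an approximation written from the observed behaviour: the assumptions are that the common name is checked first (unless cn_validations=disabled), that the CN is also carried into the DNS SAN list and checked there, and that wildcard and IP-SAN handling are left out. The role values (www.vaultclient.com, the role flags) are the ones in the thread; everything else is constructed.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List

# Constructed model of the subset of Vault PKI role flags that govern DNS names.
# This is an illustration of the rule "allowed_domains only matters together with
# allow_bare_domains / allow_subdomains / allow_glob_domains", not Vault's source.
@dataclass
class Role:
    allowed_domains: List[str] = field(default_factory=list)
    allow_bare_domains: bool = False   # name may equal an allowed domain exactly
    allow_subdomains: bool = False     # name may be a label below an allowed domain
    allow_glob_domains: bool = False   # allowed domain may contain '*' glob patterns
    allow_localhost: bool = False      # "localhost" is accepted regardless of the list
    allow_any_name: bool = False       # disables the name policy entirely


def name_allowed(role: Role, name: str) -> bool:
    """Return True if a DNS name passes the role's allowed_domains policy.

    With allowed_domains set but all three allow_* gates False, nothing matches,
    which is exactly the situation in the thread. (Assumed model; wildcard
    certificates and IP SANs are deliberately not handled here.)
    """
    name = name.lower()
    if role.allow_any_name:
        return True
    if role.allow_localhost and name == "localhost":
        return True
    for domain in (d.lower() for d in role.allowed_domains):
        if role.allow_bare_domains and name == domain:
            return True
        if role.allow_subdomains and name.endswith("." + domain):
            return True
        if role.allow_glob_domains and "*" in domain and fnmatch.fnmatchcase(name, domain):
            return True
    return False


def issue_check(role: Role, common_name: str, cn_validations_enabled: bool = True) -> List[str]:
    """Return the policy errors an issue request would hit, in the order the thread shows.

    Assumed ordering: the common name is validated first unless cn_validations is
    disabled; the CN is then also treated as a DNS SAN, so disabling CN validation
    only changes the wording of the rejection, not the outcome.
    """
    errors: List[str] = []
    if cn_validations_enabled and not name_allowed(role, common_name):
        errors.append(f"common name {common_name} not allowed by this role")
        return errors
    if not name_allowed(role, common_name):
        errors.append(f"subject alternate name {common_name} not allowed by this role")
    return errors


def unlocking_flags(role: Role, name: str) -> List[str]:
    """List which single allow_* gate would make `name` acceptable on this role.

    Useful when tightening a role: prefer the narrowest gate that covers the names
    you actually issue, and leave the others off.
    """
    candidates = ["allow_bare_domains", "allow_subdomains", "allow_glob_domains"]
    result = []
    for flag in candidates:
        trial = Role(allowed_domains=list(role.allowed_domains), **{flag: True})
        if name_allowed(trial, name):
            result.append(flag)
    return result


# The role as written in the thread: allowed_domains set, every gate False.
OP_ROLE = Role(allowed_domains=["www.vaultclient.com"])
# The narrowest fix: the exact name www.vaultclient.com is a bare domain match.
FIXED_ROLE = Role(allowed_domains=["www.vaultclient.com"], allow_bare_domains=True)


if __name__ == "__main__":
    for cn in ("www.vaultclient.com", "vaultclient", "localhost"):
        print(cn, "on OP role ->", issue_check(OP_ROLE, cn) or "ok")
        print(cn, "on fixed role ->", issue_check(FIXED_ROLE, cn) or "ok")
    print("flags that would admit www.vaultclient.com:",
          unlocking_flags(OP_ROLE, "www.vaultclient.com"))
```

Read against the thread: www.vaultclient.com is rejected by the original role because no gate is open, and the bare string vaultclient is rejected by every configuration because it is not itself in allowed_domains and is not a subdomain of one. The CLI equivalent of FIXED_ROLE is the role write from the thread with allow_bare_domains=true added; allow_subdomains only becomes necessary for names such as api.www.vaultclient.com, and allow_glob_domains only when the allowed_domains entry itself contains a wildcard pattern, so those can stay off for this use case.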