Cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

I received this error after first run:
Error listing secrets engines: Get "https://127.0.0.1:8200/v1/sys/mounts": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

I cannot run the vault command.
What may cause this?

The certificate you have defined in the server configuration on your Vault server doesn't include 127.0.0.1 as one of the valid names in the definition. If you generated the certificate yourself, take a look at your .crt file to see what names it does have defined.

Hi,
I'm currently an intern and I'm encountering the same problem. I would like to know if I need to change the address of my listener "tcp" to 127.0.0.1:8200. If I do this, is it likely to crash my config?

Change it in your config as so:

    listener "tcp" {
      address = "yourhostname.com:8200"
    }

where yourhostname.com is a name that has a valid SAN in the cert.

I’m writing here for whomever sees this thread in case they’ve come across the same issue as I have:

@gokhan.kocak Your certificate needs to include “127.0.0.1” in the SAN (Subject Alternative Name). But it needs to have an IP Address type of record, not DNS. That’s why it’s called IP SAN. For instance:

            X509v3 Subject Alternative Name:
                DNS:*.node.company.internal, DNS:*.comp-dc-1.company.internal, DNS:localhost, IP Address:127.0.0.1

(openssl x509 -in cert.crt -noout -text)
If you happen to generate your certificate through openssl, you need to explicitly add it as such in the configuration file:

IP.1 = 127.0.0.1

Otherwise, of course, you'll have to understand how the tool you're working with can be configured to add an IP SAN.

If you are generating the certificate yourself using OpenSSL, you specify SAN in your command:
openssl ....... -subj "....." -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

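The error in this thread is produced by Go's crypto/x509 package (the Vault CLI is a Go TLS client), and the rule it enforces is simple: when the host you connect to is an IP literal, only an IP-type SAN entry can match it; DNS entries and the Common Name are never consulted. The following added example is not part of the original thread or of Vault's code. It builds two throwaway self-signed certificates in memory, one with DNS SANs only and one that also carries IP.1 = 127.0.0.1, and runs Go's own hostname check against each so you can see the exact error message from the first post and the passing case side by side. The hostname vault.example.internal and the certificate lifetimes are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate carrying exactly the
// given DNS and IP SAN entries. The key is generated fresh and discarded;
// this is for illustration only, not how you would provision a Vault listener.
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Assumed name; with a SAN extension present, Go ignores the CN for matching.
		Subject:     pkix.Name{CommonName: "vault.example.internal"},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames, // rendered as DNS:... by openssl x509 -text
		IPAddresses: ips,      // rendered as IP Address:... by openssl x509 -text
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost returns the error text a Go TLS client raises when the server
// reached at host presents cert, or "" when the name matches the certificate.
func checkHost(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

// hasIPSAN is the programmatic form of scanning the "IP Address:" entries
// in the Subject Alternative Name extension for the address you connect to.
func hasIPSAN(cert *x509.Certificate, ip string) bool {
	want := net.ParseIP(ip)
	for _, got := range cert.IPAddresses {
		if got.Equal(want) {
			return true
		}
	}
	return false
}

func main() {
	// DNS SANs only: reproduces the error from the first post.
	dnsOnly, err := selfSigned([]string{"localhost", "vault.example.internal"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("DNS-only cert, host 127.0.0.1:", checkHost(dnsOnly, "127.0.0.1"))
	fmt.Println("DNS-only cert, host localhost: ok =", checkHost(dnsOnly, "localhost") == "")

	// Same cert plus an IP SAN (IP.1 = 127.0.0.1 in openssl terms): the check passes.
	withIP, err := selfSigned([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	fmt.Println("IP-SAN cert, host 127.0.0.1: ok =", checkHost(withIP, "127.0.0.1") == "")
	fmt.Println("IP SAN for 127.0.0.1 present:", hasIPSAN(withIP, "127.0.0.1"))
}
```

Note that the DNS-only certificate is perfectly valid for https://localhost:8200; the failure is entirely about which address the client dials. That is why the two fixes in the thread are equivalent: either add an IP SAN for the address you use, or change the listener address (and VAULT_ADDR) to a DNS name the certificate already covers.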