Hey, I'm trying to set up Vault over Raft storage with self-signed OpenSSL certificates (for the Raft);
the TCP listener is signed with a regular signed certificate, if that matters.
No matter how many times I try to create certificates with OpenSSL with IP SANs, I cannot get the server-to-server communication to work without getting the error "cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs".
I attached to this message my certificate specifications (the ones I'm trying to use for the Raft).
This is how my Vault config looks on all 3 nodes (next message).
ca-info.txt (5.6 KB)
fullchain-infor.txt (6.2 KB)
This is how my vault.hcl looks on all 3 nodes:
# API listener (8200) and cluster port (8201). The certificate in tls_cert_file
# is what a joining node sees when it connects to this node's leader_api_addr.
listener "tcp" {
  address            = "0.0.0.0:8200"
  cluster_address    = "0.0.0.0:8201"
  tls_client_ca_file = "{{ env "CERTS_PATH" }}/CARoot.pem"
  tls_cert_file      = "{{ env "CERTS_PATH" }}/public.pem"
  tls_key_file       = "{{ env "CERTS_PATH" }}/private.pem"
  tls_disable        = false
}

storage "raft" {
  node_id = "{{ env "HOST_NAME" }}"      # SET NODE ID
  path    = "C:\\tools\\Vault\\Data"      # SET DATA FOLDER PATH

  # Each retry_join dials leader_api_addr over TLS and validates the cert that
  # leader's listener serves against leader_ca_cert_file; the client cert/key
  # pair is presented to that listener.
  retry_join {
    leader_api_addr         = "https://192.168.252.75:8200"
    leader_ca_cert_file     = "{{ env "CERTS_PATH" }}/CA.cert.pem"
    leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
    leader_client_key_file  = "{{ env "CERTS_PATH" }}/server.key"
  }
  retry_join {
    leader_api_addr         = "https://192.168.252.63:8200"
    leader_ca_cert_file     = "{{ env "CERTS_PATH" }}/CA.cert.pem"
    leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
    leader_client_key_file  = "{{ env "CERTS_PATH" }}/server.key"
  }
  retry_join {
    leader_api_addr         = "https://192.168.252.91:8200"
    leader_ca_cert_file     = "{{ env "CERTS_PATH" }}/CA.cert.pem"
    leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
    leader_client_key_file  = "{{ env "CERTS_PATH" }}/server.key"
  }
}

cluster_addr = "https://{{ env "IP" }}:8201"          # SET CLUSTER ADDRESS TO LOCAL HOST # IP OF SERVER
api_addr     = "https://alon-vault.labos.cloud:8200"  # URL CUSTOMER

max_lease_ttl     = "10h"
default_lease_ttl = "10h"
cluster_name      = "vaultcluster"

raw_storage_endpoint    = true
#disable_sealwrap       = true
disable_printable_check = true
disable_cache           = true
disable_mlock           = true
ui                      = true
Please advise!! <3
Regards,
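Added example (editor's addition, not code from the original post or from HashiCorp): a script that mints a self-signed CA and a server certificate carrying IP SANs with openssl, then checks the SAN list the way Vault's retry_join checks it. The check that produces the poster's error runs against the certificate served on the port in leader_api_addr (port 8200 here, i.e. the listener's tls_cert_file), so that certificate, not only the Raft one, must carry the IP it is dialled by, or retry_join must dial a DNS name the certificate does carry (retry_join also accepts leader_tls_servername for that). The IPs and hostname are taken from the posted config; file names, the CA subject and the temporary directory are assumptions. A common way to lose the SANs is shown in the signing step: the CSR's SANs are dropped unless the extension section is passed again to openssl x509.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): CA + IP-SAN server cert with
# openssl, and a SAN check mirroring what retry_join validates.
# IPs/hostname come from the posted config; paths and names are assumptions.
set -eu

# make_ca DIR: self-signed CA key + certificate (explicit config so no
# system openssl.cnf is needed).
make_ca() {
  local dir="$1"
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = vault-raft-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -keyout "$dir/CA.key.pem" -out "$dir/CA.cert.pem" 2>/dev/null
}

# make_server_cert DIR NAME SANS: leaf cert signed by the CA.
# SANS is an openssl list such as "IP:192.168.252.75,DNS:vault-1".
make_server_cert() {
  local dir="$1" name="$2" sans="$3"
  cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $name
[v3_req]
subjectAltName = $sans
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # The CSR's SANs are NOT copied into the cert unless the extension section
  # is passed again at signing time; omitting -extfile/-extensions here is a
  # classic way to end up with a cert that "doesn't contain any IP SANs".
  openssl x509 -req -days 825 -in "$dir/$name.csr" \
    -CA "$dir/CA.cert.pem" -CAkey "$dir/CA.key.pem" -CAcreateserial \
    -extfile "$dir/$name.cnf" -extensions v3_req \
    -out "$dir/$name.pem" 2>/dev/null
}

# leader_host URL: host part of a leader_api_addr such as https://1.2.3.4:8200.
leader_host() {
  local h="${1#*://}"        # drop scheme
  h="${h%%/*}"               # drop any path
  printf '%s\n' "${h%:*}"    # drop port
}

# cert_covers_host CERT HOST: succeed iff HOST is listed in the cert's SANs as
# "IP Address:HOST" or "DNS:HOST". Vault's TLS client makes this same decision.
cert_covers_host() {
  local cert="$1" host="$2" sans esc
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1 || true)
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')
  printf '%s\n' "$sans" | grep -qE "(IP Address|DNS):$esc(,|[[:space:]]|\$)"
}

# verify_chain CA CERT: the chain check leader_ca_cert_file implies.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local dir url host c
  dir=$(mktemp -d)
  make_ca "$dir"
  # Cert for node .75 carrying both its IP and the customer DNS name.
  make_server_cert "$dir" node-75 "IP:192.168.252.75,DNS:alon-vault.labos.cloud"
  # A typical "regular" public cert: DNS name only, no IP SAN.
  make_server_cert "$dir" public "DNS:alon-vault.labos.cloud"
  url=https://192.168.252.75:8200
  host=$(leader_host "$url")
  for c in node-75 public; do
    if cert_covers_host "$dir/$c.pem" "$host"; then
      echo "$c.pem: covers $host, retry_join to $url would validate"
    else
      echo "$c.pem: no SAN for $host, retry_join to $url fails with 'doesn't contain any IP SANs'"
    fi
  done
  verify_chain "$dir/CA.cert.pem" "$dir/node-75.pem" && echo "chain to CA.cert.pem OK"
}

demo
```

Run it with bash; it needs only openssl. To audit the certificates actually deployed, point cert_covers_host at the file named in tls_cert_file on each leader and pass each leader_api_addr host from the retry_join stanzas; any failing pair reproduces the reported error.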