Cannot validate certificatebecause it doesn't contain any IP SANs

alon.h · October 27, 2023, 4:58am

Hey, im trying to setup vault over raft storage, with self signed open ssl ( for the raft),
the listener tcp is signed with regular signed certificate if that matters

No matter how many times i try to create certificates with openssl with IP SANS, i cannot get the server to server communication to work without getting the error of “cannot validate certificate for X.X.X.X because it doesn’t contain any IP SANs”

I attached to this message my certifcates specifications (the ones im trying to use for the raft)

This is how my vault config looks like on all 3 nodes ( next message )
ca-info.txt (5.6 KB)
fullchain-infor.txt (6.2 KB)

This is how my vault.hcl looks in all 3 nodes

listener "tcp" {
   address              = "0.0.0.0:8200"
   cluster_address      = "0.0.0.0:8201"
   tls_client_ca_file   = "{{ env "CERTS_PATH" }}/CARoot.pem"
   tls_cert_file        = "{{ env "CERTS_PATH" }}/public.pem"
   tls_key_file         = "{{ env "CERTS_PATH" }}/private.pem"
   tls_disable          = false
}


storage "raft" {
    node_id              = "{{ env "HOST_NAME" }}"                                        # SET NODE ID
    path                 = "C:\\tools\\Vault\\Data"                    # SET DATA FOLDER PATH


    retry_join {
        leader_api_addr = "https://192.168.252.75:8200"
        leader_ca_cert_file = "{{ env "CERTS_PATH" }}/CA.cert.pem"
        leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
        leader_client_key_file = "{{ env "CERTS_PATH" }}/server.key"
    }

    retry_join {
        leader_api_addr = "https://192.168.252.63:8200"
        leader_ca_cert_file = "{{ env "CERTS_PATH" }}/CA.cert.pem"
        leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
        leader_client_key_file = "{{ env "CERTS_PATH" }}/server.key"
    }

    retry_join {
        leader_api_addr = "https://192.168.252.91:8200"
        leader_ca_cert_file = "{{ env "CERTS_PATH" }}/CA.cert.pem"
        leader_client_cert_file = "{{ env "CERTS_PATH" }}/fullchain.pem"
        leader_client_key_file = "{{ env "CERTS_PATH" }}/server.key"
    }

}


cluster_addr            = "https://{{ env "IP" }}:8201"                #SET CLUSTER ADDRESS TO LOCAL HOST # IP OF SERVER
api_addr                = "https://alon-vault.labos.cloud:8200" # URL CUSTOMER
max_lease_ttl           = "10h"
default_lease_ttl       = "10h"
cluster_name            = "vaultcluster"
raw_storage_endpoint    = true
#disable_sealwrap        = true
disable_printable_check = true
disable_cache           = true
disable_mlock           = true
ui                      = true

Please advise !! <3

Regards,