I am attempting to configure Vault with Postgresql as its storage with a mutual TLS connection. I am using Vault version 1.9.3 and Posgresql 13.
The storage stanza of the Vault config.hcl is as follows:
storage “postgresql” {
connection_url = “postgres://vault:{password}@{edb-ip-address}:5444/vaultdb?sslmode=verify-ca&sslrootcert=/etc/vault/root.pem&sslcert=/etc/vault/vault_cert.pem&sslkey=/etc/vault/vault_key.pem”
table = “vault_kv_store”
max_parallel = “128”
ha_enabled = “true”
ha_table = “vault_ha_locks”
}
I am unsure what certificate should be set as the sslrootcert. My thought would have been the issuing CA, but when using this or the root CA I get the following error:
Error initializing storage of type postgresql: failed to check for native upsert: pq: couldn’t parse pem in sslrootcert.
I tried to work around this by setting sslrootcert as the Postgresql server certificate, which gives the error:
Error initializing storage of type postgresql: failed to check for native upsert: pq: client certificate can only be checked if a root certificate store is available.
On the Postgresql side, the pg_hba.conf was updated to:
hostssl | all | all | <vault_server_ip> | 255.255.255.255 | scram-sha-256 clientcert=verify-full
I’ve issued certificates for the Postgresql database and stored the server.crt and server.key files in the $PGDATA directory. It is my understanding these are the default values for the certificate and private key and would not need to be set in the postgresql.conf file.
In postgresql.conf, these parameters were added:
ssl = on
ssl_ca_file = root.crt
The root.crt contains the Vault server’s issuing CA.
Any assistance would be appreciated.