Hello! I am trying to create a 2-node cluster with raft storage.
My config:
ui = true
disable_mlock = true

service_registration "consul" {
  address = "127.0.0.1:8500"
  service = "vault"
  service_address = ""
}

storage "raft" {
  path = "/vault/data"
  node_id = "vault_1"

  retry_join {
    leader_api_addr = "https://vault1:8200"
    leader_ca_cert = "/vault/ssl/rootCA.crt"
    leader-client-cert = "/vault/ssl/vault1.crt"
    leader-client-key = "/vault/ssl/vault1.key"
  }
  retry_join {
    leader_api_addr = "https://vault2:8200"
    leader_ca_cert = "/vault/ssl/rootCA.crt"
    leader-client-cert = "/vault/ssl/vault2.crt"
    leader-client-key = "/vault/ssl/vault2.key"
  }
}

listener "tcp" {
  address = "EXTERNAL_IP:8200"
  tls_disable = false
  tls_cert_file = "/vault/ssl/vault1.crt"
  tls_key_file = "/vault/ssl/vault1.key"
  tls_client_ca_file = "/vault/ssl/rootCA.crt"
  tls_require_and_verify_client_cert = false
  tls_disable_client_certs = true
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = false
  tls_cert_file = "/vault/ssl/vault1.crt"
  tls_key_file = "/vault/ssl/vault1.key"
  tls_client_ca_file = "/vault/ssl/rootCA.crt"
  tls_require_and_verify_client_cert = false
}

api_addr = "https://127.0.0.1:8200"
cluster_addr = "https://vault1:8201"
log_level = "Debug"
The first node is unsealed and works fine, but I can't join the second node. In the logs I see this error:
x509: certificate signed by unknown authority
I also use these envs:
VAULT_CACERT=/vault/ssl/rootCA.crt
VAULT_SKIP_VERIFY=true
Manual for cert creation: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
Funny thing: if I init and unseal the second node (creating a separate raft cluster) and then run
vault operator raft join "https://vault1:8200"
it shows me a "Joined ok" message, but there are no changes in the peer-list command output on the first node.
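A small lint for the retry_join stanzas in a config like the one above, added here as an example and not part of the original post. It checks each key against the parameters documented for Vault's raft storage retry_join stanza (the `*_file` keys take file paths; the bare `leader_ca_cert`, `leader_client_cert` and `leader_client_key` keys take inline PEM text) and runs over a constructed copy of the posted stanzas next to a corrected one.

```python
import re

# retry_join parameters documented for Vault's raft storage backend.
FILE_KEYS = {"leader_ca_cert_file", "leader_client_cert_file", "leader_client_key_file"}
PEM_KEYS = {"leader_ca_cert", "leader_client_cert", "leader_client_key"}
OTHER_KEYS = {"leader_api_addr", "leader_tls_servername",
              "auto_join", "auto_join_scheme", "auto_join_port"}
KNOWN = FILE_KEYS | PEM_KEYS | OTHER_KEYS

STANZA_RE = re.compile(r"retry_join\s*\{(.*?)\}", re.S)   # no nested braces inside
KV_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"([^"]*)"\s*$', re.M)

def lint_retry_join(hcl: str) -> list:
    """Return (stanza_index, key, problem) for each suspicious retry_join line."""
    findings = []
    for i, stanza in enumerate(STANZA_RE.finditer(hcl)):
        for key, value in KV_RE.findall(stanza.group(1)):
            looks_pem = value.lstrip().startswith("-----BEGIN")
            if key not in KNOWN:
                hint = key.replace("-", "_")          # hyphens are not the documented spelling
                hint = hint + "_file" if hint in PEM_KEYS else hint
                findings.append((i, key, f"unknown key; did you mean {hint}?"))
            elif key in PEM_KEYS and not looks_pem:
                findings.append((i, key, f"expects inline PEM, got a path; use {key}_file"))
            elif key in FILE_KEYS and looks_pem:
                findings.append((i, key, "expects a file path, got inline PEM"))
    return findings

# Constructed samples: the stanzas as posted, and one corrected stanza.
POSTED = """
retry_join {
  leader_api_addr = "https://vault1:8200"
  leader_ca_cert = "/vault/ssl/rootCA.crt"
  leader-client-cert = "/vault/ssl/vault1.crt"
  leader-client-key = "/vault/ssl/vault1.key"
}
retry_join {
  leader_api_addr = "https://vault2:8200"
  leader_ca_cert = "/vault/ssl/rootCA.crt"
  leader-client-cert = "/vault/ssl/vault2.crt"
  leader-client-key = "/vault/ssl/vault2.key"
}
"""
CORRECTED = """
retry_join {
  leader_api_addr = "https://vault1:8200"
  leader_ca_cert_file = "/vault/ssl/rootCA.crt"
  leader_client_cert_file = "/vault/ssl/vault1.crt"
  leader_client_key_file = "/vault/ssl/vault1.key"
}
"""

if __name__ == "__main__":
    for stanza_idx, key, problem in lint_retry_join(POSTED):
        print(f"retry_join #{stanza_idx}: {key}: {problem}")
    print("corrected stanza findings:", lint_retry_join(CORRECTED))
```

Run it with the real config in place of POSTED; a clean result from the lint does not prove the CA actually signed the leader's certificate, so `x509: certificate signed by unknown authority` can still come from the certificate files themselves.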