Creating Vault TLS Cluster , operator join issue

Hello,

I was following this guide: Standalone Server with TLS | Vault | HashiCorp Developer

Deployed Vault Helm 1.4.0 with Integrated Storage on my EKS cluster.
I cannot join the pods to the cluster via the vault-0.vault-internal DNS name.
I get this error:

2020-06-03T19:27:07.974Z [INFO] core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2020-06-03T19:27:07.993Z [INFO] core: join attempt failed: error="error during raft bootstrap init call: Put https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge: x509: certificate is valid for vault.vault.svc, not vault-0.vault-internal"
2020-06-03T19:27:07.993Z [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"

It asks me to change the DNS name from vault-0.vault-internal to vault.vault.svc; it means that I will join the cluster, but after it hits the server (round robin).
I was trying to play with the CSR and created this CSR config (added *.vault-internal as an alternative name):

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault
DNS.3 = vault.vault.svc
DNS.4 = vault.vault.svc.cluster.local
DNS.5 = *.vault-internal
IP.1 = 127.0.0.1

It checks the HTTPS connection against the common name I gave it when I created the CSR:

openssl req -new -key "${TMPDIR}/vault.key" -subj "/CN=vault.vault.svc" -out "${TMPDIR}/server.csr" -config "${TMPDIR}/csr.conf"

Any ideas why I get this error?
Thank you :)

To me it seems like you are trying to join to vault-0.vault-internal, but the certificate that this server possesses is issued for vault, vault.vault, vault.vault.svc, vault.vault.svc.cluster.local and *.vault-internal. My suggestion would be to add vault-0.vault-internal to your SANs.

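A quick way to verify a SAN list before re-issuing the certificate is to check it offline against the names Vault nodes will actually present. The checker below is an added example, not code from the original post or from HashiCorp: it parses the [alt_names] section of the openssl CSR config quoted above and reports which required hostnames the resulting certificate would cover, applying the wildcard rule that Go's crypto/x509 (which Vault uses) enforces, namely a single '*' as the whole leftmost label matching exactly one label. The embedded config text and the hostname list are constructed for the example. Run against a SAN list containing only vault.vault.svc it reproduces the mismatch in the log; run against the CSR config it shows vault-0.vault-internal covered by the wildcard, so if the error persists after re-issuing, the pod is still serving the old certificate. Adding the explicit vault-0.vault-internal entry, as the reply suggests, is the safest option either way.

```python
"""Check whether a CSR config's SAN list covers the names Vault nodes use.

Added example (not from the original post or from HashiCorp). The config text
and the required hostnames below are constructed for illustration.
"""
import re

# Constructed copy of the CSR config from the question.
CSR_CONF = """\
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault
DNS.3 = vault.vault.svc
DNS.4 = vault.vault.svc.cluster.local
DNS.5 = *.vault-internal
IP.1 = 127.0.0.1
"""


def parse_alt_names(conf):
    """Return (dns_names, ips) from the [alt_names] section of an openssl config."""
    dns, ips = [], []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "alt_names" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper().startswith("DNS."):
            dns.append(value.lower())
        elif key.upper().startswith("IP."):
            ips.append(value)
    return dns, ips


def san_matches(pattern, host):
    """True if a DNS SAN entry matches host under the rules Go's x509 applies."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label and stands for exactly
    # one label, so label counts must agree and the remaining labels match.
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def san_coverage(required, dns_sans):
    """Map each required hostname to the SAN entry covering it (None if uncovered)."""
    return {
        host: next((san for san in dns_sans if san_matches(san, host)), None)
        for host in required
    }


if __name__ == "__main__":
    dns_names, _ = parse_alt_names(CSR_CONF)
    # Names a three-node raft cluster would present or be joined through.
    needed = ["vault.vault.svc", "vault-0.vault-internal", "vault-1.vault-internal"]
    for host, covered_by in san_coverage(needed, dns_names).items():
        status = f"covered by {covered_by}" if covered_by else "NOT COVERED"
        print(f"{host:32} {status}")
```

The same function explains the log line: san_coverage(["vault-0.vault-internal"], ["vault.vault.svc"]) yields None for the pod name, which is exactly the "certificate is valid for vault.vault.svc, not vault-0.vault-internal" failure. To confirm what the running pod actually serves rather than what the CSR asked for, inspect the certificate presented on port 8200 and compare its DNS SANs with the parsed list.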