Enable Vault SSO authentication with Azure OIDC

Good morning!

I'm trying to integrate my Vault with my AD in Azure to enable Single Sign-On for my users when they log in to the vault. However, when making the configuration on the Vault side, I get the following error:

Error writing data to auth/oidc/config: Put "https://127.0.0.1:8200/v1/auth/oidc/config": http: server gave HTTP response to HTTPS client

I get this error when trying to write the OIDC configuration:

vault write auth/oidc/config \
    oidc_client_id="clientID" \
    oidc_client_secret="clientSecret" \
    default_role="azure_role" \
    oidc_discovery_url="microsoft_address"

Below is my .hcl configuration:

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address     = "IP-server:8200"
  tls_disable = 1
}

disable_mlock = true
api_addr = "https://IP-server:8200"

I'm asking for your help because I've tried several options and I keep getting errors.

Thank you very much!

This seems pretty clear to me.

TLS is disabled.

Your vault CLI is set to talk to https://127.0.0.1:8200 (possibly as an implicit default) but your Vault is set up for http, not https. You need to set the VAULT_ADDR environment correctly, so the vault CLI knows what URL to talk to.

I made some changes to my .hcl settings. I followed these steps:

1 - I registered the environment variable with the IP of my vault: export VAULT_ADDR=https://ip-server:8200

2 - I registered the environment variables with the root token: export VAULT_TOKEN=hvs.LXIWRMvQJmx4rFNFpzscZ3G3

My vault.hcl looks like this:


# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration

ui = true

#mlock = true
disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

api_addr = "https://ip-server:8200"


But when trying to issue the command "vault write auth/oidc/config" with the OIDC connection data, I get the following error:

Error writing data to auth/oidc/config: Put "https://ip-server:8200/v1/auth/oidc/config": tls: failed to verify certificate: x509: cannot validate certificate for ip-server because it doesn't contain any IP SANs

If you want to use https, you need to make a certificate that is actually valid for the IP or hostname you will be using in the URL.

If you don’t want to procure such a certificate, turn off TLS and use plain http.
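To make the IP SAN point concrete, here is an added example (not from the thread, not Vault's own code) using the same crypto/x509 package the Vault CLI is built on: it creates a self-signed server certificate with and without an IP SAN and runs the client-side hostname check the CLI performs against the host in VAULT_ADDR. The address 10.0.0.5 stands in for "ip-server", and the function names makeCert and verifyForAddr are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed server cert; withIPSAN controls whether ip lands in the SAN extension.
func makeCert(ip net.IP, withIPSAN bool) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{ip} // the IP SAN the CLI looks for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForAddr does what the Vault CLI's TLS client does with the host part of
// VAULT_ADDR; the cert itself is trusted as a root, as VAULT_CACERT would make it.
func verifyForAddr(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ip := net.ParseIP("10.0.0.5") // constructed stand-in for "ip-server"
	for _, withSAN := range []bool{false, true} {
		cert, _ := makeCert(ip, withSAN)
		fmt.Println("IP SAN present:", withSAN, "->", verifyForAddr(cert, ip.String()))
	}
}
```

The first iteration reproduces the exact "doesn't contain any IP SANs" error from the thread; the second verifies cleanly, which is what a certificate issued for the listener's IP (or a hostname used consistently in VAULT_ADDR) gives you.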