Error checking jwks_ca_pem

Bonjour, :wave:

Before the apocalypse of Nomad 1.9 with Vault integration, I try to understand the Vault token replacement by workload identity.

So I follow this tutorial: Vault ACL with Nomad Workload Identities | Nomad | HashiCorp Developer

I deployed a dev hashistack with TLS and ACL, and the future-old Vault token in the configuration.

I can create the auth method with vault auth enable -path 'jwt-nomad' 'jwt'

But for the next step, I'm stuck.

vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json':

Error writing data to auth/jwt-nomad/config: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/jwt-nomad/config
Code: 400. Errors:

* error checking jwks URL

Because my stack is already using TLS, I tried these changes:

{
  "jwks_url": "https://127.0.0.1:4646/.well-known/jwks.json",
  "jwks_ca_pem": "/etc/ssl/hashistack/hashistack-ca.pem",
  "jwt_supported_algs": ["RS256", "EdDSA"],
  "default_role": "nomad-workloads"
}

I added https to jwks_url and added jwks_ca_pem.

But, new error:

Error writing data to auth/jwt-nomad/config: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/auth/jwt-nomad/config
Code: 400. Errors:

* error checking jwks_ca_pem

I don't understand. I tried different certs (from Vault, from Nomad) in jwks_ca_pem instead. But... same error.

When I tried: curl https://127.0.0.1:4646/.well-known/jwks.json --cacert /etc/ssl/hashistack/hashistack-ca.pem
It works:

{"keys":[{"use":"sig","kty":"RSA","kid":"78fc6cea-e858-b17c-0f85-49cc752c9c80","alg":"RS256","n":"ybJyDkfWd9vvW0lSRP7T_XAjCqh6LMAsclkm0Yb-1KbjMsXHj2QTcweaC4RnypqDXGQLKRdDA9ZyKZAQ94UcSXKlsZaR9Xjjrz4NDb4nFdv_41Pnp-r0cbVzuc1yiGMP_UlNhFzSaMQlDb_g-l1C166Vd8KcgcG2BqnpTywwJf2pmejJeXjMbuRtdb9Udlx32YWlgf1r2YPqUjqsk1coZ4u4z1oZ5N-SQBHlGut7c59iwDlPoJP1BhjVc_HB2SAbMRdVwSl_0qBCVKIIwMTGu0DDn2b2MvqJI2tN4XxRS381jZqgzU0-VWhGhzAK7gV5ad6xLYoneZShydiBMWYEFw","e":"AQAB"}]}

What is the solution?

Thanks, Have great days/holidays! :santa: :christmas_tree:

I found the solution in this topic: Vault & JWT authentication method - #4 by maciejkonigsman

Thanks to @maciejkonigsman ! :partying_face:

Remove line

  "jwks_ca_pem": "/etc/ssl/hashistack/hashistack-ca.pem",

from vault-auth-method-jwt-nomad.json

and

vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json' jwks_ca_pem=@/etc/ssl/hashistack/hashistack-ca.pem
Success! Data written to: auth/jwt-nomad/config

But if someone has an idea to put it in the .json file, I find that cleaner.

Thanks

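The reason the first attempt failed is that jwks_ca_pem expects the certificate text itself, not a path: the @file form on the vault write command line reads the file for you, but inside a JSON file the path is just a string. To keep everything in one .json file, the PEM contents have to be embedded in the value, with the JSON encoder escaping the newlines. The following is an added example (not code from the thread or from HashiCorp) that builds such a config file and refuses a bare path. The helper names and the sample CA certificate are constructed for illustration; the sample PEM is filler base64 with the right shape, not a real certificate.

```python
"""Build a Vault JWT auth-method config JSON with jwks_ca_pem embedded inline.

Assumptions (constructed for this example): helper names are hypothetical,
and SAMPLE_CA_PEM is filler that only has the shape of a PEM certificate.
"""
import json
import re

# One or more concatenated PEM certificates (a CA bundle).
PEM_BUNDLE_RE = re.compile(
    r"(?:-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----\n)+"
)

# Constructed sample: not a real certificate, just base64-looking filler.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUQ0NvbnN0cnVjdGVkU2FtcGxlQ0Ew\n"
    "ZXhhbXBsZS1jYS1mb3ItdGVzdGluZy1vbmx5LW5vdC1yZWFs\n"
    "-----END CERTIFICATE-----\n"
)


def looks_like_pem_bundle(value: str) -> bool:
    """True when `value` is PEM certificate text, False for a path or garbage."""
    if not value:
        return False
    normalized = value.strip() + "\n"
    return PEM_BUNDLE_RE.fullmatch(normalized) is not None


def build_jwt_auth_config(jwks_url: str, ca_pem: str, default_role: str,
                          algs=("RS256", "EdDSA")) -> dict:
    """Return the dict Vault expects at auth/<mount>/config.

    Raises ValueError if ca_pem is not certificate text, which is exactly the
    mistake that produces "error checking jwks_ca_pem" on the Vault side.
    """
    if not looks_like_pem_bundle(ca_pem):
        raise ValueError("jwks_ca_pem must hold PEM certificate text, not a file path")
    return {
        "jwks_url": jwks_url,
        "jwks_ca_pem": ca_pem,
        "jwt_supported_algs": list(algs),
        "default_role": default_role,
    }


def render_config_json(config: dict) -> str:
    """Serialize; json.dumps turns the PEM's newlines into \\n escapes."""
    return json.dumps(config, indent=2)


def load_config_json(text: str) -> dict:
    """Parse the file back; the PEM comes out with real newlines again."""
    return json.loads(text)


def write_config_from_ca_file(jwks_url: str, ca_path: str, default_role: str,
                              out_path: str) -> None:
    """Read the CA file once and write a self-contained JSON config."""
    with open(ca_path, encoding="utf-8") as fh:
        config = build_jwt_auth_config(jwks_url, fh.read(), default_role)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(render_config_json(config))


if __name__ == "__main__":
    cfg = build_jwt_auth_config(
        "https://127.0.0.1:4646/.well-known/jwks.json",
        SAMPLE_CA_PEM,
        "nomad-workloads",
    )
    print(render_config_json(cfg))
```

With a real CA file, write_config_from_ca_file("https://127.0.0.1:4646/.well-known/jwks.json", "/etc/ssl/hashistack/hashistack-ca.pem", "nomad-workloads", "vault-auth-method-jwt-nomad.json") produces a file that vault write auth/jwt-nomad/config @vault-auth-method-jwt-nomad.json can consume on its own, with no extra jwks_ca_pem=@... argument. The path check is the useful part: it fails locally, with a clear message, instead of at the Vault API with a generic 400.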