Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: certificate signed by unknown authority

I use Ubuntu 22.04 for the server, and I installed Vault from the zip file on this server. I want to set up production mode, so I made the crt file with this command:

openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" -addext "subjectAltName =IP:127.0.0.1,IP:192.168.90.76,DNS:vault.bank-id.local" -days 3650

and this is my config.hcl

ui = true
mlock = true

disable_mlock = true

storage "file" {
path = "/home/mostafa/vault/data"
}

# HTTP listener
listener "tcp" {
address = "127.0.0.1:8202"
tls_disable = "false"
}
# HTTPS listener

listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = "false"
tls_cert_file = "/home/mostafa/vault/tls/tls.crt"
tls_key_file = "/home/mostafa/vault/tls/tls.key"
}

cluster_addr="http://127.0.0.1:8201"
api_addr="http://127.0.0.1:8200"

but when I run this command

sudo vault status

I see this error

Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: certificate signed by unknown authority

Where did I make a mistake?

That is saying the CLI command doesn’t recognise the CA being used by your server. Take a look at the VAULT_CAPATH environment variable: Commands (CLI) | Vault | HashiCorp Developer

Thanks,
Can I put this path in config.hcl?
And I want this to run at system boot.

I ran this command

export VAULT_CAPATH=/home/mostafa/vault/tls/tls.crt

but I see that error again.

As you’re using a custom certificate, you need to set up your environment variables for Vault.

#The hostname or IP address registered in your certificate for the SAN extension.
export VAULT_ADDR=https://<hostname or IP address>:<port>

#The location of the certificate being used by vault server (can be found in vault.hcl config file)
export VAULT_CACERT=/home/mostafa/vault/tls/tls.crt

OR

#The root directory where your certificates are being stored (can be found in vault.hcl config file)
export VAULT_CAPATH=/home/mostafa/vault/tls/
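
A preflight check for the settings in the answer above, added here as an example and not part of the thread or of Vault: it confirms that the host in VAULT_ADDR is in the certificate's SAN and that VAULT_CACERT (a file) or VAULT_CAPATH (a directory) verifies the certificate. The function names and the demo certificate are constructed for illustration, and the directory case is an approximation that tries each file with openssl rather than reproducing Vault's own loader.

```shell
#!/usr/bin/env bash
# Added example: preflight for the Vault CLI TLS variables from this thread.

# Constructed sample input: self-signed cert with the thread's subject and SANs
# (rsa:2048 and -days 1 only to keep the demo quick).
make_demo_cert() {  # $1 = output directory
  openssl req -out "$1/tls.crt" -new -keyout "$1/tls.key" -newkey rsa:2048 \
    -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" -days 1 -addext \
    "subjectAltName=IP:127.0.0.1,IP:192.168.90.76,DNS:vault.bank-id.local" \
    2>/dev/null
}

# True if file $1 parses as a certificate and verifies server cert $2.
ca_file_trusts() {
  openssl x509 -in "$1" -noout 2>/dev/null &&
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# $1 = PEM copy of the server certificate. Reads VAULT_ADDR, VAULT_CACERT and
# VAULT_CAPATH from the environment, prints a diagnosis, returns 0 on success.
vault_tls_preflight() {
  local cert="$1" host kind=-checkhost f
  case "${VAULT_ADDR:-}" in
    https://*) host="${VAULT_ADDR#https://}" ;;
    *) echo "FAIL: VAULT_ADDR is not an https:// URL"; return 1 ;;
  esac
  host="${host%%/*}"; host="${host%:*}"              # drop path and :port
  case "$host" in *[!0-9.]*) ;; *) kind=-checkip ;; esac  # IPv4 only, no IPv6
  openssl x509 -in "$cert" -noout "$kind" "$host" | grep -q "does match" ||
    { echo "FAIL: $host is not in the certificate SAN"; return 1; }

  if [ -n "${VAULT_CACERT:-}" ]; then
    ca_file_trusts "$VAULT_CACERT" "$cert" ||
      { echo "FAIL: VAULT_CACERT does not verify the server cert"; return 1; }
  elif [ -n "${VAULT_CAPATH:-}" ]; then
    [ -d "$VAULT_CAPATH" ] ||
      { echo "FAIL: VAULT_CAPATH must be a directory, not a file"; return 1; }
    # Approximation: try each file as a CA file; Vault's loader is not reproduced.
    for f in "$VAULT_CAPATH"/*; do
      ca_file_trusts "$f" "$cert" && { echo "OK: trusted via $f"; return 0; }
    done
    echo "FAIL: nothing in VAULT_CAPATH verifies the server cert"; return 1
  else
    echo "FAIL: set VAULT_CACERT or VAULT_CAPATH"; return 1
  fi
  echo "OK: $host matches the SAN and the CA verifies the certificate"
}
```
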

Thanks,
Is my config.hcl correct?
Do I have to edit it?