Error: "tls: bad certificate" when using a self-signed certificate

I followed the instructions here to set up a vault with a self-signed certificate and am getting this error when attempting to log in. Could anyone suggest possible causes and/or things I might check?

I’m not sure exactly what other details to provide, but I’m trying to log in from the same server on which the vault is running, and I’m using https://127.0.0.1:8200 as my vault_addr.

Those instructions are quite dated. One thing that jumps out to me is that Go, if I’m remembering correctly, dropped support for the CN attribute in the CSR template a while back, and you need to include your subject in the SANs list only.

I’m not sure this will address your issue, but it is worth a try to eliminate a potential issue.

Alternatively, HashiCorp’s guide might be a better one to follow, as it’s probably a bit more with the times, since a lot has changed since 2015 (~ Vault v0.4.0): Vault with Integrated Storage Deployment Guide | Vault - HashiCorp Learn

Edit: CN was deprecated in Go 1.15 (Go 1.15 Release Notes - The Go Programming Language), which means it impacts Vault 1.6.0 and newer (vault/CHANGELOG.md at main · hashicorp/vault · GitHub).

Thanks, Jeff. I tried to follow the instructions there, which told me that I should be able to use a certificate / key generated as part of installation. That didn’t work because I need SANs, so I regenerated my certificate and now I’m getting “certificate signed by unknown authority”, which I thought I had solved before by adding CA:TRUE to basicConstraints. Not quite sure where to go from here, in case you have any other thoughts.

Using -tls-skip-verify got me past this. Hopefully this is a reasonable thing to do on internal servers.

You don’t have much choice: if you want the cert to be checked (which really it should be), then you either need to run your own CA (PKI/PKI Int within Vault) and distribute the cert to each of the clients, or you need to go outside to someone like Let’s Encrypt to get a cert that would be verifiable. We go with the self-hosted CA, but your mileage may vary depending on how easy it is to distribute the CA cert.

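As an added illustration of the two failures discussed in this thread (a CN-only certificate rejected by Go 1.15+, and "certificate signed by unknown authority" when the cert is not in the client's trust store), here is a small Go program that is not from the thread or from Vault: it builds a self-signed cert for a host such as 127.0.0.1 and verifies it with crypto/x509 the way Vault's Go client would. The `Check` function and the hostnames passed to it are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Check builds a self-signed server cert for host and verifies it the way a Go TLS
// client does for VAULT_ADDR=https://host. host is always the CN and is added to the
// SAN extension (IP or DNS) only when withSAN is true; trusted=false leaves the client's
// trust store empty. CN-only -> x509.HostnameError; untrusted -> x509.UnknownAuthorityError.
func Check(host string, withSAN, trusted bool) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // basicConstraints CA:TRUE, as mentioned in the thread
	}
	if ip := net.ParseIP(host); withSAN && ip != nil {
		tmpl.IPAddresses = []net.IP{ip} // IP SAN, e.g. for https://127.0.0.1:8200
	} else if withSAN {
		tmpl.DNSNames = []string{host} // DNS SAN for a hostname
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // the client's trust store, empty by default
	if trusted {
		roots.AddCert(cert) // what distributing the CA cert to each client achieves
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Running `Check("127.0.0.1", false, true)` shows why a SAN-less cert fails even when trusted, while `Check("127.0.0.1", true, false)` reproduces the unknown-authority error from the thread.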