My configuration file looks like this:
root@docker-agent:~# cat /etc/vault.d/vault.hcl
cluster_addr = "https://12.0.0.40:8201"
api_addr = "https://12.0.0.40:8200"
cluster_name = "Vault-Test"
disable_mlock = true
ui = true
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/root/vault/certs.d/vault-cert.pem"
  tls_key_file = "/root/vault/certs.d/vault-key.pem"
  tls_client_ca_file = "/root/vault/certs.d/vault-ca.pem"
}
storage "raft" {
  path = "/opt/vault/data"
  node_id = "node-1"
  retry_join {
    leader_tls_servername = "vault.xxxxx.com"
    leader_api_addr = "https://12.0.0.40:8200"
    leader_ca_cert_file = "/root/vault/certs.d/vault-ca.pem"
    leader_client_cert_file = "/root/vault/certs.d/vault-cert.pem"
    leader_client_key_file = "/root/vault/certs.d/vault-key.pem"
  }
}
When I execute vault status, I get this error:
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
Then I performed the following:
export VAULT_ADDR='https://vault.xxxx.com:8200'
export VAULT_CAPATH='/root/vault/certs.d/vault-cert.pem'
It returns the correct result:
root@docker-agent:~# vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.15.6
Build Date         2024-02-28T17:07:34Z
Storage Type       raft
HA Enabled         true
I don’t want to use export at the moment. What should I do?
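
The x509 error quoted in the post appears because an IP address such as 127.0.0.1 is matched only against IP SANs in the certificate, never against DNS SANs or the CN. As an added example (not part of the original post), the script below builds two constructed throwaway certificates for the hypothetical name vault.example.test and checks which addresses each one covers; `make_cert` and `cert_covers` are helper names invented here, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: which addresses does a server certificate actually cover?
# All certificates and names below are constructed samples.

# make_cert <out-prefix> <subjectAltName value>
# Writes <prefix>-key.pem and <prefix>-cert.pem (self-signed, valid 1 day).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vault.example.test" \
    -addext "subjectAltName=$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# cert_covers <cert.pem> <hostname-or-ip>
# Returns 0 if the certificate matches the address the client will dial.
cert_covers() {
  case $2 in
    *:*)       cc_flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) cc_flag=-checkhost ;;  # has a non-digit, non-dot: hostname
    *)         cc_flag=-checkip ;;    # digits and dots only: IPv4 literal
  esac
  # openssl prints "... does match certificate" or "... does NOT match certificate"
  openssl x509 -in "$1" -noout "$cc_flag" "$2" | grep -q 'does match certificate'
}

# Demo: a DNS-only certificate versus one that also lists the loopback IP.
tmp=$(mktemp -d)
make_cert "$tmp/dns-only" "DNS:vault.example.test"
make_cert "$tmp/with-ip" "DNS:vault.example.test,IP:127.0.0.1"
for c in dns-only with-ip; do
  for t in vault.example.test 127.0.0.1; do
    if cert_covers "$tmp/$c-cert.pem" "$t"; then r="covered"; else r="NOT covered"; fi
    echo "$c: $t $r"
  done
done
rm -rf "$tmp"
```

Running `cert_covers` against a real listener certificate with the address the client dials shows in advance whether verification of that address can succeed.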