I’m attempting to use TLS client auth using a chain from root CA (self-signed, trusted on vault servers and client machines) → intermediate CA (vault’s PKI) → client cert. I am setting up a cert endpoint on the tls auth backend and feeding it my root CA’s cert, and logging in passing a full chain (client cert, interm CA, root CA), but this fails. HOWEVER, if I feed the INTERMEDIATE CA to Vault’s auth endpoint, and then attempt logging in with the same chain, it works fine.
For details see this paste detailing the certs I’m using, and what the results are, first making the attempt with the root CA on the endpoint, then with the intermediate.
Based on the docs at TLS Certificate - Auth Methods - HTTP API | Vault by HashiCorp, quote “If there is a valid chain to a CA configured in the method and all role constraints are matched, a token will be issued.”, I’m understanding that what I’m attempting is legit, and it should be working …
Am I misunderstanding the docs here, or perhaps I’m just bad at TLS (which is a strong possibility :D) ? Can anyone help troubleshoot this ?