Hashicorp vault cluster TLS errors

Hi all,

Guidance on setting up Vault cluster

I am unable to set up a Vault cluster using Raft storage. My issue is that the cluster is not forming with self-signed certificates.
I get the errors below while starting the Vault service:

Oct 31 11:13:43 node01 vault[63751]: 2023-10-31T11:13:43.271-0400 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node03:8200
Oct 31 11:13:43 node01 vault[63751]: 2023-10-31T11:13:43.272-0400 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node02:8200
Oct 31 11:13:43 node01 vault[63751]: 2023-10-31T11:13:43.280-0400 [ERROR] core: failed to get raft challenge: leader_addr=https://node03:8200 error="error during raft bootstrap init call: Put \"https://node03:8200/v1/sys/storage/raft/bootstrap/challenge\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
Oct 31 11:13:43 node01 vault[63751]: 2023-10-31T11:13:43.284-0400 [ERROR] core: failed to get raft challenge: leader_addr=https://node02:8200 error="error during raft bootstrap init call: Put \"https://node02:8200/v1/sys/storage/raft/bootstrap/challenge\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
Oct 31 11:13:43 node01 vault[63751]: 2023-10-31T11:13:43.284-0400 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
Oct 31 11:13:44 node01 vault[63751]: 2023-10-31T11:13:44.419-0400 [INFO]  http: TLS handshake error from 10.25.5.93:36444: remote error: tls: bad certificate

My config on all nodes is like the one below:

storage "raft" {
    path = "/var/data/vault/data"
    node_id = "node01"
    retry_join {
        leader_api_addr = "https://node02:8200"
        leader_client_cert_file = "/opt/vault/tls/node02_2023_24.crt"
        leader_client_key_file = "/opt/vault/tls/node02_2023_24.key"
    }
    retry_join {
        leader_api_addr = "https://node03:8200"
        leader_client_cert_file = "/opt/vault/tls/node03_2023_24.crt"
        leader_client_key_file = "/opt/vault/tls/node03_2023_24.key"
    }
}

listener "tcp" {
   address = "0.0.0.0:8200"
   tls_cert_file = "/opt/vault/tls/node01_2023_24.crt"
   tls_key_file = "/opt/vault/tls/node01_2023_24.key"

}
api_addr = "https://node01:8200"
cluster_addr = "https://node01:8201"
disable_mlock = true
ui = true
log_level = "trace"
disable_cache = true
cluster_name = "Vaultcluster"

Please advise what I am doing wrong. I generated the certificates using openssl commands.

E.g.: openssl x509 -req -extfile <(printf "subjectAltName=DNS:node01,IP:127.0.0.1") -days 365 -in node01_2023_24.csr -signkey node01_2023_24.key -out node01_2023_24.crt
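The "x509: certificate signed by unknown authority" text in the log is produced by Go's crypto/x509 verifier (Vault is written in Go): the certificate that node02 or node03 presents cannot be chained to any trusted root. A certificate made with `openssl x509 -req ... -signkey` is its own issuer, and nothing in the posted config gives the joining node a trust anchor for it, so the retry_join client falls back to the OS trust store, which has never heard of these nodes. The program below is an added example, not the poster's or HashiCorp's code. It builds the same kind of self-signed node certificate with the same SANs as the openssl command in the post, reproduces the failure with the standard-library verifier, and then shows the same check passing once the node certificates are issued by one cluster CA and that CA is the trust anchor. The CA name, key type and validity periods are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// leafTemplate carries the SANs from the post's openssl command: DNS:<node>,IP:127.0.0.1.
// Key usages are an assumption: a node is a TLS server on its API listener and a TLS
// client when it joins a leader, so both EKUs are set.
func leafTemplate(name string) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SelfSignedNodeCert reproduces `openssl x509 -req ... -signkey node.key`: the leaf is its own issuer.
func SelfSignedNodeCert(name string) *x509.Certificate {
	k := mustKey()
	t := leafTemplate(name)
	return mustCert(x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k))
}

// NewClusterCA creates one private CA (assumed name) that will sign every node certificate.
func NewClusterCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	k := mustKey()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Vault Cluster CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)), k
}

// IssueNodeCert signs a node certificate with the cluster CA instead of with the node's own key.
func IssueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) *x509.Certificate {
	k := mustKey()
	return mustCert(x509.CreateCertificate(rand.Reader, leafTemplate(name), ca, &k.PublicKey, caKey))
}

// PoolWith is the trust store a joining node uses; an empty pool stands in for an OS store
// that knows nothing about the cluster, which is what an unset leader_ca_cert_file amounts to.
func PoolWith(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// VerifyLeader is the check the retry_join client performs against the cert presented at
// leader_api_addr: chain it to a trusted root and match the host from the URL against its SANs.
func VerifyLeader(presented *x509.Certificate, trusted *x509.CertPool, leaderHost string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: leaderHost})
	return err
}

func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func IsHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

func main() {
	// What the post does: each node self-signs and no CA is configured on the joining node.
	node02 := SelfSignedNodeCert("node02")
	fmt.Println("self-signed, no CA configured:", VerifyLeader(node02, PoolWith(), "node02"))

	// The fix: one cluster CA issues the node certs and is the configured trust anchor.
	ca, caKey := NewClusterCA()
	node02 = IssueNodeCert(ca, caKey, "node02")
	fmt.Println("CA-issued, CA trusted:", VerifyLeader(node02, PoolWith(ca), "node02"))

	// Still fails if leader_api_addr uses a host name that is not in the leader cert's SAN.
	fmt.Println("CA-issued, wrong host:", VerifyLeader(node02, PoolWith(ca), "node03"))
}
```

In Vault config terms, the trust anchor the second check relies on is `leader_ca_cert_file` inside each `retry_join` stanza, pointing at the cluster CA certificate (and `tls_client_ca_file` on the listener if the leader is to verify joining nodes too). `leader_client_cert_file` and `leader_client_key_file` are the certificate and key the joining node presents to the leader, so they should be that node's own files rather than the leader's. The last check in the example is the other common failure: the host in `leader_api_addr` has to match a SAN in the leader's certificate.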

@dino.daniel Did you manage to know the root cause?

Hi Mohammedmshokry, I had to rebuild again. The link below helped: