Having a hard time generating valid TLS certs for Vault

Hello, I’ve been getting the same error when running a simple command like vault status no matter how I generated my TLS certs:

Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: certificate signed by unknown authority

From the Vault logs themselves, it’s simply saying:

2021-06-19T17:45:18.097-0700 [INFO]  http: TLS handshake error from 127.0.0.1:45904: remote error: tls: bad certificate

My vault.hcl is:

listener "tcp" {
  tls_cert_file = "/etc/certs/cert.pem"
  tls_key_file  = "/etc/certs/cert-key.pem"
  tls_client_ca_file = "/etc/certs/ca.pem"
}

storage "consul" {
  # Assumes consul is running on the same node
  address = "127.0.0.1:8500"

  path = "vault/"
  token = "<REDACTED>"
}

Here’s how I’ve been generating my certs locally on my workstation.

# Generate CA
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-key.pem -out ca.pem

# Generate cert
openssl req -newkey rsa:4096 -nodes -keyout cert-key.pem -out cert-req.pem

# Sign cert
openssl x509 -req -in cert-req.pem -days 60 -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile ext.cnf

Note that ext.cnf is just

subjectAltName=IP:127.0.0.1

What am I doing wrong here? I’ve also pasted the actual certs I’ve generated below for further reference. Thanks, any help is much appreciated!

# ca.pem

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

# cert.pem

-----BEGIN CERTIFICATE-----
MIIFJDCCAwygAwIBAgIJAJBHTY81NqhlMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCTEExCzAJBgNVBAoMAkxBMQsw
CQYDVQQLDAJMYTELMAkGA1UEAwwCTEEwHhcNMjEwNjIwMDEwNjA5WhcNMjEwODE5
MDEwNjA5WjBAMQwwCgYDVQQIDANBU0QxDDAKBgNVBAcMA0FTRDEKMAgGA1UECgwB
QTEKMAgGA1UECwwBQTEKMAgGA1UEAwwBQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAJoAXZPWMDpv08Z4MpMV0fnEl6Vl4DkZHHHi4YIYpoLuJN4lsAcK
rvRL0Xk5NFl7iYeayRj9RwW583iGvOoANXcCtw+pLfnM0jzdJ1QUrEZUO+C4ddgg
XPecXRrE+7Ate0KAhiD4w5S8q9e8+MpNbSqAxkWB7FGX+3k1A2Qs/Vh8X4UrizUP
YM9S9A+kWefza+N3S078MIdxERxBxZkE1vDzv1lnPk/C7gP57zeR2LpwYM4GRE+K
GwZTk0syEYbi+oKoTtAO+IIJqNbL3jWphrBBbJoyxLQ66zul9yVCAYhhc24hyJjA
4Ql4UWj3U4J8HTfF0ItoGavz6+5KkH48ss5x5lQt7UtJ/E8LIJDu+T1JXl9qjxpO
wfSfa4wi118dJn6jRl45HGwECWoUQARmkiRm/C769FNXQroWn3DCP1GPKa5IN4Mn
/wowhqBFkmFUqtfxGjm+wdYjsaGREVPKvtCEY8170sAURSdcrxKzFu06bi64ZRex
p3vX3PRgxXu3Ssllsx8yLmf23WauzB1p4faW0PiXgyhH95QTkLNMF5NBxSOGt3nh
e8rVQAEvu3B08to7fSM7cAmjJj8dZhZei3GJacr2C6al/SiT9dtT2JV8waZzQ44x
IPQ9i8LVsvX/vdOmIQ9/WfmZ+EHFlmPfoGBEXSS5zMH2qGbcd5KFnZ8RAgMBAAGj
EzARMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQEFBQADggIBAG5kDXRMcYMy
JRVMBQjE11GSJrq8lg3JKfpar2THCcZRbLGLeG262Cilr4VfBkTgkfh1L88EzTvU
qugqwlftqup4CXr5fvPeXdagL9bG6xusmc01m33x6swsLxslMIclJHSsoJGh9IBi
9GCaH7bVF4fxKX/w4BT4UAz7IFSCqmXGE2MXyNC0HK8I/O0IkSxeeyg1ReiQV/qD
J7iU1X+FVy3tSvG3iIcVeYKmwPKpWwne5F8FHIk4VEHNyNX/MS7pCvoD0opKCoC3
8UKTX3dwPhj0Q//heY0NmItaE5GtbVSeTUmmEUWGT5OxivB57DGW3QNi1oFu7/in
GXFsHYyT0KLNXtDEJjzJ0CNa7QWn69/vf1515PTmufdaQ02FpazaArjtEF6cnB70
JAMfdhRBhiIzHx+YhkZ7QwM36CP1miYQ4ne8VmMOSB3Y8DW8Q68jsizC4BA/Tbfh
8dlI0LnMIEy3ZpI3YGVf/PfGUoVOA3RsrIOuWfVS4uSthYNPcvu0h/3GTPCMv1FJ
RotF+FwgfzP2tL37wEfmXQEnBk0waUOZHew7QPDfxTlS0SyLIokUSXW+JDpz6Rrw
h1MzoyBUNbCwJ2Qge8h8gu87LsJ6CZVhseT8Stlvv/69a2jI+4zURGCMFKzuhNzZ
QrGtRRFhhMhMxqpYU77gLgZoLAQRtmyT
-----END CERTIFICATE-----

# cert-key.pem

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Hi, did you fix the issue? I also face the same issue.

Working cert sample in case this helps:

openssl req \
  -out tls.crt \
  -new  \
  -keyout tls.key \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -x509 \
  -subj "/O=HashiCorp/CN=Vault" \
  -days 1095 \
  -addext "subjectAltName = IP:192.168.1.230,IP:192.168.1.231"
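The following script is an added example, not code from anyone in this thread. It covers both cert flows above (a private CA issuing a server cert with an IP SAN, as in the original post, and a SHA-256 signed cert with an explicit SAN, as in the last reply) and then runs the checks that map to the two errors in the thread: whether the leaf chains to the CA, whether the leaf carries a SAN for the address the client dials, and whether the CA file is actually a CA. It assumes OpenSSL 1.1.1 or newer (for `-addext`/`-ext`), a scratch directory in `WORKDIR`, and the constructed address in `VAULT_IP`; it writes its own minimal OpenSSL config files so the result does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue a server
# certificate with an IP SAN, then verify the result the way a TLS client
# would. Assumes OpenSSL >= 1.1.1.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
VAULT_IP="${VAULT_IP:-127.0.0.1}"    # constructed; the address clients dial

# Generate a CA and a server cert signed by it.
make_certs() {
  cd "$WORKDIR"
  # Self-contained CA config: CA:TRUE and keyCertSign are what make a
  # client accept this cert as an issuer.
  cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Lab
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -config ca.cnf -keyout ca-key.pem -out ca.pem 2>/dev/null

  # Server key + CSR, again with a private config so no prompts appear.
  cat > server.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Lab
CN = vault
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -config server.cnf -keyout cert-key.pem -out cert-req.pem 2>/dev/null

  # Leaf extensions. Go's TLS client matches the SAN, never the CN, so the
  # SAN must list every address or name the client will dial.
  cat > ext.cnf <<EOF
subjectAltName=IP:${VAULT_IP},DNS:localhost
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
  # -sha256 matters: the pasted cert.pem in the thread is SHA-1 signed.
  openssl x509 -req -sha256 -days 60 -in cert-req.pem \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -extfile ext.cnf -out cert.pem 2>/dev/null
}

# Check 1: the leaf chains to the CA. When the CA is missing from the
# client's trust store this is the check that fails and is reported as
# "certificate signed by unknown authority"; the server then logs the
# client's "bad certificate" alert.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Check 2: the leaf has a SAN entry for the IP being dialled.
has_ip_san() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "IP Address:$1"
}

# Check 3: the file handed out as the CA really is a CA (CA:TRUE).
ca_is_ca() {
  openssl x509 -in "$WORKDIR/ca.pem" -noout -ext basicConstraints 2>/dev/null \
    | grep -q "CA:TRUE"
}

make_certs
verify_chain && echo "chain OK: cert.pem is signed by ca.pem"
has_ip_san "$VAULT_IP" && echo "SAN OK: cert.pem lists IP $VAULT_IP"
ca_is_ca && echo "ca.pem carries CA:TRUE"
echo "Tell the Vault CLI which CA to trust: export VAULT_CACERT=$WORKDIR/ca.pem"
```

Two points worth noting. First, `tls_client_ca_file` in the listener only governs verification of client certificates presented to Vault; it does nothing for the CLI's trust in the server certificate, which comes from the system trust store or from `VAULT_CACERT` (or the `-ca-cert` flag). Second, the `cert.pem` pasted in the original post decodes (via `openssl x509 -text`) as signed with sha1WithRSAEncryption, so the signing step ran without `-sha256`; Go-based clients reject SHA-1 certificate signatures from Go 1.18 onward, so pass `-sha256` as the last reply does.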