I am following the tutorial on Vault - Nomad integration with workload identities. I use my own certificates and also use client certificates.
When I try to write this file with the command vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json'
{
"jwks_url": "https://<my-server-url>:4646/.well-known/jwks.json",
"jwt_supported_algs": ["RS256", "EdDSA"],
"default_role": "nomad-workloads"
}
I get tls: failed to verify certificate: x509: certificate signed by unknown authority.
That is alright because I am using custom certificates so I managed to overcome this by using jwks_ca_pem=@/path/to/my/CA.pem
So the full command I use is:
vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json' jwks_ca_pem=@/path/to/my/CA.pem
But now I get this error on my Vault logs because of the client certificate that Vault needs in order to communicate with Nomad:
Jan 11 14:57:14 sh[943]: 2025-01-11T14:57:14.772+0200 [ERROR] auth.jwt.auth_jwt_dc7f553c: error checking jwks URL: url=my-server-url:4646/.well-known/jwks.json error="fetching keys oidc: get keys failed Get "my-server-url:4646/.well-known/jwks.json": remote error: tls: certificate required"
How do I overcome this? I’ve searched everywhere…
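The two errors in the post come from opposite ends of the TLS handshake, and it helps to see both reproduced before touching the Vault or Nomad configuration. The script below is an added example, not part of the original post and not HashiCorp code: it builds a throwaway CA, a server certificate for localhost and a client certificate, starts an openssl s_server that requires client certificates (standing in for a Nomad HTTP API that demands them), and fetches a JWKS-style URL from it three ways. The first probe models the initial vault write (the server's CA is not trusted), the second models the jwks_ca_pem attempt (the server is trusted, but the client presents no certificate), and the third is what the server actually wants. It assumes openssl and curl are on PATH and that TCP port 18446 on 127.0.0.1 is free; the port, paths and names are all made up for the example.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the two TLS failures the
# post hits against a throwaway mTLS server on localhost, to tell apart
# "certificate signed by unknown authority" (client does not trust the server CA)
# from "certificate required" (server insists on a client certificate).
# Assumptions: openssl and curl are on PATH, 127.0.0.1:18446 is free.
set -eu

PORT=18446
WORK=$(mktemp -d)
SERVER_PID=""
cleanup() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# Throwaway CA, a server certificate for "localhost" (SAN included so curl's
# hostname check passes) and a client certificate, both leaves signed by the CA.
make_certs() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
      -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
      -keyout server.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:localhost\n' > san.cnf
  openssl x509 -req -days 1 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -extfile san.cnf -out server.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vault-jwks-fetcher" \
      -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -days 1 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out client.pem 2>/dev/null
)

jwks_url() { printf 'https://localhost:%s/.well-known/jwks.json' "$PORT"; }

# Stand-in for an HTTPS API that requires client certificates: -Verify makes
# s_server request a client certificate and fail the handshake if none chains
# to -CAfile. -www answers any GET with a 200 status page.
start_server() {
  openssl s_server -accept "127.0.0.1:$PORT" -www \
      -cert "$WORK/server.pem" -key "$WORK/server.key" \
      -CAfile "$WORK/ca.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  tries=0
  until [ "$(probe_ca_and_client_cert)" = accepted ]; do   # wait for the listener
    tries=$((tries + 1))
    [ "$tries" -lt 50 ] || return 1
    sleep 0.2
  done
}

# Each probe prints "accepted" when curl completes the handshake and gets a 2xx,
# and "rejected" otherwise.
probe_no_ca() {          # first vault write: server CA untrusted -> unknown authority
  if curl -sSf --max-time 5 -o /dev/null "$(jwks_url)" 2>/dev/null
  then echo accepted; else echo rejected; fi
}
probe_ca_only() {        # jwks_ca_pem attempt: server trusted, no client cert -> certificate required
  if curl -sSf --max-time 5 -o /dev/null --cacert "$WORK/ca.pem" "$(jwks_url)" 2>/dev/null
  then echo accepted; else echo rejected; fi
}
probe_ca_and_client_cert() {   # what the server is actually asking for
  if curl -sSf --max-time 5 -o /dev/null --cacert "$WORK/ca.pem" \
        --cert "$WORK/client.pem" --key "$WORK/client.key" "$(jwks_url)" 2>/dev/null
  then echo accepted; else echo rejected; fi
}

make_certs
start_server
echo "no CA bundle, no client cert: $(probe_no_ca)"
echo "CA bundle only:               $(probe_ca_only)"
echo "CA bundle + client cert:      $(probe_ca_and_client_cert)"
```

The point of the second probe is that a CA bundle only settles whether the client trusts the server; it gives the client nothing to present when the server turns around and asks for a certificate of its own, so jwks_ca_pem cannot make "tls: certificate required" go away. On the Nomad side, the setting that makes the HTTP API demand a client certificate is verify_https_client in the agent's tls stanza, so that is the first thing to check in the agent configuration. Running the same three curl commands against the real Nomad JWKS URL, with the CA and client certificate Vault is expected to use, confirms which side of the handshake is rejecting the connection before anything is changed.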