Hi there.
I’ve been struggling with an issue to get vault working correctly using TLS. I’m not sure at all what I’m doing wrong, but I suspect that I have a lack of understanding on how it actually works. Sorry guys, this is my first time trying this, so please bear with me.
I’m running Ubuntu Server 22.04 and have installed and configured easy-rsa as my CA.
I’ve created a CA cert, added it to the /usr/local/share/ca-certificates/ directory and ran the “sudo update-ca-certificates” command. This all works correctly as far as I know.
After that I used the following OpenSSL commands to first create a key and then create a CSR:
- openssl genrsa -out vault.key
- openssl req -new -key vault.key -out vault.req -subj "/CN=vault.securotrax.com" -addext "subjectAltName = IP:0.0.0.0,DNS:vault.securotrax.com"
The next step is to sign the csr with the ca cert with the following 2 commands:
- ./easyrsa import-req /opt/sign-cert/vault.req vault-cert
- ./easyrsa sign-req server vault-cert
This creates the cert successfully.
Then I installed vault using the HashiCorp documentation and that runs perfectly.
I created the vault.hcl file with the following content:
storage "file" {
  path = "./vault/data"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "/etc/ssl/certs/vault-cert.crt"
  tls_key_file = "/etc/ssl/private/vault.key"
  tls_client_ca_file = "/usr/local/share/ca-certificates/ca.crt"
}
api_addr = "https://vault.securotrax.com:8200"
ui = true
I’ve also updated the /etc/hosts file to point vault.securotrax.com to 127.0.0.1.
Then I ran the following three commands:
- sudo systemctl enable vault.service
- sudo systemctl start vault.service
- sudo systemctl status vault.service
The last command returns the status of vault correctly, except that it throws the following warning: no api_addr value specified in config or in VAULT_API_ADDR
Not sure if that warning is interfering. But I exported the variables nevertheless by using the following 2 commands:
- export VAULT_ADDR='https://vault.securotrax.com:8200'
- export VAULT_API_ADDR='https://vault.securotrax.com:8200'
Not sure if the above is correct?
Lastly I tried to run the operator command to initialise vault:
vault operator init
This fails drastically and throws this error message:
Get "https://vault.securotrax.com:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match vault.securotrax.com
I’m sure my cert is not as expected. But I have no idea how to generate the cert so that it works correctly.
Any advice would definitely be helpful. Thanks in advance!
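As an added illustration that is not part of the original post, the script below reproduces the "certificate is not valid for any names" failure with plain OpenSSL and shows what a correctly issued server cert must contain: a CSR's subjectAltName is only a request, and a signer that does not copy or re-declare it issues a cert with no SAN at all, which Go's TLS client (used by the Vault CLI) rejects because it never falls back to the CN. The hostname vault.example.test, the temp directory and the throwaway CA are constructed for the example and stand in for the post's easy-rsa setup.

```sh
#!/bin/sh
# Added example, not from the original post. Constructed CA, key and CSR live
# in a temp dir; vault.example.test is an assumed hostname.
set -eu
WORK="$(mktemp -d)"
HOST="vault.example.test"

# Throwaway CA standing in for the easy-rsa CA in the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# CSR carrying the SAN, built the same way as in the post.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -addext "subjectAltName = DNS:$HOST,IP:127.0.0.1" \
  -keyout "$WORK/vault.key" -out "$WORK/vault.csr" 2>/dev/null

# Extensions the *signer* must add: without them the SAN in the CSR is dropped.
printf 'subjectAltName = DNS:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
  "$HOST" > "$WORK/server.ext"

# sign_csr <out> [extfile]: sign the CSR with the CA, optionally adding extensions.
sign_csr() {
  if [ $# -eq 2 ]; then
    openssl x509 -req -in "$WORK/vault.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$2" -out "$1" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/vault.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$1" 2>/dev/null
  fi
}

# cert_san <cert>: print the certificate's subjectAltName, or "none" if absent.
cert_san() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; f=1 } END { if (!f) print "none" }'
}

# go_name_check <cert>: mimic Go's x509 hostname check, as the Vault CLI does it.
# The host must appear as a DNS SAN; the CN is never consulted, so a cert with
# no SAN fails with "certificate is not valid for any names".
go_name_check() {
  case ", $(cert_san "$1")," in
    *", DNS:$HOST,"*) return 0 ;;
    *) return 1 ;;
  esac
}

sign_csr "$WORK/bad.crt"                      # SAN from the CSR silently lost
sign_csr "$WORK/good.crt" "$WORK/server.ext"  # SAN re-declared at signing time
echo "bad:  $(cert_san "$WORK/bad.crt")"
echo "good: $(cert_san "$WORK/good.crt")"
```

The same inspection, openssl x509 -noout -text on the cert Vault is actually serving, is the quickest way to confirm whether the issued certificate carries the SAN the CSR asked for.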