Issues with TLS configuration for Vault

Hi there.

I’ve been struggling with an issue getting Vault working correctly with TLS. I’m not sure at all what I’m doing wrong, but I suspect I lack an understanding of how it actually works. Sorry guys, this is my first time trying this, so please bear with me.

I’m running Ubuntu Server 22.04 and have installed and configured easy-rsa as my CA.
I’ve created a CA cert, added it to the /usr/local/share/ca-certificates/ directory and ran the “sudo update-ca-certificates” command. As far as I know, this all works correctly.

After that I used the following OpenSSL commands to first create a key and then thereafter create a csr:

  1. openssl genrsa -out vault.key
  2. openssl req -new -key vault.key -out vault.req -subj "/CN=vault.securotrax.com" -addext "subjectAltName = IP:0.0.0.0,DNS:vault.securotrax.com"

The next step is to sign the csr with the ca cert with the following 2 commands:

  1. ./easyrsa import-req /opt/sign-cert/vault.req vault-cert
  2. ./easyrsa sign-req server vault-cert

This creates the cert successfully.

Then I installed vault using the HashiCorp documentation and that runs perfectly.

I created the vault.hcl file with the following content:
storage "file" {
  path = "./vault/data"   # relative to the working directory of the vault process
}

listener "tcp" {
  address            = "127.0.0.1:8200"
  tls_cert_file      = "/etc/ssl/certs/vault-cert.crt"
  tls_key_file       = "/etc/ssl/private/vault.key"    # no trailing space inside the quotes
  tls_client_ca_file = "/usr/local/share/ca-certificates/ca.crt"
}

api_addr = "https://vault.securotrax.com:8200"
ui       = true

I’ve also updated the /etc/hosts file to point vault.securotrax.com to 127.0.0.1.

Then I ran the following three commands:

  1. sudo systemctl enable vault.service
  2. sudo systemctl start vault.service
  3. sudo systemctl status vault.service

The last command returns the status of Vault correctly, except that it throws the following warning: no api_addr value specified in config or in VAULT_API_ADDR

Not sure if that warning is interfering. But I exported the variables nevertheless by using the following 2 commands:

  1. export VAULT_ADDR='https://vault.securotrax.com:8200'
  2. export VAULT_API_ADDR='https://vault.securotrax.com:8200'

Not sure if the above is correct?

Lastly, I tried to run the operator command to initialise Vault:
vault operator init

This fails drastically and throws this error message:
Get "https://vault.securotrax.com:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match vault.securotrax.com

I’m sure my cert is not as expected. But I have no idea how to generate the cert so that it works correctly.

Any advice would definitely be helpful. Thanks in advance!


It is bizarre to include the wildcard IP address in a Subject Alternative Name.

I am not familiar with easyrsa, but it is quite common for CAs to not trust extensions in CSRs unless specifically configured to do so. This might mean the Subject Alternative Name is not present in the final certificate. You should show us the actual certificate produced.

For clarity, do not set options that relate to TLS client certificates unless you actually intend to go beyond a basic TLS setup and implement client certificates. This option is irrelevant to a basic TLS setup.

Since Vault says there’s no api_addr in your config, but you have one, this calls into question whether Vault is being pointed to the correct configuration file.

Do not set this. It is only relevant in the environment of the Vault server and then only for the purpose of overriding the api_addr stated in the configuration file. Mainly it is intended for running Vault in Kubernetes and having Kubernetes feed the appropriate api_addr value in without needing to write it in the configuration file.
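To make the point about CSR extensions concrete, here is an added example (it is not from this thread and not HashiCorp's code) that reproduces the whole path with Go's standard library, which is the TLS stack the vault CLI itself uses: a CA, a CSR carrying the same CN and SAN as the openssl req command in the question, a CA that either copies or drops the requested SAN, and the client-side verification for vault.securotrax.com. The host name is taken from the post; the CA name and the certificate lifetimes are constructed for the example. A CA that drops the extension leaves a certificate with only a Common Name, which Go no longer consults, and a SAN that carries only IP:0.0.0.0 produces word for word the error from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const Host = "vault.securotrax.com" // name the vault CLI must match (from the post)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA, the role easy-rsa's build-ca plays in the post.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab CA (constructed name)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newCSR mirrors "openssl req -new -subj /CN=... -addext subjectAltName=...":
// both the CN and the requested SAN travel inside the request.
func newCSR(cn string, dns []string, ips []net.IP) *x509.CertificateRequest {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IPAddresses: ips}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return must(x509.ParseCertificateRequest(der))
}

// signCSR plays the CA. With copySAN=false it behaves like a CA that ignores
// request extensions: only the subject survives, so the certificate has no SAN.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, copySAN bool) *x509.Certificate {
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if copySAN {
		tmpl.DNSNames, tmpl.IPAddresses = csr.DNSNames, csr.IPAddresses
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// VerifyAs does what a Go TLS client (the vault CLI is one) does with a server
// certificate: chain it to the trusted CA, then match host against the SAN.
// The Common Name is never consulted. Returns the error text, "" if accepted.
func VerifyAs(cert, ca *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err.Error()
	}
	return ""
}

// IssueAndCheck runs one end-to-end case: a CSR with the given SAN entries,
// a CA that does or does not copy them, and a client verifying for Host.
func IssueAndCheck(dns []string, ips []net.IP, caCopiesSAN bool) string {
	ca, caKey := newCA()
	return VerifyAs(signCSR(ca, caKey, newCSR(Host, dns, ips), caCopiesSAN), ca, Host)
}

func main() {
	ip := []net.IP{net.IPv4zero} // the IP:0.0.0.0 entry from the post's -addext
	fmt.Printf("CA drops CSR extensions: %q\n", IssueAndCheck([]string{Host}, ip, false))
	fmt.Printf("SAN has only IP:0.0.0.0: %q\n", IssueAndCheck(nil, ip, true))
	fmt.Printf("SAN has the DNS name:    %q\n", IssueAndCheck([]string{Host}, ip, true))
}
```

Run it with go run. The real-world equivalent of the IssueAndCheck cases is openssl x509 -in /etc/ssl/certs/vault-cert.crt -noout -text on the certificate the CA actually issued: its X509v3 Subject Alternative Name line must list DNS:vault.securotrax.com, and the IP:0.0.0.0 entry contributes nothing to the match.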

Thank you so much for your answer! It pointed me in a direction and I managed to figure it out eventually. You’ve been a great help, thank you!

Have you managed to resolve this then?

Yes thank you… I needed to update my vault.service file to utilise the correct hcl file.