Need help for vault https access with self-signed certificate

Hello,

I am trying to learn how to use Vault by creating a local virtual machine (Ubuntu 20.04) and a container with docker-compose.

So I run Vault from a container built with docker-compose. I have access to the UI/API, but I want to put it behind HTTPS with an SSL certificate from openssl.

Here is my configuration:

docker-compose.yaml:

version: '3.6'

services:

  vault:
    build:
      context: ./vault
      dockerfile: Dockerfile
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
      - ./vault/volume_test/:/vault/volume_test
    environment:
      - VAULT_ADDR=http://192.168.56.8:8200
    command: server -config=/vault/config/vault-config.json
    cap_add:
      - IPC_LOCK

My Dockerfile:

# base image
FROM alpine:3.7

# set vault version
ENV VAULT_VERSION 0.10.3

# create a new directory
RUN mkdir /vault

# download dependencies
RUN apk --no-cache add \
      bash \
      ca-certificates \
      wget

# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
    unzip /tmp/vault.zip -d /vault && \
    rm -f /tmp/vault.zip && \
    chmod +x /vault/vault

# update PATH so the "vault" entrypoint resolves to /vault/vault
ENV PATH="$PATH:/vault"

# add the config file
COPY ./config/vault-config.json /vault/config/vault-config.json

# expose port 8200
EXPOSE 8200

# run vault
ENTRYPOINT ["vault"]

My vault-config.json file:

{
  "backend": {
    "file": {
      "path": "vault/data"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "ui": true
}
With these files, all is working properly.

Here is what I have tried for HTTPS:

apt-get install openssl
openssl genrsa -aes256 -out certificat.key 4096
mv certificat.key certificat.key.lock
openssl rsa -in certificat.key.lock -out certificat.key
openssl req -new -key certificat.key.lock -out certificat.csr
openssl x509 -req -days 365 -in certificat.csr -signkey certificat.key.lock -out certificat.crt

And I added the paths of my .crt and .key to my vault-config.json file:

{
  "backend": {
    "file": {
      "path": "vault/data"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/path/to/my/certificat.crt",
      "tls_key_file": "/path/to/my/certificat.key"
    }
  },
  "ui": true
}

After that, I run my docker-compose command to build my container, but it does not work.

But I think this is not the right way to do it.

Could someone tell me how to do that with openssl?

Thanks !
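As an added example (not the poster's code and not anything from the Vault project), the script below does the two checks that matter for a first self-signed setup: it validates the TLS part of a listener config, catching the unclosed "listener" brace in the posted HTTPS config and a key path that points at a .crt, and, when run directly, it mints an unencrypted key plus a self-signed certificate whose SAN carries the VM address from the post (192.168.56.8) and confirms the key matches the certificate. Assumptions: the file names vault.key and vault.crt under /vault/config, the CN vault.local, and OpenSSL 1.1.1 or newer (for -addext and -ext).

```python
"""Sanity-check a Vault JSON config's TLS listener settings and, when run
directly, create a self-signed certificate that Vault will accept.
Added example for this thread; it is not the original poster's code."""
import json
import subprocess
import tempfile
from pathlib import Path

# Constructed from the post: the HTTPS attempt as posted. The "listener"
# object is never closed, so the file is not valid JSON at all.
BROKEN_CONFIG = """{
  "backend": {"file": {"path": "vault/data"}},
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/path/to/my/certificat.crt",
      "tls_key_file": "/path/to/my/key.crt"
  },
  "ui": true
}"""

# A corrected version. The file names under /vault/config are an assumption;
# that directory is bind-mounted from ./vault/config in the compose file.
FIXED_CONFIG = """{
  "backend": {"file": {"path": "vault/data"}},
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_cert_file": "/vault/config/vault.crt",
      "tls_key_file": "/vault/config/vault.key"
    }
  },
  "ui": true
}"""


def listener_problems(config_text):
    """Return a list of problems with the listener's TLS settings (empty = OK)."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Vault refuses to start on malformed JSON; an unbalanced brace is easy
        # to miss in a hand-edited file, so report it before anything else.
        return ["config is not valid JSON: %s (line %d)" % (exc.msg, exc.lineno)]
    tcp = cfg.get("listener", {}).get("tcp")
    if not isinstance(tcp, dict):
        return ["no listener.tcp block found"]
    tls_off = str(tcp.get("tls_disable", 0)).lower() in ("1", "true")
    cert, key = tcp.get("tls_cert_file"), tcp.get("tls_key_file")
    problems = []
    if tls_off and (cert or key):
        problems.append("tls_disable is set, so tls_cert_file/tls_key_file are ignored")
    if not tls_off:
        if not cert:
            problems.append("TLS is on but tls_cert_file is missing")
        if not key:
            problems.append("TLS is on but tls_key_file is missing")
        elif key.endswith(".crt"):
            problems.append("tls_key_file must be the PEM private key, not a .crt")
    return problems


def make_self_signed_cert(out_dir, cn, san_ip, days=365):
    """Create an unencrypted key and a self-signed cert in one openssl call.
    Vault reads the key at start-up with no passphrase prompt, so -nodes (no
    -aes256). The SAN must carry the address clients connect to, because Go's
    TLS client does not fall back to the CN. Needs OpenSSL >= 1.1.1 (-addext)."""
    key, crt = Path(out_dir) / "vault.key", Path(out_dir) / "vault.crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:4096", "-nodes", "-days", str(days),
         "-keyout", str(key), "-out", str(crt), "-subj", "/CN=%s" % cn,
         "-addext", "subjectAltName=IP:%s,DNS:%s" % (san_ip, cn)],
        check=True, capture_output=True)
    key.chmod(0o600)  # only the Vault process should be able to read the key
    return key, crt


def key_matches_cert(key, crt):
    """True when the cert's public key equals the one derived from the private
    key; a mismatch is what Go's TLS stack reports as 'private key does not
    match public key' when Vault starts."""
    pub_from_cert = subprocess.run(
        ["openssl", "x509", "-noout", "-pubkey", "-in", str(crt)],
        check=True, capture_output=True).stdout
    pub_from_key = subprocess.run(
        ["openssl", "pkey", "-pubout", "-in", str(key)],
        check=True, capture_output=True).stdout
    return pub_from_cert == pub_from_key


if __name__ == "__main__":
    for name, text in (("as posted", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print("%-10s %s" % (name, listener_problems(text) or ["ok"]))
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed_cert(tmp, "vault.local", "192.168.56.8")
        print("key matches cert:", key_matches_cert(key, crt))
        print(subprocess.run(["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName",
                              "-in", str(crt)], check=True, capture_output=True, text=True).stdout)
```

Copy the generated vault.crt and vault.key into ./vault/config on the VM (the compose file already bind-mounts that directory to /vault/config), switch VAULT_ADDR in the compose file to https://192.168.56.8:8200, and on the VM point the CLI at the certificate with VAULT_CACERT=/path/to/vault.crt so it trusts the self-signed issuer instead of disabling verification with -tls-skip-verify.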