Nomad 1.0 integration with Vault

Hello! I haven’t found anything yet that answers this specifically, so I’m hoping someone might have some insight.

tl;dr -> I’m getting a TLS bad certificate error when configuring the Nomad 1.0 agent to talk to Vault, and I’m not sure why. The setup I had was working with Nomad 0.12.9.

Background -> I’ve been testing a Nomad/Consul/Vault stack to replace a supervisord setup. Consul provides the SD, KV for Vault, and Nomad schedules the jobs. In our tests, we’ve been able to configure Nomad to talk to Vault (policies, token generation, etc.) using self-signed SSL certs. We generated a single PEM file that contains the CA cert, host cert, and key. This PEM file was placed in both the Nomad and Vault configurations, and Nomad was able to communicate with Vault without issue. However, this is true when using Nomad 0.12.9 and Vault 1.3.3.

Problem -> since I started testing Nomad 1.0, I can’t get the agent to communicate with Vault correctly due to a TLS issue. The Vault stanza in the Nomad config hasn’t changed, and the Vault configuration hasn’t changed (both services are using the same PEM file). I’ve even tried the latest Vault version (1.6.1), and the same issue occurs. I’ve verified that the CN in the certificate is the same as what Nomad points to in the config.

I haven’t seen anything specific in the change logs for Nomad 1.0 related to TLS and integration with Vault. Is there anything else I need to consider or add in the Nomad agent configuration in order for this to work? I can provide any additional detail if needed. Thank you so much!

UPDATE: This has been resolved.

As this is a test environment, I’ve been generating self-signed certificates via OpenSSL. However, I did not include Subject Alternate Names while generating. It looks like I encountered an updated deprecation in Go 1.15 regarding the common name default when no SANs exist.

After including alternate names for IP/DNS when generating these certificates, I no longer encountered this issue.
