Only the CLI breaks if Vault validates client certs

Hi all,

When I add this config on the Vault listener:

tls_require_and_verify_client_cert  = "true" 
tls_client_ca_file = "/etc/ssl/root_ca.pem"

I have imported the client cert in Windows and I could access the UI and log in via a token.
But when I try to run the CLI on the Linux machine, I get "tls: bad certificate", and this is the same cert, just converted to PEM.

Below is issued by root_ca.pem:


This won't work:

export VAULT_ADDR=
export VAULT_CACERT=root_ca.pem
export VAULT_CLIENT_CERT=pub_key.pem
export VAULT_CLIENT_KEY=pvt_key.pem
vault login  xxxxxxxxxxx


Error authenticating: error looking up token: Get "": remote error: tls: bad certificate

If I comment out the following:

#tls_require_and_verify_client_cert  = "true" 
#tls_client_ca_file = "/etc/ssl/root_ca.pem"

And use the below it works:

export VAULT_ADDR=
export VAULT_CACERT=agent-ca.pem
export VAULT_CLIENT_CERT=mdc-cli.pem
export VAULT_CLIENT_KEY=mdc-cli-key.pem
vault login  xxxx

Is there a way to make the CLI work when tls_require_and_verify_client_cert = "true"?
I would like the client to get validated via the CLI as well; as of now only the UI works when tls_require_and_verify_client_cert = "true".


There is not enough information in this post for people reading it to tell what has gone wrong. It would be helpful if you disclosed the actual contents of all the certificates (not their private keys, of course).

I am also particularly confused that in the second part of your post you explain that you tried turning off the requirement for client certificates on the Vault server, and made the request with a new, different client certificate. Given you had just turned off the requirement for client certificates at all, what was the point of specifying a different client certificate?

(The answer of why you decided to do that may help in illuminating your CA architecture.)

I’m sorry, but you’re really not explaining yourself well… if you’ve turned off client certificate validation, then to me that directly implies you don’t need to provide a client certificate to be able to communicate with Vault, but you’re doing it anyway:

so I’m confused.

But anyway…

I see you telling Vault that client certificates need to be issued by root_ca.pem

… but using a client certificate issued by allit-SUBCA. Now, you haven’t provided the contents of root_ca.pem for me to be sure, but the naming sure does imply they are different CAs…

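To make the diagnosis in the reply above concrete: a Go server configured with ClientAuth=RequireAndVerifyClientCert (which is what tls_require_and_verify_client_cert turns on) verifies the presented client certificate against the ClientCAs pool built from tls_client_ca_file, using any extra certificates the client sends only as untrusted intermediates. The following is an added example, not code from the thread or from Vault: it builds a constructed three-tier hierarchy (a root, an issuing sub-CA named allit-SUBCA as in the reply, and a client leaf) and runs that same x509 verification for the three combinations that matter: root only in the CA file with a bare leaf presented (fails with "unknown authority"), the leaf presented together with its sub-CA, and a CA file that bundles root and sub-CA. Names, serial numbers and validity periods are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signs when parent is nil) and returns
// the parsed certificate together with the fresh P-256 key it was issued for.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a minimal CA or client-auth leaf template (values are assumptions).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// A client cert without the clientAuth EKU is rejected too, so set it explicitly.
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// PKI is a constructed hierarchy mirroring the thread: root_ca.pem -> allit-SUBCA -> CLI cert.
type PKI struct {
	Root, Sub, Client *x509.Certificate
}

func NewPKI() *PKI {
	root, rootKey := issue(template("root_ca", 1, true), nil, nil)
	sub, subKey := issue(template("allit-SUBCA", 2, true), root, rootKey)
	client, _ := issue(template("mdc-cli", 3, false), sub, subKey)
	return &PKI{Root: root, Sub: sub, Client: client}
}

// VerifyClient performs the check a TLS server with ClientCAs=trusted makes on a
// presented chain: presented[0] is the leaf, the rest are untrusted intermediates,
// and the leaf must be valid for client authentication.
func VerifyClient(trusted, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p := NewPKI()
	root := []*x509.Certificate{p.Root}
	bundle := []*x509.Certificate{p.Root, p.Sub}
	fmt.Println("CA file = root, CLI sends leaf only      :", VerifyClient(root, []*x509.Certificate{p.Client}))
	fmt.Println("CA file = root, CLI sends leaf + sub-CA  :", VerifyClient(root, []*x509.Certificate{p.Client, p.Sub}))
	fmt.Println("CA file = root+sub-CA, CLI sends leaf only:", VerifyClient(bundle, []*x509.Certificate{p.Client}))
}
```

The first case is the "tls: bad certificate" alert from the client's point of view: the server cannot build a path from the leaf to anything in tls_client_ca_file, so it aborts the handshake. Either of the other two configurations fixes it: put the sub-CA certificate after the leaf in the file passed as VAULT_CLIENT_CERT (assuming the CLI loads every PEM block in that file, as Go's tls.LoadX509KeyPair does), or concatenate the root and sub-CA certificates into the file named by tls_client_ca_file. `openssl verify -CAfile root_ca.pem pub_key.pem` on the CLI host reproduces the same verdict without touching the Vault listener.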
That is OK, it is working now maxb :slight_smile: thank you, all certs are OK, I changed the file names, probably a typo only.