Problem with cert in Consul Engine

IvanNazarenko · July 27, 2020, 7:38am

Hello everyone, i am newbie in vault. I have a 1 nodes with Vault and 1 nodes with Consul which working using TLS on 1 host. I used vault pki engine for this and i want to enable consul engine in Vault for generate consul token i make which showed in this guide:

Consul - Secrets Engines | Vault | HashiCorp Developer

Besides in command vault write consul/config/access/ added parameters for configure tls connections:
scheme=https
ca_file=/etc/consul.d/ssl/ca.pem
client_cert=/etc/consul.d/ssl/cert.pem
client_key=/etc/consul.d/ssl/pk.pem
*certificates which vault using to connect with consul

When i try read credentials i got a message:

vault read consul/creds/apache
Error reading from: consul/creds/apache.
URL: /v1/consul/creds/apache
Code: 500
Errors:
1 error occurred:
* tls: failed to find any PEM data in certificate input

Maybe i incorrectly added cert in config consul engine? I tried added in string format but got the same mistake.

dmitryzarubin · November 3, 2021, 6:10pm

I had the same problem.

Look at this issue:

github.com/hashicorp/vault

Can't issue a consul token using a consul secret engine

opened 09:31PM - 02 Nov 21 UTC

dmitryzarubin

secret/consul waiting-for-response

**Describe the bug** Hello. I can't issue a consul token using a consul secre…t engine. **To Reproduce** Steps to reproduce the behavior: 1. Run Vault in docker container using the official image (all the commands below were executed inside the vault container) 2. Run Consul in docker container using the official image 3. I used vault pki engine to generate certs for vault and consul. All certs were stored into ../Config/ folder and added as a volume to docker container (path in the container is /vault/config/) 4. I enabled and configured a consul secret engine: ``` vault secrets enable consul vault write consul/config/access \ address=https://169.254.1.1:8551 \ scheme=https \ ca_cert=/vault/config/consul-ca.crt \ client_cert=/vault/config/dc1-consul-tls.crt \ client_key=/vault/config/dc1-consul-tls-key.key \ token=a8a463c5-a284-8f0e-9595-86218b40cd7d vault write consul/roles/agent-role policies=agent-policy ``` 5. I tried to issue a consul token: ``` vault read consul/creds/agent-role ``` **Actual behavior** I got an error: ``` / # vault read consul/creds/agent-role Error reading consul/creds/agent-role: Error making API request. URL: GET https://169.254.1.1:8200/v1/consul/creds/agent-role Code: 500. Errors: * 1 error occurred: * tls: failed to find any PEM data in certificate input ``` **Expected behavior** I get a consul token or more detailed description of the cause of the error (what I need to change to fix the error) **Environment:** * Vault Server Version: 1.8.4 * Vault CLI Version: 1.8.4 * Server Operating System/Architecture: Docker (host is Ubuntu 20.04.3 LTS) Vault server configuration file(s): ```hcl storage "file" { path = "/vault/data" } listener "tcp" { address = "169.254.1.1:8200" tls_disable = "false" tls_cert_file = "vault/config/dc1-vault-tls.crt" tls_key_file = "vault/config/dc1-vault-tls-key.key" tls_client_ca_file = "vault/config/vault-ca.crt" tls_require_and_verify_client_cert = "true" } api_addr = "https://169.254.1.1:8200" cluster_addr = "https://169.254.1.1:8201" log_level = "Trace" log_format = "json" ui = "true" disable_clustering = "true" ``` **Additional context** - I have attached my consul certs to this ticket and I can connect to my consul server using them. [certs.zip](https://github.com/hashicorp/vault/files/7463810/certs.zip) - I also tried to use different formats of the path to certificates, but it didn't work ca_cert='/vault/config/consul-ca.crt' \ ca_cert=@/vault/config/consul-ca.crt \