In the documentation of the raft configuration there is the example below.
I don't understand a few things:
- The cluster is on 8201, but leader_api_addr is on 8200.
- What is leader_ca_cert_file, and how is it related to tls_cert_file in the listener configuration (https://www.vaultproject.io/docs/configuration/listener/tcp#tls_cert_file)?
- In the example below there is a different CA for every node. Is that really possible? Are they used for the TLS connection? How are they verified?
Generally I am looking for information on how these certificates are used by Vault.
storage "raft" {
  path    = "/Users/foo/raft/"
  node_id = "node1"
  retry_join {
    leader_api_addr         = "http://127.0.0.2:8200"
    leader_ca_cert_file     = "/path/to/ca1"
    leader_client_cert_file = "/path/to/client/cert1"
    leader_client_key_file  = "/path/to/client/key1"
  }
  retry_join {
    leader_api_addr         = "http://127.0.0.3:8200"
    leader_ca_cert_file     = "/path/to/ca2"
    leader_client_cert_file = "/path/to/client/cert2"
    leader_client_key_file  = "/path/to/client/key2"
  }
  retry_join {
    leader_api_addr         = "http://127.0.0.4:8200"
    leader_ca_cert_file     = "/path/to/ca3"
    leader_client_cert_file = "/path/to/client/cert3"
    leader_client_key_file  = "/path/to/client/key3"
  }
}
I’ve come across the same issue and I didn’t understand what was happening, but I think I’m much closer now to understanding it. The documentation is unfortunately terribly confusing, but if you do read the definition of each directive, it starts to make sense. You just have to pay very close attention. The configuration example is, in my opinion, really misleading, because it uses loopback addresses and I think this is plain wrong (I’m probably missing something), because the node shouldn’t connect to itself, but, of course, to the other nodes.
So the point is that leader_api_addr refers to the node address. So you add a node per each retry_join stanza.
Then leader_ca_cert_file, leader_client_cert_file and leader_client_key_file can point to the exact same certificates/key, so the exact same path. I don't see any advantage to presenting unique certificates for each node; that would mean you'd have a total of 6 client certificates (and maybe another 6 CAs, if you were to follow their example ad litteram). I don't see how this can significantly add to security given the unnecessary added complexity.
So basically that’s it. After adapting the configuration, I’m not getting any certificate errors (unknown certificate authority and so on).
It's also worth mentioning that http instead of https seems to be a mistake in this context.
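A rewritten version of the posted block along the lines of the answer above, added here as an example that is not part of the thread or of the Vault documentation. The hostnames, file paths and the listener stanza are assumptions; it shows how leader_ca_cert_file on the joining side pairs with tls_cert_file on the leader's listener, and leader_client_cert_file with the listener's tls_client_ca_file.

```hcl
# Added example, not from the thread or the Vault docs. Hostnames and
# paths are made up; every node uses the same CA and one shared client
# cert/key, as the answer above suggests.

# API listener on 8200: this is what the other nodes' retry_join
# stanzas connect to. 8201 is the cluster port used between nodes
# after the join has succeeded.
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"

  # Server certificate presented to joining nodes. It must chain to the
  # CA that the joining nodes reference in leader_ca_cert_file.
  tls_cert_file = "/etc/vault/tls/node.pem"
  tls_key_file  = "/etc/vault/tls/node-key.pem"

  # CA used to verify the certificate a joining node presents via
  # leader_client_cert_file / leader_client_key_file (mutual TLS).
  # Drop these two lines if you only want server-side TLS.
  tls_client_ca_file                 = "/etc/vault/tls/ca.pem"
  tls_require_and_verify_client_cert = true
}

api_addr     = "https://vault1.example.internal:8200"
cluster_addr = "https://vault1.example.internal:8201"

storage "raft" {
  path    = "/var/lib/vault/raft"
  node_id = "vault1"

  # One stanza per *other* node, https (not http), and the same CA and
  # client cert/key path in each. The shared client cert is assumed to
  # carry the clientAuth extended key usage.
  retry_join {
    leader_api_addr         = "https://vault2.example.internal:8200"
    leader_ca_cert_file     = "/etc/vault/tls/ca.pem"
    leader_client_cert_file = "/etc/vault/tls/client.pem"
    leader_client_key_file  = "/etc/vault/tls/client-key.pem"
  }
  retry_join {
    leader_api_addr         = "https://vault3.example.internal:8200"
    leader_ca_cert_file     = "/etc/vault/tls/ca.pem"
    leader_client_cert_file = "/etc/vault/tls/client.pem"
    leader_client_key_file  = "/etc/vault/tls/client-key.pem"
  }
}
```

The same file works on vault2 and vault3 once node_id, api_addr, cluster_addr and the retry_join targets are changed to point at the other two nodes.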
In the documentation the reason why they used the loopback IPs (different ones) was that several vault instances were started on different loopback IPs. So that’s what I was missing when I wrote the last comment.