Running Vault behind AWS load balancer with TLS Authentication

We have successfully deployed Vault as a container in AWS. It sits behind a Network Load Balancer that has a TLS listener with an Amazon-issued certificate.

The Vault has PKI configured (root and intermediate CA) and has issued a certificate to both the vault instance and a key pair to the client.

The AWS target doesn’t care about the “untrusted” certificate on the Vault instance (though the logs show the expected TLS handshake error). We got around the container health check TLS handshake errors by installing openssl on the Vault image and using openssl s_client as the health check instead of netcat.

The configuration works splendidly, except when attempting to implement certificate-based authentication. I am wondering if the TLS listener on the NLB is stripping the certificate in the header, because I am getting the very unhelpful 400 error.

vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert

Error authenticating: Error making API request.

Code: 400. Errors:

* client certificate must be supplied

Is there any way to get certificate-based authentication to work with a TLS-enabled AWS NLB in front of it?

Just a word of caution on that config – your logs are going to be much harder to use to diagnose an issue, as the remote_host is going to be the NLB. What we did is change the NLB to pass-through and left the certs on Vault. They’re still self-signed certs, but we deploy the CA certs out to all the clients and servers. You can use letsencrypt if you’re okay with a free version, or use Vault as the CA.

That also “may” fix your client cert issue. I have not implemented this myself, and I know there are issues from other users, but I have also heard that when it works it’s a great auth solution.

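The reply above recommends terminating TLS on Vault itself and running the NLB as plain TCP pass-through, because a load balancer that terminates TLS completes the handshake with the client and opens its own connection to Vault, so the client certificate never reaches Vault and the cert auth method answers "client certificate must be supplied". The script below is an added example, not code from either poster or from HashiCorp: it writes the Vault listener stanza for end-to-end TLS (using the documented `tcp` listener options), shows the one-time registration of the CA with the cert auth method, and includes a small diagnostic that tells you from an `openssl s_client` session whether the endpoint you are talking to actually asks for a client certificate. All file paths, hostnames and the sample handshake output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, hostnames and sample output are constructed.

# 1. Vault listener: TLS terminates on Vault, and tls_client_ca_file names the CA chain
#    that signs client certificates, so Vault requests and verifies them during the handshake.
write_vault_listener() {
  out="$1"   # path of the HCL file to write (placeholder)
  cat > "$out" <<'EOF'
listener "tcp" {
  address            = "0.0.0.0:8200"
  tls_cert_file      = "/vault/tls/vault-cert.pem"   # server cert from the internal intermediate CA
  tls_key_file       = "/vault/tls/vault-key.pem"
  tls_client_ca_file = "/vault/tls/ca-chain.pem"     # root + intermediate chain that signs client certs
}
EOF
}

# 2. One-time setup of the cert auth method (run against the TLS-reachable Vault with a
#    token that may manage auth methods). The role name matches the "name=vault-cert"
#    used in the login command from the question.
register_cert_role() {
  vault auth enable cert
  vault write auth/cert/certs/vault-cert certificate=@/vault/tls/ca-chain.pem
}

# 3. Diagnostic. A server that wants mutual TLS sends a CertificateRequest, and
#    openssl s_client prints the CA names it lists under
#    "Acceptable client certificate CA names". A terminating NLB listener never asks,
#    so the same session prints "No client certificate CA names sent": the client cert
#    is negotiated with the NLB (or not at all), and Vault only ever sees the NLB's
#    own connection, hence the 400.
requests_client_cert() {
  # $1 is the captured text of an openssl s_client session; returns 0 if a client cert was requested
  printf '%s\n' "$1" | grep -q '^Acceptable client certificate CA names'
}

probe() {
  # usage: probe vault.example.internal 8200 client.pem client-key.pem  (placeholders)
  openssl s_client -connect "$1:$2" -cert "$3" -key "$4" </dev/null 2>/dev/null
}

# Constructed, abridged s_client output for both cases, used to exercise requests_client_cert.
SAMPLE_PASSTHROUGH='---
Acceptable client certificate CA names
CN = Example Intermediate CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 2345 bytes and written 1234 bytes'

SAMPLE_NLB_TERMINATED='---
No client certificate CA names sent
Peer signing digest: SHA256
---
SSL handshake has read 3456 bytes and written 456 bytes'

# Typical use against a live endpoint:
#   if requests_client_cert "$(probe vault.example.internal 8200 client.pem client-key.pem)"; then
#     echo "client certificate requested: TLS reaches Vault"
#   else
#     echo "no client certificate requested: something in front of Vault is terminating TLS"
#   fi
```

With the NLB listener switched from TLS to TCP, the probe run against the NLB's DNS name should report the same "Acceptable client certificate CA names" as a probe run directly against the Vault task, which is the quickest way to confirm the change before retrying `vault login -method=cert`.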


That did the trick. We were hoping to be able to offload TLS at the NLB, but that didn’t work.

Set up the internal CAs (root and intermediate), issued certs to Vault and to clients, trusted the CA chain, and it worked.

Thank you!