We have successfully deployed Vault as a container in AWS. It sits behind a Network Load Balancer that has a TLS listener with an Amazon-issued certificate.
Vault has PKI configured (root and intermediate CA) and has issued both a certificate to the Vault instance and a key pair to the client.
The AWS target doesn’t care about the “untrusted” certificate on the Vault instance (though the logs show the expected TLS handshake error). We got around the container health check TLS handshake errors by installing openssl on the Vault image and using openssl s_client as the health check instead of netcat.
The configuration works splendidly, except when attempting to implement certificate-based authentication. I am wondering if the TLS listener on the NLB is stripping the certificate in the header, because I am getting the very unhelpful 400 error.
vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert
Error authenticating: Error making API request.
URL: PUT https://ourvault.ourdomain.com:8200/v1/auth/cert/login
Code: 400. Errors:
* client certificate must be supplied
Is there any way to get certificate-based authentication to work with a TLS-enabled AWS NLB in front of it?
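The behaviour the question suspects, shown locally as an added example (this is editorial code, not part of the original post and not Vault's or AWS's code). The functions selfSigned, newBackend, newTLSListener, login and runDemo are mine. newBackend is an httptest server that asks for a client certificate and answers "client certificate must be supplied" when none arrives, standing in for Vault's cert auth endpoint; newTLSListener is an httputil reverse proxy with its own TLS listener, standing in for the NLB TLS listener: it ends the client's TLS session and opens a fresh TLS session to the backend. The same client certificate is presented on both paths; only the direct path delivers it, because the second hop's handshake is between the proxy and the backend and never includes anything the client sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// selfSigned makes a throwaway client certificate (stand-in for the PKI-issued key pair).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newBackend stands in for Vault: it requests (but does not require) a client certificate
// at the TLS layer and, when none arrives, answers the way the cert auth method does.
func newBackend() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			fmt.Fprint(w, "client certificate received")
			return
		}
		http.Error(w, "client certificate must be supplied", http.StatusBadRequest)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert}
	srv.StartTLS()
	return srv
}

// newTLSListener models an NLB TLS listener: the client's TLS session ends here and the
// proxy opens its own TLS session to the backend, which carries no client certificate.
func newTLSListener(backendURL string) *httptest.Server {
	target, _ := url.Parse(backendURL) // httptest URLs always parse
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} // demo only
	srv := httptest.NewUnstartedServer(rp)
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert} // accepting the cert here does not forward it
	srv.StartTLS()
	return srv
}

// login plays the part of `vault login -method=cert`: present the client certificate to the
// login path and return "<status> <body>". (Vault accepts POST as well as PUT on this path.)
func login(baseURL string, clientCert tls.Certificate) (string, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		InsecureSkipVerify: true, // demo only: every certificate here is self-signed
	}}}
	resp, err := c.Post(baseURL+"/v1/auth/cert/login", "application/json", nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return fmt.Sprintf("%d %s", resp.StatusCode, strings.TrimSpace(string(body))), err
}

// runDemo logs in directly to the backend, then through the TLS-terminating hop.
func runDemo() (direct, viaLB string, err error) {
	backend := newBackend()
	defer backend.Close()
	lb := newTLSListener(backend.URL)
	defer lb.Close()
	client := selfSigned("vault-cert")
	if direct, err = login(backend.URL, client); err != nil {
		return
	}
	viaLB, err = login(lb.URL, client)
	return
}

func main() {
	direct, viaLB, err := runDemo()
	fmt.Println("direct:", direct, "| via TLS listener:", viaLB, "| err:", err)
}
```

Run it with `go run` and the direct path reports 200 with the certificate received, while the path through the TLS-terminating hop reports the same 400 and the same "client certificate must be supplied" text the question shows. Nothing in the hop's configuration can change that: a listener that terminates TLS owns the handshake with the client and cannot replay that client's certificate on its own connection to the target. A TCP listener on the NLB relays the bytes without terminating TLS, so Vault completes the handshake with the client itself, as in the direct path, and that is the arrangement under which the cert method can see the client certificate.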