Seeking Assistance with TLS Connection Error in HashiCorp Vault

Hello HashiCorp Vault community,

I hope everyone is doing well. I am currently facing an issue when attempting to connect with HashiCorp Vault, and I am seeking the help and guidance of the community to resolve it. Here are the details of the problem I am experiencing:

Error when trying to connect:

"Get "https://vault-svcs-test.atlax360.com:8200/v1/sys/internal/ui/mounts/secret": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Configuration Details:

  • A certificate is installed, and the pods show that it is correctly mounted with the following values in the listener:
...
    tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
    tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
...
}
  • Additionally, the environment variable VAULT_CACERT is set as:
VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca

Error in the injector logs:

"[ERROR] handler: http: TLS handshake error from 192.168.0.24:56804: remote error: tls: bad certificate"

Contents of the secrets:

  1. vault.ca (Intermediate CA Certificate and Root CA Certificate)
-----BEGIN CERTIFICATE-----
MIIEyDCCA7CgAwIBAgIQDPW9BitWAvR6uFAsI8zwZ
// Intermediate CA Certificate
JCqVJUzKoZHm1Lesh3Sz8W2jmdv51b2EQJ8HmA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TAN
// Root CA Certificate
BgkqhkiG9w0BAQsFADBhMrY=
-----END CERTIFICATE-----
  2. vault.crt (Domain Name Certificate)
-----BEGIN CERTIFICATE-----
MIIH7zCCBtegAwIBAgIQBWHPMHTwOKQ2CpeBxy
// Domain Name Certificate
RAGHDSz/iKsRIofmCMFiirdS1Q==
-----END CERTIFICATE-----

At this point, I believe the issue could be in the configuration of the data within the secrets. If anyone has any ideas or suggestions on how to address this problem, I would greatly appreciate it.

Thank you in advance for any help you can provide!

Best regards,
Jesus Contreras

Hello Jesus,

I think it stems from your certificates. Did you create the certificates by yourself, or did you create them with a Certificate Authority (CA)?

Best regards,
Lukas

Hello Lukas,

We’ve received the certificate from a CA. I obtained the root and intermediate certificates through the one they sent us.

The process I followed to extract the certificates once the PFX file was received:

For the main certificate:

openssl pkcs12 -in file.pfx -out certificate.crt -clcerts -nokeys

For the root and intermediate certificates:

openssl pkcs12 -in file.pfx -nodes -nokeys -cacerts -out cacertificate.pem

Thanks in advance for your help!

Where did you obtain your certificate?

Can you connect via the CLI using the TLS skip verify option? To do this, set the following environment variable:

export VAULT_SKIP_VERIFY=true

You might also consider trying a certificate from a different CA.

The certificate has been obtained through DigiCert Company.

If I set the specified variable, it works without any issues, but I would prefer not to skip the TLS verification.

It used to work fine before; the error has occurred after updating the certificate. I’ve conducted tests by setting up Vault from scratch and using other certificates, but it doesn’t recognize the CA in any of the trials. All company certificates are requested through DigiCert, so using a different CA is not an option.

Thank you!

I guess you updated your certificates due to a domain change. Did you follow the same procedure for creating these new certificates as you did with the previous ones? My last guess would be to check for the certificate chain order. Sometimes, if the certificates are not arranged correctly — typically with the server certificate first, followed by the intermediate and then the root certificate — it can lead to errors in verification. Ensuring the correct order might resolve the issue.

Yes, I have followed the same procedure throughout, but something has changed, and I can’t seem to pinpoint it.

Currently, the order of the certificate chain is as follows:

CA.crt

  1. Intermediate CA Certificate
  2. Root CA Certificate

Vault.crt

  1. Domain Certificate only.

Is this the correct order?

Thanks in advance.

The order seems correct to me. I’m not sure where else the error could be coming from.