Hello to all.
I want to enable tls_require_and_verify_client_cert = true, but I see errors in the pod's log:
http: TLS handshake error from 127.0.0.1:45000: tls: client didn't provide a certificate, and after I unseal Vault the pods do not become active.
Vault was previously configured without TLS enabled.
Environment:
Vault Server Version:
Vault 1.7.3
Storage type: Raft
HA Enabled: true
Vault CLI Version:
Vault v1.7.3 ([5d517c8](https://github.com/hashicorp/vault/commit/5d517c864c8f10385bf65627891bc7ef55f5e827))
Server Operating System / Architecture:
Openshift 4.6
Vault was installed with Helm.
extraconfig-from-values.hcl
disable_mlock = true
ui = true
listener "tcp" {
# TLS stays enabled on the API listener (0 = not disabled).
tls_disable = 0
address = "[::]:8200"
cluster_address = "[::]:8201"
# CA bundle used to verify the certificate a client presents to this listener.
tls_client_ca_file = "/vault/certs/server.ca.pem"
# Same cert/key pair is reused as the client identity in the raft retry_join stanzas below.
tls_cert_file = "/vault/certs/vault.crt"
tls_key_file = "/vault/certs/vault.key"
# Every connection to this listener must present a certificate chaining to the CA above.
# The log in this report shows connections from 127.0.0.1 being rejected with
# "client didn't provide a certificate". NOTE(review): presumably these are the pod's own
# local health probe / status calls — confirm they are given a client certificate before
# relying on this setting, or the pods will not report ready.
tls_require_and_verify_client_cert = true
}
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "https://vault-0.vault-internal:8200"
leader_ca_cert_file = "/vault/certs/server.ca.pem"
leader_client_cert_file = "/vault/certs/vault.crt"
leader_client_key_file = "/vault/certs/vault.key"
}
retry_join {
leader_api_addr = "https://vault-1.vault-internal:8200"
leader_ca_cert_file = "/vault/certs/server.ca.pem"
leader_client_cert_file = "/vault/certs/vault.crt"
leader_client_key_file = "/vault/certs/vault.key"
}
retry_join {
leader_api_addr = "https://vault-2.vault-internal:8200"
leader_ca_cert_file = "/vault/certs/server.ca.pem"
leader_client_cert_file = "/vault/certs/vault.crt"
leader_client_key_file = "/vault/certs/vault.key"
}
retry_join {
leader_api_addr = "https://vault-3.vault-internal:8200"
leader_ca_cert_file = "/vault/certs/server.ca.pem"
leader_client_cert_file = "/vault/certs/vault.crt"
leader_client_key_file = "/vault/certs/vault.key"
}
retry_join {
leader_api_addr = "https://vault-4.vault-internal:8200"
leader_ca_cert_file = "/vault/certs/server.ca.pem"
leader_client_cert_file = "/vault/certs/vault.crt"
leader_client_key_file = "/vault/certs/vault.key"
}
}
service_registration "kubernetes" {}
Certificate request (OpenSSL req) config:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
# NOTE(review): this section is empty, so no subject fields are prompted for here —
# presumably the subject is supplied on the command line; confirm.
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# clientAuth is required because the same vault.crt is reused as the client certificate
# in the raft retry_join stanzas and must satisfy tls_require_and_verify_client_cert;
# serverAuth covers the API and cluster listeners.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.hashicorp
DNS.3 = vault.hashicorp.svc
DNS.4 = vault.hashicorp.svc.cluster.local
# Per-pod names used as leader_api_addr in the retry_join stanzas.
DNS.5 = vault-0.vault-internal
DNS.6 = vault-1.vault-internal
DNS.7 = vault-2.vault-internal
DNS.8 = vault-3.vault-internal
DNS.9 = vault-4.vault-internal
DNS.10 = vault-5.vault-internal
DNS.11 = vault-6.vault-internal
DNS.12 = vault-0.vault-internal.svc
DNS.13 = vault-1.vault-internal.svc
DNS.14 = vault-2.vault-internal.svc
DNS.15 = vault-3.vault-internal.svc
DNS.16 = vault-4.vault-internal.svc
DNS.17 = vault-5.vault-internal.svc
DNS.18 = vault-6.vault-internal.svc
DNS.19 = vault-0.vault-internal.svc.cluster.local
DNS.20 = vault-1.vault-internal.svc.cluster.local
DNS.21 = vault-2.vault-internal.svc.cluster.local
DNS.22 = vault-3.vault-internal.svc.cluster.local
DNS.23 = vault-4.vault-internal.svc.cluster.local
DNS.24 = vault-5.vault-internal.svc.cluster.local
DNS.25 = vault-6.vault-internal.svc.cluster.local
DNS.26 = vault-0
DNS.27 = vault-1
DNS.28 = vault-2
DNS.29 = vault-3
DNS.30 = vault-4
DNS.31 = vault-5
DNS.32 = vault-6
DNS.33 = vault-agent-injector-svc
DNS.34 = vault-agent-injector-svc.hashicorp
DNS.35 = vault-agent-injector-svc.hashicorp.svc
DNS.36 = vault-agent-injector-svc.hashicorp.svc.cluster.local
# Loopback is covered, so the 127.0.0.1 handshake failures in the log are about the
# missing client certificate, not a hostname mismatch.
IP.1 = 127.0.0.1
After I unseal Vault, I see these errors:
2021-10-11T05:51:36.483Z [INFO] http: TLS handshake error from 127.0.0.1:57490: tls: client didn't provide a certificate
2021-10-11T05:51:36.544Z [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=["req_fw_sb-act_v1"]
2021-10-11T05:51:37.547Z [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=["req_fw_sb-act_v1"]
2021-10-11T05:51:39.123Z [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=["req_fw_sb-act_v1"]
2021-10-11T05:51:41.514Z [INFO] http: TLS handshake error from 127.0.0.1:57592: tls: client didn't provide a certificate
2021-10-11T05:51:41.810Z [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=["req_fw_sb-act_v1"]
2021-10-11T05:51:46.498Z [INFO] http: TLS handshake error from 127.0.0.1:57700: tls: client didn't provide a certificate