TLS error in plugin registration

I get the following error when enabling a plugin. I appreciate help:

plugin tls init: error="error during token unwrap request: Put x509: certificate is valid for, not" timestamp=2022-09-23T11:53:44.843Z

  config: |
    plugin_directory = "/usr/local/libexec/vault"
    ui = true
    listener "tcp" {
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      tls_disable = false
      tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
      tls_key_file  = "/vault/userconfig/vault-server-tls/tls.key"
    }
    # Advertise the non-loopback interface
    api_addr = "[::]:8200"
    cluster_addr = "[::]:8201"
    storage "file" {
      path = "/vault/data"
    }

This is indeed a fairly complex one to understand, unless you’ve read a couple of specific areas in the Vault source code!

Somewhat surprisingly, when Vault starts up a plugin, the initial negotiation of the communications channel between Vault and the plugin requires the plugin to make an HTTP request to the api_addr of the Vault server!

This is what is failing here.

You have set the api_addr in the configuration to the all-zeros address. Vault has responded to this by updating it to a specific IP address for the host, since the all-zeros address cannot be directly connected to.

The TLS certificate you are using does not contain an IP address Subject Alternative Name for this IP address, so when the plugin comes to attempt to make this request, the TLS negotiation fails.

To remedy this, you could:

  1. Arrange for your TLS certificate to contain an appropriate IP SAN.
  2. Change your api_addr to include a hostname, and include that hostname in your TLS certificate.
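A quick way to check a certificate against the two remedies above before reinstalling the plugin, as an added example that is not part of the original thread and not Vault's own code: it builds a throwaway self-signed server certificate with chosen DNS and IP SANs (standing in for tls.crt), works out which host a plugin would dial for a given api_addr, and asks Go's crypto/x509 whether the certificate covers that host. The substitution of an unspecified address ([::] or 0.0.0.0) by a concrete host IP is a simulation of the behaviour described above, not Vault's logic, and the host IP 10.244.1.7 and the name vault.example.internal are constructed placeholders; substitute your node's address and your real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway server certificate carrying the given
// DNS and IP SANs. It stands in for the tls.crt the listener is configured with.
func selfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// effectiveAPIHost returns the host a plugin would dial for apiAddr.
// An unspecified address ([::] or 0.0.0.0) cannot be connected to, so it is
// replaced by hostIP. This mimics the substitution described in the thread;
// it is an assumption for illustration, not Vault's own code.
func effectiveAPIHost(apiAddr string, hostIP net.IP) (string, error) {
	if !strings.Contains(apiAddr, "://") {
		apiAddr = "https://" + apiAddr // tolerate a bare host:port as in the question
	}
	u, err := url.Parse(apiAddr)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); ip != nil && ip.IsUnspecified() {
		return hostIP.String(), nil
	}
	return host, nil
}

// checkSAN reports whether cert would be accepted for a TLS connection to the
// host a plugin dials for apiAddr, i.e. whether a SAN entry covers that host.
// An IP host must appear as an IP SAN; a DNS host must appear as a DNS SAN.
func checkSAN(cert *x509.Certificate, apiAddr string, hostIP net.IP) error {
	host, err := effectiveAPIHost(apiAddr, hostIP)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	hostIP := net.ParseIP("10.244.1.7") // constructed: the node IP Vault substitutes for [::]

	// Remedy 2 only half-done: the cert names the host, but api_addr is still all-zeros.
	dnsOnly, err := selfSignedCert([]string{"vault.example.internal"}, nil)
	if err != nil {
		panic(err)
	}
	for _, addr := range []string{"https://[::]:8200", "https://vault.example.internal:8200"} {
		if err := checkSAN(dnsOnly, addr, hostIP); err != nil {
			fmt.Printf("%-40s FAIL: %v\n", addr, err)
		} else {
			fmt.Printf("%-40s ok\n", addr)
		}
	}

	// Remedy 1: add the node IP as an IP SAN and the all-zeros api_addr works.
	withIP, err := selfSignedCert([]string{"vault.example.internal"}, []net.IP{hostIP})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-40s err=%v\n", "https://[::]:8200 (with IP SAN)", checkSAN(withIP, "https://[::]:8200", hostIP))
}
```

The failure branch prints the same family of message as the one in the question ("x509: certificate is valid for ..., not ..."), with the SAN list and the dialled host filled in, which makes it obvious whether you need an IP SAN (remedy 1) or a matching DNS SAN plus a hostname in api_addr (remedy 2).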