I am running cert auth and have it set up and functioning via the UI. Trying to work with it via the CLI, I am running into errors.
vault 1.6.2
I am running into path issues on the CLI, but I can create a certificate.
Then I enabled the cert auth method in the GUI at cert/certs/test0,
so the CLI path should be auth/cert/certs/test0,
but I am receiving the error below when trying to create a cert object/item.
$ vault write auth/cert/certs/test0/test displayname=test1 policy=test certificate=@machine.pem
Error writing data to auth/cert/certs/test0/test: Error making API request.
URL: PUT https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/test
Code: 404. Errors:
* 1 error occurred:
* unsupported path
And that is a zero in the path, not a capital O.
Not sure if the path depth is supposed to work at all; it seems the name of the certificate in the UI is test0/test, which fails as an API path.
See:
$ vault write auth/cert/certs/web \
display_name=web \
policies=web,prod \
certificate=@web-cert.pem \
ttl=3600
and the corresponding REST API method:
Method  Path
POST    /auth/cert/certs/:name
curl \
--header "X-Vault-Token: ..." \
--request POST \
--cacert vault-ca.pem \
--data @payload.json \
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
I have just figured that out. There is no documentation explaining that.
The UI will allow you to create that path, and you can use that path via the API, but the CLI seems to limit it.
There seems to be a disconnect somewhere in what should be possible with paths with cert auth.
A flat structure doesn’t allow for any organization or RBAC based on that organization.
Seems limited.
Here is an example from the UI.
So an auth path on a Vault server which is cert/certs/test0 or cert/development
for the CLI translates to:
auth/cert/certs/test0/certs/
and
auth/cert/development/certs/
and for the API, the path to use said cert is:
CERT_PATH="/v1/auth/cert/certs/test0/login"
and
CERT_PATH="/v1/auth/cert/development/login"
So the CLI is expecting a “/certs/” at the end of the displayed vault server path for reasons I can’t find explained…
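As an added example, not code from the original thread or from HashiCorp's own tooling: a small POSIX shell script that derives the CLI role path and the API login path for a cert auth method mounted at any path, including a nested one such as cert/certs/test0, and prints the matching vault and curl commands. The mount paths, role names, policy list and PEM file names (machine.pem, client.pem, client-key.pem) are assumptions chosen for illustration; the vault and curl invocations use only real flags, and the script prints the commands rather than running them so it works without a Vault server.

```shell
#!/bin/sh
# Added example, not code from the original thread or from HashiCorp.
# It derives the CLI write path and the API login path for a cert auth
# method mounted at any path (including a nested one like cert/certs/test0)
# and prints the matching vault/curl commands. Mount paths, role names,
# policies and file names below are assumptions chosen for illustration.

# Normalize the mount path as the UI displays it: drop an "auth/" prefix
# and a trailing "/", so "auth/cert/development/" -> "cert/development".
normalize_mount() {
  m="${1#auth/}"
  m="${m%/}"
  printf '%s' "$m"
}

# Path used to create or read a cert role. The "certs/" segment belongs to
# the auth method's own API, so it always follows the mount path.
cert_role_path() {
  printf 'auth/%s/certs/%s' "$(normalize_mount "$1")" "$2"
}

# Path used to log in through that mount (method API, so again after the mount).
cert_login_path() {
  printf '/v1/auth/%s/login' "$(normalize_mount "$1")"
}

# Print the commands for one mount/role pair instead of running them, so the
# script works without a Vault server. Arguments: mount path, role name,
# PEM file with the client certificate to trust, comma-separated policies.
show_commands() {
  mount=$(normalize_mount "$1"); role=$2; pem=$3; policies=$4
  cat <<EOF
# enable the cert method at the (possibly nested) path the UI shows
vault auth enable -path="$mount" cert
# create the role: note the certs/ segment after the mount path
vault write "$(cert_role_path "$mount" "$role")" \\
  display_name="$role" policies="$policies" certificate=@"$pem"
# log in via the CLI (the -path flag names the mount, not the role) ...
vault login -method=cert -path="$mount" name="$role"
# ... or via the API: the mount path goes between auth/ and login
# (client.pem / client-key.pem are assumed client credentials)
curl --cert client.pem --key client-key.pem --request POST \\
  --data '{"name":"$role"}' "\${VAULT_ADDR}$(cert_login_path "$mount")"
EOF
}

# The two layouts from the thread: a nested mount and a flat one.
show_commands cert/certs/test0 test machine.pem test
show_commands cert/development web web-cert.pem web,prod
```

For the nested mount this prints `vault write auth/cert/certs/test0/certs/test ...` and a login URL ending in `/v1/auth/cert/certs/test0/login`, which is the pairing the posts above arrive at by hand.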