Unsupported path error via CLI, UI works

I am running cert auth have it set up an functioning via the UI. Trying to work with it via the CLI and am running into errors

vault 1.6.2

I am running into path issues on the CLI but I can create certificate

The I enabled cert auth method on the gui at cert/certs/test0

so the CLI path should be auth/cert/certs/test0

but I am receiving the error below trying to create a cert object/item.

$ vault write auth/cert/certs/test0/test displayname=test1 policy=test certificate=@machine.pem
Error writing data to auth/cert/certs/test0/test: Error making API request.

URL: PUT https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/test
Code: 404. Errors:

* 1 error occurred:
	* unsupported path

an that is a zero in the path and not an captial O

Not sure if the path depth is supposed to work at all, seems the name of the certificate in the UI is test0/test, which fails as an API path.

See:

$ vault write auth/cert/certs/web \
    display_name=web \
    policies=web,prod \
    certificate=@web-cert.pem \
    ttl=3600

and the corresponding REST API method:

Method	Path
POST	/auth/cert/certs/:name
 curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --cacert vault-ca.pem \
    --data @payload.json
    https://127.0.0.1:8200/v1/auth/cert/certs/test-ca

I have just figured that out. There is no documentation explaining that.

The UI will allow you to create that path and you can use that path via the API but the CLI seems to limit it.

There seems to be a disconnect somewhere in what should be possible with paths with cert auth.

A flat structure doesn’t allow for any organization or RBAC based on that organization.

Seems limited.

Here is the example of the UI

So an auth path on a vault server which is cert/certs/test0 or cert/development

For the CLI translates to:

auth/cert/certs/test0/certs/
and
auth/cert/development/certs/

For the API to use said cert is:

CERT_PATH="/v1/auth/cert/certs/test0/login"
and
CERT_PATH="/v1/auth/cert/development/login"

So the CLI is expecting a “/certs/” at the end of the displayed vault server path for reasons I can’t find explained…