Using ACM with Vault TLS

Curious if anyone has succeeded in getting HA Vault Server backed by Consul using AWS Certificate Manager.

The issue I am running into is that you cannot download an ACM certificate’s keys, and if you enable TLS in the vault server config it requires that the certs and keys be on the host in this config block:

# /etc/vault/server.hcl
...
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/etc/ssl/certs/${fqdn}.crt"
  tls_key_file  = "/etc/ssl/certs/${fqdn}.key"
}
...

We would like to use ACM to generate the cert for the HTTPS load balancer that we are putting in front of our vault servers, but it seems that vault requires that the load balancer certificate be the same cert that is loaded on the host, which we cannot do with ACM.

Has anyone worked this out? We would much prefer not to use a self-signed cert for HTTPS and have to install that on everyone’s laptops.

Thanks!

If you are using an ALB in front of Vault it can be configured to use an ACM certificate. The connection between the ALB and Vault can then be protected using whatever TLS certificate you like (e.g. self-signed) as the ALB doesn’t check the backend certificate chain.

If you are talking about using an NLB in front of Vault you would need to use a different certificate, as ACM cannot be used outside of a limited number of AWS resources (which doesn’t include downloading certificates to EC2, ECS or EKS instances).
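The ALB setup described in the answer above, as an added example that is not from the original thread: the public listener terminates TLS with the ACM certificate (whose private key never leaves ACM), while the target group talks HTTPS to Vault on 8200 using a self-signed cert on the host. The variable names (`var.vpc_id`, `var.subnet_ids`, `var.sg_id`, `var.vault_instance_ids`, `var.acm_certificate_arn`) and the internal cert paths are assumptions.

```hcl
# --- Terraform: ALB fronting Vault (example, names are hypothetical) ---
resource "aws_lb" "vault" {
  name               = "vault"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
  security_groups    = [var.sg_id]
}

# Backend target group speaks HTTPS to Vault on 8200. The ALB does not validate
# the backend certificate chain, so Vault's listener cert can be self-signed.
resource "aws_lb_target_group" "vault" {
  name     = "vault"
  port     = 8200
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/v1/sys/health"
    # 200 = active, 429 = standby, 472/473 = DR / perf standby; sealed (503) fails
    matcher  = "200,429,472,473"
  }
}

resource "aws_lb_target_group_attachment" "vault" {
  for_each         = toset(var.vault_instance_ids)
  target_group_arn = aws_lb_target_group.vault.arn
  target_id        = each.value
  port             = 8200
}

# Public listener: TLS terminated with the ACM certificate, modern-only cipher policy.
resource "aws_lb_listener" "vault_https" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault.arn
  }
}

# --- Vault: /etc/vault/server.hcl listener on the host (self-signed, internal only) ---
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/etc/ssl/certs/vault-internal.crt"
  tls_key_file  = "/etc/ssl/certs/vault-internal.key"
}
```

Clients only ever see the ACM-issued certificate on port 443, so nothing has to be installed on laptops; the self-signed cert is confined to the ALB-to-Vault hop inside the VPC.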

Thanks! This is an inherited module and it is still using a classic ELB. I’ll try switching over to an ALB and see if we can get it functional. Thanks for your help!