Using acme.sh with HCV: permission denied

Moin,

I followed the instructions “Enable ACME with PKI secrets engine” [1] in my own namespace myns.
Vault version is 1.15 enterprise.

Everything seems to be okay:

Key                        Value
---                        -----
allow_role_ext_key_usage   false
allowed_issuers            []
allowed_roles              []
default_directory_policy   sign-verbatim
dns_resolver               n/a
eab_policy                 not-required
enabled                    true

Now I want to test my new setup using acme.sh - but I am lost, because acme.sh won’t proceed:

/usr/local/bin/acme.sh --insecure --issue --standalone -d webserver999.example.org --server https://hcv620.example.org:8200/v1/myns/pki_int/acme/directory

[Wed Jul 10 17:40:10 CEST 2024] Using CA: https://hcv620.example.org:8200/v1/myns/pki_int/acme/directory
[Wed Jul 10 17:40:10 CEST 2024] Standalone mode.
[Wed Jul 10 17:40:10 CEST 2024] Registering account: https://hcv620.example.org:8200/v1/myns/pki_int/acme/directory
[Wed Jul 10 17:40:11 CEST 2024] Could not get nonce, let’s try again.
[Wed Jul 10 17:40:14 CEST 2024] Could not get nonce, let’s try again.

{"time":"2024-07-10T15:40:10.820269837Z","type":"response","auth":{"token_type":"default"},"request":{"id":"efeb8581-8fd5-c2e0-dbb2-9909829cb2c6","operation":"header","namespace":{"id":"root"},"path":"pki_int/acme/new-nonce","remote_address":"10.40.109.13","remote_port":22307},"response":{"data":{"error":"hmac-sha256:d3fd1c883969c0c53f34edaa37a6cd4bb7ba9cf3f78f16149c835e5deaf1d829"}},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-07-10T15:40:10.991367615Z","type":"request","auth":{"policy_results":{"allowed":true},"token_type":"default"},"request":{"id":"cd4d2b6a-51da-b78c-bd65-8433cf23c934","operation":"header","mount_point":"myns/pki_int/","mount_type":"pki","mount_running_version":"v1.15.2+builtin.vault","mount_class":"secret","namespace":{"id":"kgIuR","path":"myns/"},"path":"pki_int/acme/directory","remote_address":"10.40.109.32","remote_port":49688}}
{"time":"2024-07-10T15:40:10.991540925Z","type":"response","auth":{"policy_results":{"allowed":true},"token_type":"default"},"request":{"id":"cd4d2b6a-51da-b78c-bd65-8433cf23c934","operation":"header","mount_point":"myns/pki_int/","mount_type":"pki","mount_accessor":"pki_85f94f04","mount_running_version":"v1.15.2+builtin.vault","mount_class":"secret","namespace":{"id":"kgIuR","path":"myns/"},"path":"pki_int/acme/directory","remote_address":"10.40.109.32","remote_port":49688},"response":{"mount_point":"myns/pki_int/","mount_type":"pki","mount_accessor":"pki_85f94f04","mount_running_plugin_version":"v1.15.2+builtin.vault","mount_class":"secret"},"error":"unsupported operation"}
{"time":"2024-07-10T15:40:11.166788055Z","type":"request","auth":{"token_type":"default"},"request":{"id":"ee64e046-fd7d-0fdd-6f54-fa51cb14df3a","operation":"header","namespace":{"id":"root"},"path":"pki_int/acme/new-nonce","remote_address":"10.40.109.13","remote_port":39589},"error":"permission denied"}
{"time":"2024-07-10T15:40:11.166949431Z","type":"response","auth":{"token_type":"default"},"request":{"id":"ee64e046-fd7d-0fdd-6f54-fa51cb14df3a","operation":"header","namespace":{"id":"root"},"path":"pki_int/acme/new-nonce","remote_address":"10.40.109.13","remote_port":39589},"response":{"data":{"error":"hmac-sha256:d3fd1c883969c0c53f34edaa37a6cd4bb7ba9cf3f78f16149c835e5deaf1d829"}},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-07-10T15:40:14.352772316Z","type":"request","auth":{"token_type":"default"},"request":{"id":"4c968e94-7764-601a-4db2-919be9da5d8a","operation":"header","namespace":{"id":"root"},"path":"pki_int/acme/new-nonce","remote_address":"10.40.109.13","remote_port":41326},"error":"permission denied"}

In the logfile I see:

{"time":"2024-07-10T15:24:33.530820696Z","type":"response","auth":{"token_type":"default"},"request":{"id":"87be1d61-f84f-cd01-cf1b-6b395f1916ad","operation":"read","namespace":{"id":"root"},"path":"pki_int/acme/directory","remote_address":"10.40.109.32","remote_port":49416},"response":{"data":{"error":"hmac-sha256:d3fd1c883969c0c53f34edaa37a6cd4bb7ba9cf3f78f16149c835e5deaf1d829"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

Any hint? I guess I did something wrong with the namespace? Just putting the namespace in the URL (https://hcv620.example.org:8200/v1/**myns**/pki_int/acme/directory) wasn’t as clever as I thought?

Any hint?

[1] https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-acme-caddy
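Added diagnostic, not part of the thread above and not acme.sh or Vault code: the audit lines show the directory request resolved inside namespace myns but every new-nonce request resolved in namespace root, so one thing worth checking is whether the URLs in the directory document that Vault hands back still carry the /v1/myns/ path segment (an ACME client follows those URLs, not the one you typed). The hostname, namespace and the sample directory are assumptions constructed for the example.

```python
"""Check whether a Vault ACME directory keeps its resource URLs inside the expected namespace."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# RFC 8555 directory resources a client such as acme.sh follows after the first request.
ACME_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Constructed sample (not real Vault output): newNonce has lost the "myns/" segment.
SAMPLE_DIRECTORY = {
    "newNonce": "https://hcv620.example.org:8200/v1/pki_int/acme/new-nonce",
    "newAccount": "https://hcv620.example.org:8200/v1/myns/pki_int/acme/new-account",
    "newOrder": "https://hcv620.example.org:8200/v1/myns/pki_int/acme/new-order",
    "revokeCert": "https://hcv620.example.org:8200/v1/myns/pki_int/acme/revoke-cert",
    "keyChange": "https://hcv620.example.org:8200/v1/myns/pki_int/acme/key-change",
}


def namespace_problems(directory: dict, namespace: str) -> list[str]:
    """Return one message per resource whose URL path does not start with /v1/<namespace>/.

    A URL without the namespace segment is resolved by Vault in the root namespace,
    which is where the audit log shows the new-nonce requests landing.
    """
    prefix = f"/v1/{namespace.strip('/')}/"
    problems = []
    for name in ACME_RESOURCES:
        url = directory.get(name)
        if not isinstance(url, str):
            problems.append(f"{name}: missing from directory")
            continue
        path = urlparse(url).path
        if not path.startswith(prefix):
            problems.append(f"{name}: {path} is outside {prefix}")
    return problems


def check_directory_url(directory_url: str, namespace: str) -> list[str]:
    """Fetch a live directory (system trust store, no --insecure) and check it."""
    with urllib.request.urlopen(directory_url, timeout=10) as resp:
        return namespace_problems(json.load(resp), namespace)


if __name__ == "__main__":
    # Usage: python check_acme_ns.py <directory-url> <namespace>; no args runs on the sample.
    if len(sys.argv) == 3:
        found = check_directory_url(sys.argv[1], sys.argv[2])
    else:
        found = namespace_problems(SAMPLE_DIRECTORY, "myns")
    print("\n".join(found) or "all directory URLs stay inside the namespace")
```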

Just to confirm:

You are referring to acme.sh (GitHub: acmesh-official/acme.sh, “A pure Unix shell script implementing ACME client protocol”)?

If yes, is the terminal session you are working in authenticated to Vault? For example, have you set VAULT_ADDR, VAULT_NAMESPACE=myns, and VAULT_TOKEN such that you can interact with Vault using the CLI?