Vault cert auth

Hi,

We have configured our Vault server with a TLS listener and enabled cert auth for clients. When clients try to log in, they get “client certificate must be supplied”:

~# vault login -method=cert -client-cert=client1-cert-certificate.pem -client-key=client1-cert-private-key.pem
Error authenticating: Error making API request.

URL: PUT https://vault:8200/v1/auth/cert/login
Code: 400. Errors:

* client certificate must be supplied

Below is the vault configuration

listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/ssl/vault_chained.crt"
  tls_key_file    = "/etc/vault.d/ssl/vault.key"
  tls_min_version = "tls12"
}


storage "dynamodb" {
  ha_enabled = "true"
  region     = "xxxx"
  table      = "xxxxx"
}

seal "awskms" {
  region     = "xxxxx"
  kms_key_id = "xxxxxx"
}

telemetry {
  dogstatsd_addr = "127.0.0.1:8125"
}

cluster_name = "qa1"
api_addr = "https://vault:8200"

Vault version in the environment

# vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.9.2
Storage Type             dynamodb
Cluster Name             qa1
Cluster ID               xxxxxx
HA Enabled               true
HA Cluster               https://vault:8201
HA Mode                  active
Active Since             2022-04-01T18:39:57.749594878Z

In what scenario can a client get this error?

Regards,
Aravind M D

I don’t have this setup, but I think you have to provide the role name when logging in (-name=), even if you only have one. Also note that -ca-cert may be required, as that’s the TLS listener CA cert and not the CA that issued the certificate.

NOTE The -ca-cert value used here is for the Vault TLS Listener CA certificate, not the CA that issued the client authentication certificate. This can be omitted if the CA used to issue the Vault server certificate is trusted by the local system executing this command.

The top Google search result for this message is Can't authenticate with Certificate method - client certificate must be supplied which looks relevant.

Thanks @maxb and @aram. The issue seems to be related to the usage of an ALB in front of the Vault cluster, which prevents the client certificates from reaching the backend.

Ah okay, you’re terminating the SSL, which is against best practice for Vault. You should pass the SSL from the ALB through to Vault. That’ll fix your issue as well as allow you to see the actual client IPs in your audit log, which is invaluable for debugging and issue tracking.