Vault CLI TLS x509 IP SAN errors

I have configured Vault using the following HTTPS listener:

# HTTPS listener
listener "tcp" {
  address       = "192.168.1.xxx:8200"
  tls_cert_file = "/path/tls/tls.crt"
  tls_key_file  = "/path/tls/tls.key"
}

api_addr = "https://192.168.1.xxx:8200"
cluster_addr = "https://192.168.1.xxx:8201"

The UI at that address works properly, however after setting the env:
export VAULT_ADDR="https://192.168.1.xxx:8200"

And attempting to log in: vault login <token>

I get the following error:
Error authenticating: error looking up token: Get "https://192.168.1.xxx:8200/v1/auth/token/lookup-self": x509: cannot validate certificate for 192.168.1.xxx because it doesn't contain any IP SANs

I assume this error is for the cert in tls/tls.crt created automatically when Vault was installed. I tried generating a new cert for it via the Vault PKI engine, giving it the IP SAN for the server it's running on; however, in that case I get a self-signed certificate error.

How do I resolve this issue?


Looking into this a bit more, I am assuming everything is working as designed.
I need to replace the vault certificate with one generated with the correct IP SAN, and then accommodate the self-signed error by trusting the cert in the OS or obtaining a verified one.

This was pretty helpful https://github.com/hashicorp/vault/issues/438
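The two errors in this thread come from the same validation steps that the Vault CLI's Go TLS client performs, so the following added example (not from the thread or from Vault itself) reproduces them with Go's standard crypto/x509: a self-signed cert without an IP SAN fails the hostname match even when trusted, a cert with the IP SAN fails chain building until it is trusted, and only the combination of both verifies. The IP 192.168.1.10 is a constructed stand-in for the redacted address above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const listenerIP = "192.168.1.10" // stands in for the post's 192.168.1.xxx (constructed)
// selfSigned issues a short-lived self-signed server cert; withIPSAN decides whether
// the listener IP is placed in the Subject Alternative Name (SAN) extension.
func selfSigned(ip string, withIPSAN bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG is unavailable
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vault"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, IsCA: true,
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)} // a CN alone is ignored by Go clients
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientCheck mirrors the Go TLS client inside the Vault CLI: build a chain to the
// trusted roots first, then match the dialed host against the certificate's SANs.
func clientCheck(cert *x509.Certificate, host string, trust bool) string {
	roots := x509.NewCertPool()
	if trust {
		roots.AddCert(cert) // same effect as importing the cert into the OS trust store
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // "...doesn't contain any IP SANs"
		return "no IP SAN"
	case x509.UnknownAuthorityError: // "...certificate signed by unknown authority"
		return "untrusted"
	}
	return "other: " + err.Error()
}
```

Running clientCheck over the three combinations gives "no IP SAN" (trusted cert, no SAN), "untrusted" (SAN present, not trusted) and "ok" (SAN present and trusted), which is the order in which the thread hit them.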