Vault curl tls connection required

ad-software · May 22, 2020, 8:54am

Hello,
I have configured nginx for the port forwarding to 443.

nginx:
location / {
proxy_pass http://127.0.0.1:8200/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

/etc/vault/hostname.hcl
listener “tcp” {
address = “0.0.0.0:8200”
cluster_address = “10.13.2.6:8201”
tls_disable = “true”
}

The web gui works fine and also something like this
/usr/local/bin/vault status -address=https://demucvm1-vault-test1.interhyp-infralinuxdmz.de

But I want to test to get read secrets via certificate authentication.

curl --request POST -v --cert /etc/puppetlabs/puppet/ssl/certs/demucvm1-vault-test1.interhyp-infralinuxdmz.de.pem --key /etc/puppetlabs/puppet/ssl/private_keys/demucvm1-vault-test1.interhyp-infralinuxdmz.de.pem https://demucvm1-vault-test1.interhyp-infralinuxdmz.de:443/v1/auth/cert/login

About to connect() to demucvm1-vault-test1.interhyp-infralinuxdmz.de port 443 (#0)
Trying 10.13.2.6…
Connected to demucvm1-vault-test1.interhyp-infralinuxdmz.de (10.13.2.6) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:

  subject: O=Interhyp AG,L=Muenchen,ST=Bayern,C=DE

```
  start date: Apr 06 06:57:04 2020 GMT
```

  expire date: Apr 05 06:57:04 2025 GMT

```
  common name: (nil)
```

  issuer: CN=InterhypIssuingCA1,DC=interhyp-intern,DC=de

POST /v1/auth/cert/login HTTP/1.1
User-Agent: curl/7.29.0
Host: demucvm1-vault-test1.interhyp-infralinuxdmz.de
Accept: /

< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Fri, 22 May 2020 08:40:56 GMT
< Content-Type: application/json
< Content-Length: 39
< Connection: keep-alive
< Cache-Control: no-store
<
{“errors”:[“tls connection required”]}

Connection #0 to host demucvm1-vault-test1.interhyp-infralinuxdmz.de left intact

vault read auth/cert/certs/puppetserver -address=https://demucvm1-vault-test1.interhyp-infralinuxdmz.de
…
-----END CERTIFICATE-----
display_name puppet
required_extensions
token_bound_cidrs
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [system_kv]
token_ttl 1h
token_type default

Can somebody please help me?

Andreas

Topic		Replies	Views
How do I connect to Vault in Docker running with -dev-tls? Vault	2	643	June 14, 2023
Vault Ingress sends HTTP request to HTTPS server Vault k8s	1	2981	August 7, 2022
Vault fails to unseal with Ngnix as reverse proxy Vault nginx	3	2609	April 20, 2021
Questions about installing Vault Vault	2	505	July 25, 2022
Vault UI access from a bastion host Vault	9	1850	February 27, 2021

Vault curl tls connection required

Related topics