Cannot seem to find how to pass the client pub and pvt key; tried multiple parameters, i.e. cert_auth_public_key: & cert_auth_private_key: in PEM format, but nothing worked. The error I get:
(Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)'))). HTTPSConnectionPool(host='', port=8200): Max retries exceeded with url: /v1/secret=cred/data/test (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}
When the client-cert requirement in Vault's TLS config is turned off, it starts working.
Thanks Marknl for your reply. I tried the above already; it's still giving the error:
Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}.
The certs are valid; I've been using Vault TLS for quite some time. Connecting to the UI, curl, CLI, PowerShell invoke web and so on all work; I can't find the right parameters when using it with hashi.
Then in the X509v3 extensions part of the output, there should be a subsection called X509v3 Key Usage:, which should contain TLS Web Client Authentication. If not, it's not a client certificate and Vault won't accept it, and you should create one that does.
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 Basic Constraints: critical
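The check Marknl describes, scripted as an added example (it is not from this thread, from Vault, or from the community.hashi_vault plugin): it runs `openssl x509 -text` on a PEM file and reports whether the certificate is one a Vault listener with tls_require_and_verify_client_cert enabled can accept. It assumes the OpenSSL CLI is installed; the exit codes and the function name are my own convention.

```shell
#!/bin/sh
# check_client_cert FILE.pem
# Parses `openssl x509 -text` output for the extensions that matter for
# client-certificate (mTLS) use: Extended Key Usage must contain
# "TLS Web Client Authentication" and Key Usage, if present, must contain
# "Digital Signature". Returns 0 if the cert qualifies, 1 if it does not,
# 2 if the file cannot be parsed as a PEM certificate.
check_client_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "cannot parse $cert as a PEM certificate" >&2
        return 2
    }
    # Each extension prints its name on one line and its value, indented,
    # on the following line; pull the value lines out.
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}')
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}')
    echo "Subject:            $(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p')"
    echo "Extended Key Usage: ${eku:-<absent>}"
    echo "Key Usage:          ${ku:-<absent>}"
    rc=0
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: no clientAuth EKU; Vault will reject it as a client certificate" >&2
           rc=1 ;;
    esac
    if [ -n "$ku" ]; then
        case "$ku" in
            *"Digital Signature"*) ;;
            *) echo "FAIL: Key Usage lacks Digital Signature" >&2
               rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: usable against a listener with tls_require_and_verify_client_cert = true"
    fi
    return "$rc"
}
```

A server-only certificate (EKU serverAuth alone) fails the check with exit 1, which is the case that produces the "bad certificate" alert seen in this thread.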
Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.hashi_vault'. Error was a <class 'requests.exceptions.SSLError'>, original message:
HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: /v1/ (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)'))). HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}
Forgot to mention it here. The certs are valid, because they are used to access the UI, curl, powershell invoke and so on.
If I set tls_require_and_verify_client_cert = "false" in Vault, I just present this: validate_certs=True cacert=/etc/ansible/ca.pem. There is no need for the other parameters, and it works without any issue.
I think the issue is with the hashi plugin; I already asked 5 days ago, and there's no answer so far that corrects the above.