Vault hashi_vault ansible

Hi,

When setting tls_require_and_verify_client_cert to true in Vault, I just can't seem to connect to Vault using:

"{{ lookup('community.hashi_vault.hashi_vault', 'secret=cred/data/test:test url={{ vault_url }} token={{vault_token}} validate_certs=True cacert=/etc/ansible/ca.pem' )}}"

I cannot seem to find how to pass the client public and private key; I tried multiple parameters, i.e. cert_auth_public_key and cert_auth_private_key, in PEM format, but nothing worked. The error I get:

(Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)'))). HTTPSConnectionPool(host='', port=8200): Max retries exceeded with url: /v1/secret=cred/data/test (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}

When the require option is turned off in the Vault TLS config, it starts working.

Something like this should work:

"{{ lookup('community.hashi_vault.hashi_vault', 'secret=cred/data/test:test url={{ vault_url }} token={{vault_token}} validate_certs=True cacert=/etc/ansible/ca.pem cert_auth_private_key=/etc/ansible/cert.key cert_auth_public_key=/etc/ansible/cert.crt' )}}"

Double check that the certificate and key you provide are correct.

You can validate them with openssl:

openssl x509 -noout -text -in /etc/ansible/cert.crt
openssl rsa -noout -text -in /etc/ansible/cert.key

Also check if they belong to each other with:

openssl x509 -noout -modulus -in /etc/ansible/cert.crt | openssl md5
openssl rsa -noout -modulus -in /etc/ansible/cert.key | openssl md5

The output should be the same md5 hash.

If you enable tls_require_and_verify_client_cert, make sure the certificate validates against a CA on your system, else Vault will not accept your certificate. See: TCP - Listeners - Configuration | Vault | HashiCorp Developer

Thanks Marknl for your reply. I tried the above already; it is still giving the error:

Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}.

The certs are valid; I've been using Vault TLS for quite some time. Connecting to the UI, curl, the CLI, PowerShell Invoke-WebRequest and so on all works. I can't find the right parameters when using it with hashi_vault.

Is the certificate you use a “client” certificate?

openssl x509 -noout -text -in /etc/ansible/cert.crt

Then, in the X509v3 extensions part of the output, there should be a subsection called X509v3 Key Usage:; this should contain TLS Web Client Authentication. If not, it's not a client certificate, Vault won't accept it, and you should create one that has it.

Not working:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical

Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.hashi_vault'. Error was a <class 'requests.exceptions.SSLError'>, original message: 
HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: /v1/ (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)'))). HTTPSConnectionPool(host='vault', port=8200): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2635)')))"}

You should test the connection using the exact same client certificate and key files, with your choice of client programs such as:

  • curl
  • wget
  • openssl s_client

or several of these, in order to gather additional information, and report what you tried and the results.

In particular, using openssl s_client can surface lots of interesting details about the SSL handshake.
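The following is an added example, not code from the thread or from the community.hashi_vault collection. It puts the checks from the replies above (key/cert match, clientAuth in the Extended Key Usage, chain to the CA) and the "test the handshake with the same files" advice into one runnable script: a local TLS server that, like a Vault listener with tls_require_and_verify_client_cert = true, demands a client certificate signed by a trusted CA, and a client that connects with no cert, with the right cert, with a serverAuth-only cert, and with a client cert from a second CA. It builds its own throwaway PKI with the openssl binary (which must be on PATH); every file name, CN, the "other-ca" and the greeting string are made-up assumptions, and nothing here claims how the hashi_vault lookup maps its own options onto this handshake.

```python
"""Added example: reproduce the listener's client-cert check in isolation.
Not from the thread or the community.hashi_vault collection; all names below
are invented and the PKI is generated on the fly with the openssl CLI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal req config so openssl needs no system openssl.cnf; ca_ext marks the CA.
REQ_CNF = ("[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n"
           "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")


def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_test_pki(d):
    """Throwaway PKI (constructed here): trusted CA, a real client cert, a cert with
    only serverAuth, and a client cert from a second CA the server does not trust."""
    cnf = os.path.join(d, "req.cnf")
    with open(cnf, "w") as f:
        f.write(REQ_CNF)

    def ca(name):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN={name}", "-config", cnf, "-extensions", "ca_ext",
                 "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.pem")

    def leaf(name, issuer, eku):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}",
                 "-config", cnf, "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        with open(f"{d}/{name}.ext", "w") as f:
            f.write(f"extendedKeyUsage={eku}\nkeyUsage=digitalSignature,keyEncipherment\n"
                    "subjectAltName=DNS:vault\n")
        _openssl("x509", "-req", "-days", "1", "-in", f"{d}/{name}.csr",
                 "-CA", f"{d}/{issuer}.pem", "-CAkey", f"{d}/{issuer}.key", "-CAcreateserial",
                 "-extfile", f"{d}/{name}.ext", "-out", f"{d}/{name}.crt")

    ca("ca")
    ca("other-ca")
    leaf("server", "ca", "serverAuth")          # what the listener presents
    leaf("client", "ca", "clientAuth")          # what tls_client_ca_file will accept
    leaf("server-only", "ca", "serverAuth")     # valid chain, but not a client cert
    leaf("stranger", "other-ca", "clientAuth")  # client cert from an untrusted CA


def keypair_matches(cert, key):
    """Compare SubjectPublicKeyInfo; unlike `openssl rsa -modulus` this also covers EC keys."""
    return (_openssl("x509", "-in", cert, "-noout", "-pubkey")
            == _openssl("pkey", "-in", key, "-pubout"))


def has_client_auth(cert):
    """True if the Extended Key Usage extension lists TLS Web Client Authentication."""
    lines = _openssl("x509", "-in", cert, "-noout", "-text").splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Extended Key Usage" in line:
            return "TLS Web Client Authentication" in lines[i + 1]
    return False


def chains_to_ca(ca, cert):
    """What the listener does: verify the chain with the client-certificate purpose."""
    return subprocess.run(["openssl", "verify", "-CAfile", ca, "-purpose", "sslclient", cert],
                          capture_output=True).returncode == 0


def start_server(d):
    """Stand-in for the Vault listener; returns the port. A rejected client is closed
    with a TLS alert, which is what the client side reports as an SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.crt", f"{d}/server.key")  # tls_cert_file / tls_key_file
    ctx.load_verify_locations(f"{d}/ca.pem")                   # tls_client_ca_file
    ctx.verify_mode = ssl.CERT_REQUIRED                        # tls_require_and_verify_client_cert
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def loop():
        while True:
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
                    tls.sendall(b"hello " + cn.encode())
            except (ssl.SSLError, OSError):
                pass  # client cert missing, untrusted or wrong purpose; alert already sent

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]


def try_handshake(d, port, cert=None, key=None):
    """Client side. cafile plays the lookup's cacert=; load_cert_chain is the client
    cert+key that any client (curl --cert/--key, hvac, an Ansible lookup) must present."""
    ctx = ssl.create_default_context(cafile=f"{d}/ca.pem")
    if cert:
        ctx.load_cert_chain(cert, key)
    try:
        with socket.create_connection(("127.0.0.1", port)) as s, \
                ctx.wrap_socket(s, server_hostname="vault") as tls:
            greeting = tls.recv(64).decode()
    except (ssl.SSLError, OSError) as e:
        return "rejected: " + (getattr(e, "reason", None) or type(e).__name__)
    return "ok: " + greeting if greeting else "rejected: closed without data"


def demo():
    """Build the PKI, run the three file checks, then the four handshakes."""
    d = tempfile.mkdtemp()
    make_test_pki(d)
    port = start_server(d)
    crt, key = (lambda n: f"{d}/{n}.crt"), (lambda n: f"{d}/{n}.key")
    return {
        "checks": {n: (keypair_matches(crt(n), key(n)), has_client_auth(crt(n)),
                       chains_to_ca(f"{d}/ca.pem", crt(n)))
                   for n in ("client", "server-only", "stranger")},
        "no_cert": try_handshake(d, port),
        "client": try_handshake(d, port, crt("client"), key("client")),
        "server_only": try_handshake(d, port, crt("server-only"), key("server-only")),
        "stranger": try_handshake(d, port, crt("stranger"), key("stranger")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it as a script: only the `client` handshake succeeds; the cert with both a valid key and a valid chain but no clientAuth EKU is refused just like a missing cert or a cert from the wrong CA, which is the distinction the thread's "the certs are valid, curl works" argument does not settle on its own. If your real client cert and key pass all three checks against the CA file configured in the listener, the remaining variable is how the client program loads them, and that is the thing to compare between curl and the Ansible side.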

Forgot to mention it here. The certs are valid, because they are used to access the UI, curl, PowerShell Invoke-WebRequest and so on.

If I set tls_require_and_verify_client_cert = "false" in Vault, I just present this: validate_certs=True cacert=/etc/ansible/ca.pem. No need for the other parameters, and it works without any issue.

I think the issue is with the hashi_vault plugin; I already asked 5 days ago, and no answer so far corrects the above.