Hello,
I was following this tutorial:
and found myself stuck at this line:
vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json'
Where vault-auth-method-jwt-nomad.json contains the following:
{
"jwks_url": "https://192.168.250.2:4646/.well-known/jwks.json",
"jwt_supported_algs": ["RS256", "EdDSA"],
"default_role": "nomad-workloads"
}
My HashiStack is using MTLS, the above command failed because it didn’t accept the Nomad server certificate and didn’t offer up a valid client certificate either.
I disabled MTLS completely on Nomad and reran the above command and Vault accepted it (it was able to fetch the data from the Nomad server), however running Nomad without MTLS isn’t a thing I want to do.
I looked through the documentation and was unable to find a way to set this.
listener "tcp" {
This stanza has reference to certs, but only for the TCP listener.
service_registration "consul" {
This stanza has reference to certs, but only for interacting with Consul.
This page’s deprecation warning seems to imply that the certificates need to be configured in the jwt secrets engine, but I see no reference to TLS anywhere else in the page.
I tried using an AI to answer this question and it just hallucinated fields that don’t exist in jwt or the Vault configuration.
How do I tell the jwt engine to recognize a custom CA?
How do I provide the jwt engine with a client cert to authenticate?
Thanks,
David
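Editor's added example (not part of David's post or of the tutorial he followed): the Vault JWT auth method's config endpoint accepts a `jwks_ca_pem` field, the CA chain in PEM form that Vault uses to validate the TLS connection to `jwks_url`. The script below takes the JSON from the post, audits it for the TLS gap (HTTPS JWKS URL with no pinned CA), and produces a hardened payload that carries the Nomad CA instead of turning TLS off. The CA certificate, the file path and the function names are constructed placeholders for illustration; the example does not cover presenting a client certificate to Nomad, which the post also asks about.

```python
"""Build and audit a Vault JWT auth method config that pins the Nomad CA.

Added example, not from the original post or tutorial. Relies on the
JWT auth method's `jwks_ca_pem` config field (CA chain, PEM encoded,
used to validate the TLS connection to `jwks_url`). The CA material,
paths and function names here are illustrative placeholders.
"""
import json
import re
from urllib.parse import urlparse

# Loose check that a string contains at least one PEM-encoded certificate.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----"
)

# The config from the post: JWKS fetched over HTTPS, but with no CA pinned,
# so the fetch is validated against the system trust store and fails for a
# Nomad server signed by a private CA.
ORIGINAL_CONFIG = {
    "jwks_url": "https://192.168.250.2:4646/.well-known/jwks.json",
    "jwt_supported_algs": ["RS256", "EdDSA"],
    "default_role": "nomad-workloads",
}

# Constructed placeholder standing in for the real Nomad CA certificate.
CONSTRUCTED_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUPLACEHOLDERnomadCAexampleonly0000000000000000=\n"
    "-----END CERTIFICATE-----\n"
)


def audit_jwt_auth_config(cfg):
    """Return a list of TLS-related findings for a JWT auth config dict."""
    findings = []
    url = cfg.get("jwks_url")
    if url:
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append(
                f"jwks_url uses {scheme!r}, not https: JWKS can be tampered with in transit"
            )
        elif not cfg.get("jwks_ca_pem"):
            findings.append(
                "jwks_url is https but jwks_ca_pem is unset: a private CA will not be trusted"
            )
        elif not PEM_CERT_RE.search(cfg["jwks_ca_pem"]):
            findings.append("jwks_ca_pem does not contain a PEM certificate")
    if "none" in [a.lower() for a in cfg.get("jwt_supported_algs", [])]:
        findings.append(
            "jwt_supported_algs allows 'none': unsigned tokens would be accepted"
        )
    return findings


def load_ca_pem(path):
    """Read a CA bundle from disk (e.g. the Nomad CA file) and sanity-check it."""
    with open(path, encoding="utf-8") as fh:
        pem = fh.read()
    if not PEM_CERT_RE.search(pem):
        raise ValueError(f"{path} does not contain a PEM certificate")
    return pem


def harden_jwt_auth_config(cfg, ca_pem):
    """Return a copy of cfg with the CA for the JWKS fetch pinned."""
    hardened = dict(cfg)
    hardened["jwks_ca_pem"] = ca_pem
    return hardened


def render_payload(cfg):
    """Serialize for `vault write auth/jwt-nomad/config @file.json`."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    print("original findings:", audit_jwt_auth_config(ORIGINAL_CONFIG))
    hardened = harden_jwt_auth_config(ORIGINAL_CONFIG, CONSTRUCTED_CA_PEM)
    print("hardened findings:", audit_jwt_auth_config(hardened))
    print(render_payload(hardened))
```

Pinning the CA only fixes trust in the issuer; the Nomad server certificate still has to be valid for the host named in `jwks_url`, so with an IP address there it needs that IP as a subject alternative name.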