Vault integration with Nomad - Workload identities, JWT, and custom CA

davidtek · April 23, 2025, 2:39pm

Hello,

I was following this tutorial:

and found myself stuck at this line:

vault write auth/jwt-nomad/config '@vault-auth-method-jwt-nomad.json'

Where vault-auth-method-jwt-nomad.json contains the following:

{
  "jwks_url": "https://192.168.250.2:4646/.well-known/jwks.json",
  "jwt_supported_algs": ["RS256", "EdDSA"],
  "default_role": "nomad-workloads"
}

My HashiStack is using MTLS, the above command failed because it didn’t accept the Nomad server certificate and didn’t offer up a valid client certificate either.

I disabled MTLS completely on Nomad and reran the above command and Vault accepted it(it was able to fetch the data from the Nomad server), however running Nomad without MTLS isn’t a thing I want to do.

I looked through the documentation and was unable to find a way to set this.

listener “tcp” {

This stanza has reference to certs, but only for the TCP listener.

service_registration “consul” {

This stanza has reference to certs, but only for interacting with Consul.

This page’s deprecation warning seems to imply that the certificates need to be configured in the jwt secrets engine, but I see no reference to TLS anywhere else in the page.

I tried using an AI to answer this question and it just hallucinated fields that don’t exist in jwt or the Vault configuration.

How do I tell the jwt engine to recognize a custom CA?
How do i provide the jwt engine with a client cert to authenticate?

Thanks,

David

jonathanfrappier · April 23, 2025, 3:30pm

Asking some people internally, but have you tried jwks_ca_pem?

davidtek · April 24, 2025, 12:59pm

That looks right. I will try that today, thank you!

David

pdfruth · May 9, 2025, 1:10pm

I am having exactly this same problem.
Did you have to leave Nomad’s mTLS turned off?
Or, were you able to figure out how to configure Vault to supply a client certificate? If so, how?

EDIT: For others who may be coming here, after encountering the same challenge… After doing some further research on this, I found a couple of related Git issues;

github.com/hashicorp/vault

Workload Identity forces disabling of mutual TLS client verification, contradicting Nomad’s own best practices

opened 04:35PM - 28 Jan 25 UTC

lattwood

tls

**Describe the bug** When using Nomad Workload Identity (JWT-based) to integrate… with Vault, Nomad’s documentation states: > “It is highly recommended to use mutual TLS in production deployments of Nomad. With mTLS enabled, the `tls.verify_https_client` configuration must be set to false since it is not possible to provide client certificates to the Vault auth method.” This effectively disables Nomad’s mutual TLS client verification for Vault calls. Requiring tls.verify_https_client = false directly conflicts with the general recommendation to use mTLS in production. This omission forces operators to choose between best-practice security (mTLS everywhere) and enabling JWT-based workload identity. In other words, we are asked to run our cluster in a way that is not aligned with the very security best practices Nomad prescribes. **To Reproduce** 1. Configure Nomad for JWT-based Workload Identity. 2. Enable mutual TLS across the Nomad cluster. 3. Attempt to use `tls.verify_https_client = true` for Vault calls. 4. Observe that JWT authentication to Vault fails because you cannot provide client certificates on the Vault JWT auth method. **Expected behavior** We expect full mTLS support during JWT authentication to Vault. Ideally, Vault’s JWT auth method (or Nomad’s usage of it) should be able to present a client certificate to Nomad, such that we can keep `tls.verify_https_client = true` while still using workload identities. **Environment:** * Vault Server Version (retrieve with `vault status`): a version supporting jwt/oidc * Vault CLI Version (retrieve with `vault version`): a version supporting jwt/oidc * Server Operating System/Architecture: Linux of some kind Vault server configuration file(s): ```hcl jwt_validation_pubkeys = [...] jwks_ca_pem = "..." ``` Nomad service configuration file(s): ```hcl tls { http = true rpc = true verify_server_hostname = true verify_https_client = true # Fails with JWT-based workload identity } ``` **Additional context** The docs explicitly state to disable `tls.verify_https_client`, despite also saying mTLS is recommended. **_Security Impact_** Disabling client verification undermines the otherwise strong security model that mTLS provides. With client certificate authentication disabled, we rely solely on token-based authentication without the additional layer of cryptographic identity verification at the TLS layer. **_Request_** Please add official support for presenting client certificates through the Vault JWT auth method, or provide an alternative approach that does not require disabling `tls.verify_https_client`. This feature would align Nomad Workload Identity with the recommended production security posture. Or, don't deprecate Vault Token authentication until Workload Identity is at feature parity while adhering to best practices. (Nomad docs say vault token authentication goes away in 1.10, and latest tag is 1.9.5) I couldn't find an open issue after some quick searching, so I opened this. edit: Opened hashicorp/nomad#24970 to push out the deprecation again, or until this feature exists

github.com/hashicorp/nomad

Push out deprecation of `Authentication Without Workload Identity` to 1.11 or further

opened 04:55PM - 28 Jan 25 UTC

closed 07:55PM - 31 Jan 25 UTC

lattwood

theme/tls theme/workload-identity

### Proposal Push out deprecation of `Authentication Without Workload Identity` …to 1.11, and/or until hashicorp/vault#29435 is addressed. Edit: there is precedent, it was originally scheduled for deprecation in 1.9 but it was pushed out. ### Use-cases I want to run my cluster in adherence with Hashicorp best practices, which necessitates the use of mutual TLS authentication, while also having Vault fetch required metadata from Nomad using said mutual TLS process. ### Attempted Solutions The alternatives presented require some Rube Goldberg-esque machinations that on a long enough timeline would fail and break JWT/OIDC trust between Nomad and vault.

Based on that, it seems the way to move forward with this (at least for the moment) is to set tls.verify_https_client=false in the Nomad server config.

will · May 12, 2025, 2:23am

I changed to tls.verify_https:client = false and still can’t get it working:

vault \
    write auth/jwt-nomad/config \
    jwks_url=https://server.global.nomad:4646/.well-known/jwks.json \
    bound_issuer=nomad \
    default_role=nomad-workload \
    disable_bound_issuer_validation=true \
    disable_jwks_validation=true
Error writing data to auth/jwt-nomad/config: Error making API request.

URL: PUT https://vault.dev.premis.app:8200/v1/auth/jwt-nomad/config
Code: 400. Errors:

* error checking jwks URL https://server.global.nomad:4646/.well-known/jwks.json

I have been using mTLS clients as well and it’s not something I wanted to give up, but I tried the JWT implementation to get clients able to access vault secrets, but I keep getting 400 errors. In the vault server log I see:

2025-05-12T02:01:31.790Z [ERROR] auth.jwt.auth_jwt_9da9937f: error checking jwks URL: url=https://server.global.nomad:4646/.well-known/jwks.json error="fetching keys oidc: get keys failed Get \"https://server.global.nomad:4646/.well-known/jwks.json\": remote error: tls: certificate require

and in the nomad server log I see these errors:

    2025-05-12T02:10:15.213Z [TRACE] http: http: TLS handshake error from 172.21.0.20:38076: tls: client didn't provide a certificate

I’m also using a custom/private vault CA for my client certs. Any idea what I could do to to get past this?

pdfruth · May 12, 2025, 1:18pm

@will It appears your Nomad server still has mTLS enabled.
The tls section of the Nomad server configuration must set verify_https_client = false
For example;

..
....

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/tls/nomad-agent-ca.pem"
  cert_file = "/etc/nomad.d/tls/global-server-nomad.pem"
  key_file  = "/etc/nomad.d/tls/global-server-nomad-key.pem"

  verify_server_hostname = true
  verify_https_client = false
}

....
..

Dont forget to restart the Nomad server(s) after you change the config

Topic		Replies	Views
How to use mTLS with Nomad workload identities and Vault Vault vault , nomad	1	59	January 12, 2025
Error checking jwks_ca_pem Vault	1	680	December 28, 2023
Vault Nomad Secret Backend - TLS from Vault PKI Nomad	2	308	May 24, 2022
Nomad 1.0 integration with Vault Nomad vault	1	469	December 21, 2020
Best way to trust self signed CA for all nomad jobs Nomad	2	474	July 12, 2021

Vault integration with Nomad - Workload identities, JWT, and custom CA

Related topics