Vault: serve CRL with HTTP


Is it possible to have TLS enabled but serve the CRL with plain HTTP?

I'm using the Vault PKI engine as the certificate authority for my Kubernetes clusters, and the Vault TLS certificate itself is signed by the Vault CA.

The service is exposed by a LoadBalancer-type service on port 8200 with TLS enabled.

Because the Vault TLS certificate is signed by the same CA, I'd like to distribute the CRL with plain HTTP. But once I do that I get the error message:
Client sent an HTTP request to an HTTPS server.

I'm thinking about creating an nginx pod that serves the CRL, or creating an ingress that only allows the CRL path over plain HTTP. But are there any better options?
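The nginx-pod option from the question, written out as an added example (this is not code from the original thread or from the Vault project). It exposes only Vault's unauthenticated CRL endpoints (/v1/pki/crl in DER form and /v1/pki/crl/pem) on a plain-HTTP LoadBalancer, and proxies them to Vault over TLS, verifying Vault's certificate against the Vault CA. Every other path returns 404, so no token-bearing API call can ever be sent over the plain-HTTP hop. The namespace "vault", the upstream name vault.vault.svc.cluster.local:8200, the PKI mount name "pki", the image tag, and a ConfigMap "vault-ca" holding the CA certificate under the key ca.pem are all assumptions; adjust them to your deployment.

```yaml
# Added example, not part of the original thread: nginx reverse proxy that
# publishes only Vault's CRL over plain HTTP. Names below are assumed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: crl-proxy-nginx
  namespace: vault
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 80;
        # Only GET/HEAD on the two CRL paths pass through. Everything else is 404,
        # so no Vault token or other API call can travel over this plain-HTTP hop.
        location ~ ^/v1/pki/crl(/pem)?$ {
          limit_except GET { deny all; }
          proxy_pass https://vault.vault.svc.cluster.local:8200;
          # Verify Vault's own TLS certificate against the Vault CA on the upstream leg,
          # instead of trusting whatever answers on port 8200.
          proxy_ssl_verify on;
          proxy_ssl_trusted_certificate /etc/nginx/ca/ca.pem;
          proxy_ssl_server_name on;
          proxy_ssl_name vault.vault.svc.cluster.local;
        }
        location / { return 404; }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: crl-proxy
  namespace: vault
spec:
  replicas: 1
  selector:
    matchLabels: {app: crl-proxy}
  template:
    metadata:
      labels: {app: crl-proxy}
    spec:
      containers:
        - name: nginx
          image: nginx:1.25-alpine   # assumed image tag
          ports: [{containerPort: 80}]
          volumeMounts:
            - {name: conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf, readOnly: true}
            - {name: ca, mountPath: /etc/nginx/ca, readOnly: true}
      volumes:
        - name: conf
          configMap: {name: crl-proxy-nginx}
        - name: ca
          # Assumed: a ConfigMap "vault-ca" whose key ca.pem holds the Vault CA certificate.
          configMap: {name: vault-ca}
---
apiVersion: v1
kind: Service
metadata:
  name: crl-proxy
  namespace: vault
spec:
  type: LoadBalancer
  selector: {app: crl-proxy}
  ports: [{port: 80, targetPort: 80}]
```

Once the proxy has an address, point the CRL distribution point in issued certificates at it with `vault write pki/config/urls crl_distribution_points="http://<proxy-address>/v1/pki/crl"` (and, if you want the CA certificate reachable the same way, add /v1/pki/ca to the location regex and set issuing_certificates too). Serving the CRL without TLS is safe because a CRL is signed by the CA: relying parties check that signature and the nextUpdate time against the CA they already trust, so the transport does not have to provide integrity. What the plain-HTTP hop must not carry is anything authenticated, which is why the proxy allows only those two paths.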


Did you ever figure this out?

The Vault CLI offers the -tls-skip-verify parameter, or the VAULT_SKIP_VERIFY env var.
If you use curl, you can use the --insecure flag.

If you load your CA cert into the systems that you're deploying to, which ultimately is what you need to do with a self-hosted CA, then they won't complain about the HTTPS. That's how I have my homelab Vault CA set up: all OS builds have the CA cert added as a trusted cert during the build/deployment.