Vault startup fails while I use my certificate

Hello, I am learning HashiCorp Vault. I went through the docs and now I am installing the product. I am following this doc.

I have a private CA and I generated a server cert signed by my private CA for my test host where Vault will run: vault.hello.com. I would like to use this self-signed certificate behind HashiCorp Vault.

This is my config file that I use:

$ cat $VAULT_CONFIG_FILE
/*
 * Vault configuration. See: https://www.vaultproject.io/docs/configuration
 */

storage "file" {
        path = "/opt/vault/data"
}

listener "tcp" {
  address            = "0.0.0.0:8200"
  tls_cert_file      = "/tmp/vault.hello.com.pem"
  tls_key_file       = "/tmp/vault.hello.com.key"
  tls_client_ca_file = "/tmp/ca.pem"
}

cluster_addr  = "https://0.0.0.0:8201"
api_addr      = "https://0.0.0.0:8200"
disable_mlock = true
ui            = true

I am trying to start Vault with this command in the foreground:

$ echo $VAULT_CONFIG_FILE
/etc/vault.hcl

$ vault server -config=$VAULT_CONFIG_FILE

But I get the following error:

Error parsing listener configuration.
Error initializing listener of type tcp: error loading TLS cert: tls: failed to parse private key
2023-07-23T15:32:00.070Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-07-23T15:32:00.070Z [INFO]  core: Initializing version history cache for core

This is what the ca.pem looks like:

And this is the server cert:

The private key is this one:

cat /tmp/vault.hello.com.key 

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBEzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIyVQQPFDGOhoCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECAmDutQj7UwIBIHAz8eCEQvX3NQg
ctMvK0Gq5tV9wfQXK4rWOsG/0NVdsO3Dkic9y8gjCubVCxoywBO0mgOB6REarWXk
cB12PPLpkA0/8JUliYqgeBNh6XD+T5Jf0uEmpt7+95KpQt7bdC1W21lYMHqQCtW/
ZDeAXORnYlAEQ/Y7uFxLJ/tgaG1U27O3Pd0JGkHvCMH2xzEWoGfjiClCt73MY+Rg
RE0z89bKKj6PSNxN2qWUhE3/UJbegy3DSPLBT8PHAS4cDeatGkyy
-----END ENCRYPTED PRIVATE KEY-----

I also tried to start Vault this way, but I got the same error:

echo "changeit" | vault server -config=$VAULT_CONFIG_FILE

Error parsing listener configuration.
Error initializing listener of type tcp: error loading TLS cert: tls: failed to parse private key
2023-07-23T15:47:33.983Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-07-23T15:47:33.990Z [INFO]  core: Initializing version history cache for core

Could you please point me in the right direction and help me configure Vault properly so that I can use my existing certificate? Thanks in advance.

Vault has said there is a problem with the key:

You have not said anything about the format of the key file.

You have implied it may be encrypted with a passphrase:

I have no idea whether Vault supports that. I suspect it might not.

Thanks for the response.

I checked this doc and the key file again.

It seems that my keyfile is in the wrong format:


I am going to change it and let you know the result.

You saved my day.

I had to convert the keyfile to PEM this way:

openssl pkcs8 \
   -in "$KEYSTORE_HOME/$FQDN.key" \
   -passin pass:changeit \
   -out "$KEYSTORE_HOME/$FQDN.key.pem" \
   -outform PEM

Now it works like a charm:

vault server -config=$VAULT_CONFIG_FILE
==> Vault server configuration:

             Api Address: https://0.0.0.0:8200
                     Cgo: disabled
         Cluster Address: https://0.0.0.0:8201
   Environment Variables: CHARSET, GODEBUG, HOME, IMAGE_AUTHOR, IMAGE_DESCRIPTION, IMAGE_NAME, IMAGE_TAG, KEYSTORE_HOME, LANG, LC_COLLATE, LOGNAME, MAIL, PAGER, PATH, PKI_HOST, PWD, SHELL, SHLVL, SSH_CLIENT, SSH_CONNECTION, SSH_PASSWORD, SSH_TTY, SSH_USER, TERM, UP_SIGNAL_PORT, USER, VAULT_CONFIG_FILE, _
              Go Version: go1.19.9
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.11.10, built 2023-05-08T23:41:37Z
             Version Sha: AlpineLinux

==> Vault server started! Log data will stream in below:

2023-07-23T17:29:39.901Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-07-23T17:29:39.901Z [INFO]  core: Initializing version history cache for core
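
An added example, not part of the original posts: a pre-flight check for the file named in `tls_key_file` that spots the `BEGIN ENCRYPTED PRIVATE KEY` header seen above before Vault is started, and goes one step further by also covering the older `Proc-Type: 4,ENCRYPTED` PEM form. Because the `openssl pkcs8` conversion leaves an unencrypted key on disk, it also flags a plaintext key that group or other can access; the function names and sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread; it reads PEM armor lines only (no passphrase).

# Print the kind of private key found in file $1.
classify_key() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted    # the header shown in the thread
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo legacy-encrypted   # traditional PEM protected by a passphrase
    elif grep -q -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo not-a-key
    fi
}

# Succeed only when group and other have no permission bits on file $1.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print "ok" for a plaintext key that only its owner can access; otherwise
# print the reason the file should not be handed to the listener as it is.
preflight() {
    kind=$(classify_key "$1")
    if [ "$kind" != plain ]; then
        echo "$kind"
    elif owner_only "$1"; then
        echo ok
    else
        echo plain-but-exposed
    fi
}

# Constructed sample files: armor lines only, the bodies are placeholders.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'placeholder' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'placeholder' '-----END RSA PRIVATE KEY-----' > "$dir/legacy.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
        '-----END PRIVATE KEY-----' > "$dir/plain.key"
    chmod 600 "$dir"/*.key
    echo "$dir"
}

# When called with a path, check that file.
[ $# -eq 0 ] || preflight "$1"
```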