I am using various combinations for the command, such as:
vault status -ca-cert=/tmp/CA_of_server -client-cert=/tmp/cert.pem -client-key=/tmp/key.pem
where /tmp/CA_of_server is the CA of the server, and client-cert and client-key are the ones the vault status command uses. Any suggestion for what my problem is and how to debug it?
More information:
For the server listener “tcp”, I have configured this way:
{
…
tls_cert_file = "/usr/files/server-cert.pem"
tls_key_file = "/usr/files/server-key.pem"
tls_client_ca_file = "/usr/files/truststore.pem"
tls_require_and_verify_client_cert = 1
…
}
Where the "tls_client_ca_file" is a PEM file which has multiple CAs concatenated. I think this is used to check the client certificate, since different clients can have different CAs, so I put all supported CAs inside.
Here if I set "tls_require_and_verify_client_cert = 0", i.e. not verifying the client cert, everything works fine.
On the "vault status" command, I am running the command from the same pod, and using this:
vault status -client-cert=/usr/files/server-cert.pem -client-key=/usr/files/server-key.pem -ca-cert=/tmp/single_CA_signed_server_cert.pem
FYI, for testing purposes, the vault status command now uses the same cert/key as the server is using, and the "ca_cert" is the ICA that signed server-cert.pem. I think things match up properly, but I always get a "remote error: tls: bad certificate" error.
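As an added example (not code from the thread or from Vault), the Go program below reproduces the check a Go TLS server, which is what Vault's listener runs, applies to a presented client certificate: the chain must end at a CA in the tls_client_ca_file bundle, using any intermediates the client sends along, and the leaf must be valid for clientAuth. It builds a constructed hierarchy (two roots concatenated into a bundle, one intermediate under root A) and shows a serverAuth-only leaf being rejected even though its chain is trusted, a clientAuth leaf being rejected when its intermediate is neither in the bundle nor presented, and the same leaf passing once the intermediate is presented; all names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue creates an Ed25519 key and a certificate signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true, ExtKeyUsage: eku}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClient mirrors what Go's TLS server (and therefore Vault) checks before accepting a client
// certificate: chain to a CA in the tls_client_ca_file bundle via the intermediates the client sends,
// and an extended key usage that permits clientAuth. Any failure is reported to the client as "bad certificate".
func verifyClient(bundlePEM []byte, leaf *x509.Certificate, presented ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // concatenated PEM CAs, like truststore.pem
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RunChecks builds the constructed hierarchy and returns the three verification outcomes (expected: error, error, nil).
func RunChecks() (serverEKU, noChain, full error) {
	rootA, keyA := issue("Root A", true, nil, nil, nil)
	rootB, _ := issue("Root B", true, nil, nil, nil)
	ica, keyICA := issue("ICA A", true, nil, rootA, keyA)
	bundle := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootA.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootB.Raw})...)
	srv, _ := issue("vault-server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ica, keyICA)
	cli, _ := issue("vault-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ica, keyICA)
	return verifyClient(bundle, srv, ica), verifyClient(bundle, cli), verifyClient(bundle, cli, ica)
}
```

To apply the same two checks to a real file, `openssl x509 -in server-cert.pem -noout -text` shows whether "TLS Web Client Authentication" is among the extended key usages, and `openssl verify -CAfile truststore.pem -untrusted ica.pem server-cert.pem` shows whether the leaf chains to the bundle once its intermediate is supplied.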
You can also use the environment variables on the command line, or load them in .bashrc for instance. It becomes easier, as you won't have to type them for each command: