X509 certificate onboarding in vault with vault agent

kallmekunal · March 16, 2021, 10:40am

Following below link:

On my local i was able to integrate it with the target pod and able achieve the purpose of secret fetch from vault agent from vault server.

On Production when vault is trying to do login viea the agent init-container i am getting below error:
error authenticating: error=“Put “https://domainname:32523/v1/auth/kubernetes/login”: x509: certificate signed by unknown authority”.

Please suggest what to do in this regard.
Probably agent needs some truststore chain onboarding.
But it will be a great help if anybody can suggest how to do that or any other solution.
Not an expert in this matter.
VAULT_SKIPVERIFY is the quickfix i am using but probably that is not a good way.

dehuszar · April 6, 2021, 1:43am

9 times out of 10 that means you don’t have your ca installed in the offending host machine. If you copy or symlink whatever ca you’re issuing certs from into (on Ubuntu anyway) /usr/local/share/ca-certificates/ (once or twice I’ve had to create a [...]/local/sub-folder and put the ca in there) and then run sudo update-ca-certificates.

You should see some output that a new ca was installed. Then restart your session and it should start to work. Non-Ubuntu steps will be slightly different, but the same basic gist of it should be the same.

Topic		Replies	Views
Passing a CA certificate to injected vault-agent and vault-agent-init containers? Vault	5	5967	June 30, 2020
HCP Vault Secret with Vault Secret Operator failed to verify certificate HCP Vault Secrets	4	396	December 30, 2023
Alternative to using vault.hashicorp.com/ca-cert with agent injector? Vault k8s	0	259	February 23, 2023
Error with https login url with vault auto-auth agent Vault k8s , vault	1	657	February 26, 2021
Connect vault kubernetes agent to external vault over HTTPS Vault	0	194	August 24, 2023

X509 certificate onboarding in vault with vault agent

Related topics