ansible-community / ansible-vault

:key: Ansible role for Hashicorp Vault
BSD 2-Clause "Simplified" License

"unknown or unsupported field tls_prefer_server_cipher_suites found in configuration" #297

Closed boldandbusted closed 2 years ago

boldandbusted commented 2 years ago

Just upgraded to Vault 1.10.3 Enterprise. I read this message in the Vault log:

```
2022-06-03T16:11:53.387-0400 [WARN] unknown or unsupported field tls_prefer_server_cipher_suites found in configuration at /etc/vault.d:20:3
```

It's just a warning, and Vault is still functioning as we intend. Happy to provide more info. Thanks!

kartuhn commented 2 years ago

Hey @boldandbusted, I have a question on enabling TLS. I am running a file bootstrap, enabling PKI and using that certificate to enable TLS, which is going pretty unsuccessfully. Would you mind sharing the steps I need to take to enable TLS using this role? Thanks in advance.

in0rdr commented 2 years ago

@kartuhn not sure if your question is still worth answering, but it might help anyone finding that issue here.

You basically enable TLS on the Vault API by setting some basic group variables for your Ansible playbook. For example, with a TLS certificate from the playbook directory:

```yaml
# TLS for Vault API
vault_tls_disable: no # disabled (1) by default
vault_tls_src_files: '{{ playbook_dir }}/files/tls'
vault_tls_cert_file: 'vault.crt'
vault_tls_key_file: 'vault.key'
vault_tls_ca_file: 'vault_ca.crt'
```

I'm not sure if that is helpful though, since you mentioned the PKI secrets engine, which is a slightly different discussion (of course you can use the engine to configure TLS on your Vault API; I would not encourage introducing that config with the same Vault cluster, though, due to the recursive/loop config).
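A pre-deploy check for the group variables shown in the comment above, as an added example that is not part of the thread or of the role's own code. The function names `parse_vars` and `check_tls_vars` are hypothetical; the sketch assumes a flat `key: value` vars file and that the playbook directory is passed in explicitly.

```python
import os
import stat

# Ansible/YAML 1.1 spellings that evaluate to false
FALSY = {"no", "false", "off", "0", "n"}

# Expected tail of the first PEM line for each variable (rejects CSRs, swapped files)
PEM_MARKERS = {
    "vault_tls_cert_file": "CERTIFICATE-----",
    "vault_tls_ca_file": "CERTIFICATE-----",
    "vault_tls_key_file": "PRIVATE KEY-----",
}

def parse_vars(text):
    """Parse flat `key: value` lines, dropping comments and quotes."""
    out = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip().strip("'\"")
    return out

def check_tls_vars(vars_text, playbook_dir):
    """Return a list of problems; an empty list means the files look deployable."""
    v = parse_vars(vars_text)
    problems = []
    # An unset variable is treated as 1 (TLS disabled), per the comment in the vars
    if v.get("vault_tls_disable", "1").lower() not in FALSY:
        problems.append("vault_tls_disable is not false: listener stays plaintext")
    src = v.get("vault_tls_src_files", "").replace("{{ playbook_dir }}", playbook_dir)
    for var, marker in PEM_MARKERS.items():
        name = v.get(var)
        if not name:
            problems.append(f"{var} is not set")
            continue
        path = os.path.join(src, name)
        if not os.path.isfile(path):
            problems.append(f"{var}: {path} not found")
            continue
        with open(path, "r", errors="replace") as fh:
            first = fh.readline()
        if not (first.startswith("-----BEGIN") and marker in first):
            problems.append(f"{var}: {path} is not a PEM {marker.strip('-')}")
        if var == "vault_tls_key_file" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{var}: {path} is accessible to group/other")
    return problems
```

The check only inspects file presence, PEM type and key permissions; it does not verify that the certificate chains to the CA or matches the key.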