Open nkissebe opened 6 years ago
Thanks for pointing that out. I’ll update the wiki. FWIW, Vault can be used in two modes: as an encrypted KV store and as an on-demand CA.
@magiconair is there any documentation on configuring Fabio to use Vault PKI interface?
@Narayanan170, it's documented in fabio.properties.
```
# Vault PKI
#
# The Vault PKI certificate store uses HashiCorp Vault's PKI backend to issue
# certificates on-demand.
#
# The 'cert' option provides a PKI backend path for issuing certificates. The
# 'clientca' option works in the same way as for the generic Vault source.
#
# The 'refresh' option determines how long before the expiration date
# certificates are re-issued. Values smaller than one hour are silently changed
# to one hour, which is also the default.
#
# cs=<name>;type=vault-pki;cert=pki/issue/example-dot-com;refresh=24h;clientca=secret/fabio/client-certs
#
# This source will issue server certificates on-demand using the PKI backend
# and re-issue them 24 hours before they expire. The CA for client
# authentication is expected to be stored at secret/fabio/client-certs.
```
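An added example, not part of the thread and not fabio's own code: a small Go checker for a `type=vault-pki` definition that applies the rules quoted above, so a `refresh` below one hour is reported instead of being changed silently. The names `PKISource` and `ParsePKISource` are hypothetical, and treating `cs` and `cert` as required is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// PKISource is an illustrative type (not fabio's own) for a vault-pki 'cs=' line.
type PKISource struct {
	Name, Cert, ClientCA string
	Refresh              time.Duration
	Clamped              bool // true when a refresh below 1h was raised to 1h
}

// ParsePKISource checks a definition against the fabio.properties comment:
// 'cert' is the PKI issue path, 'refresh' defaults to 1h and is never lower.
func ParsePKISource(def string) (PKISource, error) {
	src := PKISource{Refresh: time.Hour}
	opts := map[string]string{}
	for _, kv := range strings.Split(def, ";") {
		p := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(p) != 2 || p[1] == "" {
			return src, fmt.Errorf("malformed option %q", kv)
		}
		opts[p[0]] = p[1]
	}
	if opts["type"] != "vault-pki" {
		return src, fmt.Errorf("type is %q, want vault-pki", opts["type"])
	}
	src.Name, src.Cert, src.ClientCA = opts["cs"], opts["cert"], opts["clientca"]
	if src.Name == "" || src.Cert == "" { // assumption: both must be present
		return src, fmt.Errorf("both 'cs' and 'cert' are required")
	}
	if v, ok := opts["refresh"]; ok {
		d, err := time.ParseDuration(v)
		if err != nil {
			return src, fmt.Errorf("refresh: %v", err)
		}
		src.Refresh, src.Clamped = d, d < time.Hour
		if src.Clamped {
			src.Refresh = time.Hour
		}
	}
	return src, nil
}

func main() {
	// Constructed sample: the documented line with a name and a too-small refresh.
	s, err := ParsePKISource("cs=pki;type=vault-pki;cert=pki/issue/example-dot-com;refresh=10m")
	fmt.Println(s.Refresh, s.Clamped, err) // 1h0m0s true <nil>
}
```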
Thank you! Didn't really dig in the properties file.
Documentation inside fabio.properties for certificate stores needs to be updated or removed and replaced with a link to https://github.com/fabiolb/fabio/wiki/Certificate-Stores.
In particular, the documentation in fabio.properties for the vault certificate store doesn't document how the certificate should be stored in Vault. I spent many hours trying to put them in Vault in a fashion similar to the 'path' store, as that was the best I could infer from the file. All I needed to see was
`vault write secret/fabio/certs/www.domain.com cert=@cert.pem key=@key.pem`
and I would have figured it out. For some reason I didn't hit the wiki page when browsing for help (it came up after a Google search). Also, the wiki page is inconsistent in the example, putting "cert" or "certs" in the Vault path.