fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Vault Certificate Store Documentation #409

Open nkissebe opened 6 years ago

nkissebe commented 6 years ago

Documentation inside fabio.properties for certificate stores needs to be updated or removed and replaced with a link to https://github.com/fabiolb/fabio/wiki/Certificate-Stores

In particular the documentation in fabio.properties for the vault certificate store doesn't document how the certificate should be stored in vault. I spent many hours trying to put them in vault in a fashion similar to the 'path' store as that was the best I could infer from the file. All I needed to see was

"vault write secret/fabio/certs/www.domain.com cert=@cert.pem key=@key.pem"

And I would have figured it out. For some reason I didn't hit the wiki page when browsing for help (came up after a Google search). Also the wiki page is inconsistent in the example putting "cert" or "certs" in the vault path.

magiconair commented 6 years ago

Thanks for pointing that out. I'll update the wiki. FWIW, vault can be used in two modes: as an encrypted KV store and as an on-demand CA.

fsuste commented 5 years ago

@magiconair is there any documentation on configuring Fabio to use Vault PKI interface?

pschultz commented 5 years ago

@Narayanan170, it's documented in fabio.properties.

```
# Vault PKI
#
# The Vault PKI certificate store uses HashiCorp Vault's PKI backend to issue
# certificates on-demand.
#
# The 'cert' option provides a PKI backend path for issuing certificates. The
# 'clientca' option works in the same way as for the generic Vault source.
#
# The 'refresh' option determines how long before the expiration date
# certificates are re-issued. Values smaller than one hour are silently changed
# to one hour, which is also the default.
#
#   cs=<name>;type=vault-pki;cert=pki/issue/example-dot-com;refresh=24h;clientca=secret/fabio/client-certs
#
# This source will issue server certificates on-demand using the PKI backend
# and re-issue them 24 hours before they expire. The CA for client
# authentication is expected to be stored at secret/fabio/client-certs.
```

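
The refresh rule from the comment block quoted above, worked through as an added example that is not part of this thread and is not fabio's own code: it parses a `vault-pki` certificate source string, applies the one-hour floor and default, and computes the re-issue time. `ParseVaultPKI` and `ReissueAt` are hypothetical names, the sample string and expiry date are constructed, and Go duration syntax for `refresh` is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const minRefresh = time.Hour // floor and default stated in the quoted comments

// ParseVaultPKI (hypothetical helper) splits "cs=<name>;type=vault-pki;..." into
// its options and returns the refresh interval that actually takes effect.
func ParseVaultPKI(spec string) (map[string]string, time.Duration, error) {
	opts := map[string]string{}
	for _, opt := range strings.Split(spec, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(opt), "=")
		if !ok || v == "" {
			return nil, 0, fmt.Errorf("malformed option %q", opt)
		}
		opts[k] = v
	}
	if opts["type"] != "vault-pki" || opts["cert"] == "" {
		return nil, 0, fmt.Errorf("need type=vault-pki and a cert path")
	}
	refresh := minRefresh
	if r, set := opts["refresh"]; set {
		d, err := time.ParseDuration(r) // assumption: Go duration syntax
		if err != nil {
			return nil, 0, fmt.Errorf("refresh: %w", err)
		}
		if d > minRefresh {
			refresh = d // shorter values are raised to one hour, no error
		}
	}
	return opts, refresh, nil
}

// ReissueAt is the moment a certificate expiring at notAfter is due for re-issue.
func ReissueAt(notAfter time.Time, refresh time.Duration) time.Time {
	return notAfter.Add(-refresh)
}

func main() {
	spec := "cs=pki;type=vault-pki;cert=pki/issue/example-dot-com;refresh=30m" // constructed
	_, refresh, err := ParseVaultPKI(spec)
	notAfter := time.Date(2030, 1, 10, 0, 0, 0, 0, time.UTC) // constructed expiry
	fmt.Println(refresh, err, ReissueAt(notAfter, refresh))
}
```
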
fsuste commented 5 years ago

Thank you! Didn't really dig in the properties file.