hashicorp / docker-vault

Official Docker images for Vault
Mozilla Public License 2.0

Vault TLS Certificate authentication method #301

Open MorganReid opened 1 year ago

MorganReid commented 1 year ago

Recently I have been learning about Vault's authentication methods, and I plan to use the TLS Certificate Auth Method (API), but I have encountered some problems in practice. I have 4 self-generated certificates locally: clientCA.pem, serverCA.pem, client.pem and server.pem (the CN is test.example.com). Here are the steps involving the certificates.

1: My config.hcl file is as follows

    listener "tcp" {
      address = "[::]:8200"
      tls_cert_file = "/certs/server.pem"
      tls_key_file  = "/certs/server.key"
      tls_disable = false
    }

2: Create CA Certificate Role

    curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --cacert clientCA.pem \
    --data '{"display_name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/certs/test-ca

3: Login with TLS Certificate Method

    curl \
    --request POST \
    --cacert serverCA.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

When executing the second step, an error is reported:

    curl: (60) SSL certificate problem: unable to get local issuer certificate

Then I logged in via the root token and worked in the web interface. I created a test-ca role; the imported certificate is clientCA.pem. When executing the third step, an error is reported:

    curl: (60) SSL certificate problem: unable to get local issuer certificate

When I replace serverCA.pem in the original command with server.pem, the error is:

    {"errors":["invalid certificate or no client certificate supplied"]}

    curl \
    --request POST \
    --cacert server.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

When I went to the interface and changed the certificate of test-ca from clientCA.pem to client.pem, the modified curl command executed successfully:

    curl \
    --request POST \
    --cacert server.pem \
    --cert client.pem \
    --key clientkey.pem \
    --data '{"name": "test-ca"}' \
    https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"

Now I feel that I don't understand the relationship between these certificates; I have consulted a lot of documents, but I still do not understand it. I hope you can help me and provide me with a solution.
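The two `unable to get local issuer certificate` errors above both come from the TLS layer, before Vault sees the request, so a useful first check is to confirm which CA actually issued which certificate. The following script is an added example, not code from this issue or from docker-vault: it builds a throwaway mini-PKI with the same names as the issue (serverCA signs server.pem, clientCA signs client.pem) and then checks the two relationships that matter, namely that the file given to curl's `--cacert` is the issuer of the listener's certificate, and that the file stored in the cert-auth role is the issuer of the certificate curl presents with `--cert`. It assumes the `openssl` CLI is on the PATH; all key and certificate files are constructed in a temporary directory.

```shell
#!/bin/sh
# Constructed mini-PKI mirroring the issue's file names; nothing here talks to Vault.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# make_ca <name> <cn>: self-signed CA certificate + key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert <ca-name> <leaf-name> <cn>: leaf key + CSR, signed by the named CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -out "$2.pem" 2>/dev/null
}

# verify_chain <ca.pem> <leaf.pem>: returns 0 when the CA really issued the leaf
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok:   $2 is issued by $1"; return 0
  fi
  echo "FAIL: $2 is NOT issued by $1"; return 1
}

make_ca serverCA "serverCA"
make_ca clientCA "clientCA"
issue_cert serverCA server test.example.com   # what the listener serves (tls_cert_file)
issue_cert clientCA client test.example.com   # what curl presents with --cert on login

verify_chain serverCA.pem server.pem          # what --cacert must contain
verify_chain clientCA.pem client.pem          # what the auth/cert/certs/test-ca role must hold
verify_chain clientCA.pem server.pem || true  # the step-2 mix-up: expected to FAIL
```

If the first check fails against your real files, curl will keep reporting error 60 regardless of what the role contains; if the second fails, Vault answers "invalid certificate or no client certificate supplied" even though the TLS handshake succeeded.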