hashicorp / vault-ruby

The official Ruby client for HashiCorp's Vault
Mozilla Public License 2.0

How to pass multiple CA certificates to ssl_pem_contents? #273

Open hunter86bg opened 2 years ago

hunter86bg commented 2 years ago

I am trying to pass multiple CA certificates to ssl_pem_contents as I never know which CA will sign the vault's certificate. Yet, I receive:

FATAL: OpenSSL::PKey::RSAError: read_vault[Read secret at secret/my-app] (secret::create_secret line 38) had an error: OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error

How can I make this one work?

require 'vault'

# Concatenate every CA file found under the candidate paths into one PEM string.
cert_content = ""
Dir.glob(['/etc/ssl/certs/*.crt', '/etc/ssl/certs/*.pem', '/etc/chef/trusted_certs/*']).each do |cert|
  cert_content += ::File.read(cert)   # File.read closes the handle; File.open(...).read leaked it
end

Vault.configure do |config|
  config.ssl_pem_contents = cert_content
end

hunter86bg commented 2 years ago

So far my workaround (should work on RHEL/SLES) is:

require 'tempfile'

# Concatenate every CA file into one temporary bundle and point OpenSSL's
# default CA lookup at it before the vault gem opens any connection.
temp_cert_file = Tempfile.new('csv', '/etc/chef/')
Dir.glob(['/etc/ssl/certs/*.crt', '/etc/ssl/certs/*.pem', '/etc/chef/trusted_certs/*']).each do |ca_cert|
  IO.copy_stream(ca_cert, temp_cert_file)
end
temp_cert_file.flush   # make sure the bundle is on disk before OpenSSL reads it
ENV['SSL_CERT_FILE'] = temp_cert_file.path
require 'vault'

jackivanov commented 1 year ago

Vault.ssl_ca_cert = '/etc/ssl/certs/ca-certificates.crt'

ssl_ca_cert seems to be working fine with multiple certs

hunter86bg commented 1 year ago

@jackivanov, in Chef you can have multiple files in a directory. Is there a way to point to a directory instead of a file?

jackivanov commented 1 year ago

@hunter86bg yes, there's ssl_ca_path

https://github.com/hashicorp/vault-ruby/blob/9ebb47e0c39c49e2fb867c94bbfd7a1d9821bbb7/lib/vault/configurable.rb#L24
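An added example, not code from the vault-ruby project or from this thread, that uses only Ruby's openssl stdlib to show why the three options behave as reported: a concatenated CA bundle loaded as a file (what ssl_ca_cert does) verifies a leaf, the same text fed to OpenSSL::PKey::RSA.new (what ssl_pem_contents does, since that option is parsed as a client certificate plus private key) raises the reported RSAError, and a directory of arbitrarily named .crt files (what ssl_ca_path would be given) is not searched because OpenSSL expects subject-hash file names there. The CA names, the leaf and the directory layout are constructed for the example.

```ruby
require 'openssl'
require 'tempfile'
require 'tmpdir'   # only needed to construct the sample CA directory
# Constructed key + certificate: a self-signed CA when no issuer is given,
# otherwise a leaf signed by the given [key, cert] pair.
def make_cert(name, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = issuer ? issuer[1].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[0] : key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Concatenate every certificate under dirs into one PEM bundle (a Tempfile, kept referenced
# so it is not unlinked); files that do not parse as a certificate are skipped.
def build_ca_bundle(dirs)
  bundle = Tempfile.new(['ca-bundle', '.pem'])
  Dir.glob(dirs.map { |d| File.join(d, '*') }).sort.each do |path|
    pem = File.read(path)
    OpenSSL::X509::Certificate.new(pem)             # raises unless it is a certificate
    bundle.write(pem.end_with?("\n") ? pem : "#{pem}\n")
  rescue OpenSSL::X509::CertificateError
    next
  end
  bundle.flush
  bundle
end

# Contrast the three ways the thread tries to hand CAs to the client.
def check(bundle_path, ca_dir, leaf)
  text    = File.read(bundle_path)
  by_file = OpenSSL::X509::Store.new.tap { |s| s.add_file(bundle_path) } # ssl_ca_cert: every cert in the file
  by_dir  = OpenSSL::X509::Store.new.tap { |s| s.add_path(ca_dir) }      # ssl_ca_path: hashed file names only
  pem_contents_raises = begin
    OpenSSL::PKey::RSA.new(text)                    # what ssl_pem_contents does with its value
    false
  rescue OpenSSL::PKey::PKeyError                   # the "Neither PUB key nor PRIV key" error
    true
  end
  { bundle_verifies: by_file.verify(leaf), unhashed_dir_verifies: by_dir.verify(leaf),
    pem_contents_raises: pem_contents_raises, first_cert_only: OpenSSL::X509::Certificate.new(text).subject.to_s }
end
```

ssl_ca_path relies on OpenSSL's hash-directory lookup, which only finds files named `<subject hash>.<n>` (compare `"%08x.0" % cert.subject.hash`), so a directory like /etc/chef/trusted_certs needs `openssl rehash` run over it first. Note that OpenSSL::X509::Certificate.new on a bundle silently keeps only the first certificate, which is why concatenation only helps when the value is loaded as a CA file.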