hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

tls_cert_file signed by intermediate CA gives "x509: certificate signed by unknown authority" #2253

Closed koweblomke closed 7 years ago

koweblomke commented 7 years ago

I have installed Vault Version 0.6.2 on Oracle Linux 7.3 and signed the vault cert (used in the vault listener tls_cert_file configuration) with an intermediate CA.

Both the root CA and the intermediate CA are trusted with "update-ca-trust extract". Vault starts normally, but when we try to get the vault status I keep getting "x509: certificate signed by unknown authority".

with openssl I verified the certificate against the trusted ca's:

$ openssl verify -verbose -CAfile /etc/pki/tls/certs/ca-bundle.crt /etc/vault/certs/vault.crt
/etc/vault/certs/vault.crt: OK

That seems to be OK. Why does Vault return "x509: certificate signed by unknown authority", or do I need to pass a certificate chain somehow? Or is it even possible to use an intermediate CA for signing the vault tls_cert_file?

jefferai commented 7 years ago

The location of trusted CAs differs from distro to distro, so I can't help much with Oracle Linux-specific items, but you can use the -ca-cert/-ca-path flags to specify the CA manually when using the Vault CLI.

koweblomke commented 7 years ago

Oracle Linux is a RedHat derivative. (https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux_derivatives)

But even with using the -ca-cert / -ca-path flags I keep getting this message. Is there any documentation about how to setup a Vault server using an intermediate CA for signing the Vault tls_cert_file?

jefferai commented 7 years ago

What's your config?

koweblomke commented 7 years ago

I am trying to run vault HA on two nodes with a three node etcd backend and a keepalived on each vault node which switches a virtual IP.

backend "etcd" {
  address       = "http://vault-etcd01:4001,http://vault-etcd02:4001,http://vault-etcd03:4001"
  redirect_addr = "https://vault-vip:8200"
  path          = "vault"
  disable_mlock = 0
  ha_enabled    = 1
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/certs/vault.crt"
  tls_key_file  = "/etc/vault/certs/vault.key"
}

All the nodes have trusted the root CA by default, I am not sure what to do with the intermediate CA. Do I need to explicitly trust the intermediate CA on the vault nodes, or can I give the vault server a cert chain somehow?

jefferai commented 7 years ago

You can give the chain in tls_cert_file:

tls_cert_file (required unless disabled) - The path to the certificate for TLS. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file. This is reloaded via SIGHUP.

The chain doesn't just have to be one CA cert, although if the root is trusted everywhere then you should only need the intermediate.
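The chain layout described above, as an added example that is not code from this issue or from Vault itself: this Go program (Vault's own language) does what Vault's TLS stack does with a concatenated tls_cert_file, then verifies the served chain the way a client that trusts only the root CA would. It constructs throwaway keys in memory (an EC root, an EC intermediate labelled "imca" and an RSA leaf labelled "vault-vip", names borrowed from the thread as labels only); the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs a certificate for pub with parentKey; a nil parent means self-signed.
func issue(cn string, ca bool, pub any, parent *x509.Certificate, parentKey any) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, DNSNames: []string{cn},
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // only the constructed inputs below reach this helper
	}
	return tmpl, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// checkListenerBundle does what Vault's Go TLS stack does with tls_cert_file/tls_key_file: the key must match
// the FIRST certificate, the rest is sent to clients as the chain, and that chain must verify against rootPEM.
func checkListenerBundle(bundlePEM, keyPEM, rootPEM []byte) error {
	pair, err := tls.X509KeyPair(bundlePEM, keyPEM) // fails if the key does not match the first cert
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	inter.AppendCertsFromPEM(bundlePEM) // the leaf itself is harmless here; the CA certs after it are what matter
	roots.AppendCertsFromPEM(rootPEM)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.DNSNames[0]})
	return err
}

// buildMaterial constructs an EC root, an EC intermediate and an RSA leaf in memory (throwaway keys).
func buildMaterial() (leafPEM, interPEM, rootPEM, keyPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, rootPEM := issue("Test Root CA", true, &rootKey.PublicKey, nil, rootKey)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	inter, interPEM := issue("imca", true, &interKey.PublicKey, root, rootKey)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, leafPEM = issue("vault-vip", false, &leafKey.PublicKey, inter, interKey)
	return leafPEM, interPEM, rootPEM, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(leafKey)})
}
```

Feed checkListenerBundle the leaf followed by the intermediate (nil error), the leaf alone ("x509: certificate signed by unknown authority", the error at the top of this issue) or the intermediate first ("tls: private key type does not match public key type").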

koweblomke commented 7 years ago

Thanks for pointing that out!! At first this didn't work as we received an asn1 error: "tls: failed to parse certificate from server: asn1: structure error: tags don't match"

I did some digging in our CA setup and it turned out that the keys of the CA and intermediate CA were encrypted with Elliptic curve cryptography instead of RSA. In a local environment I created my own CA and intermediate CA based on RSA cryptology and everything works as documented. :-) I didn't expect that the CA key cryptology would have influence on this.

So I need to find out how to work around this, but it's not a Vault issue. Thanks for your support.

jefferai commented 7 years ago

EC keys should be totally fine. Were they PEM formatted?

jefferai commented 7 years ago

If you have those keys and don't mind sending them to me (jeff @ hashicorp com) I'll take a look.

koweblomke commented 7 years ago

my local environment certs and keys (which gave me the ASN1 error):

this is a vault cert with RSA, an intermediate CA with EC and a root CA with RSA:


the keys:

Vault.key:

intermediate.key:

root ca key:

jefferai commented 7 years ago

Hi @koweblomke,

I can reproduce this and openssl is happy with the cert. I've filed https://github.com/golang/go/issues/18634 to track it.

koweblomke commented 7 years ago

Thanks!

After digging a bit more this link https://groups.google.com/forum/#!topic/mailing.openssl.users/4ZsgSvABYpI gave me the solution to our problem. Apparently openssl generated explicit parameters when generating an EC parameter file with openssl genpkey.

vcardillo commented 6 years ago

Is there a way to tell the vault CLI to ignore CA validation? Example:

$ vault status
Error checking seal status: Get https://172.16.4.117:8200/v1/sys/seal-status: x509: certificate signed by unknown authority

Is there a similar -k option as there is for curl?

vcardillo commented 6 years ago

VAULT_SKIP_VERIFY env var, or -tls-skip-verify CLI flag, answer my question.

dev-rowbot commented 5 years ago

Not sure if it's relevant to this issue, but I ran into the same problem a while ago. We are using letsencrypt certificates and I had to make sure that vault was using the fullchain.pem as the tls_cert_file and not cert.pem.

After pointing to the correct file and restarting vault, login worked.

FritschAuctores commented 5 years ago

For PowerShell users:

$env:VAULT_ADDR = "https://x.x.x.x:8200"
$env:VAULT_SKIP_VERIFY = "true"

nitiprabhu commented 5 years ago

I also faced the same issue and fixed it by explicitly mentioning VAULT_CACERT value as follows.

export VAULT_CACERT=/etc/certs/vault.crt

Thanks @NithinBiliya

john-mensel-peoplefluent commented 4 years ago

You can also accomplish this by copying your CA cert into the OS's certificate store. For example, copying the CA cert into /etc/ssl/certs/ on Ubuntu will allow the CLI to recognize it as a valid CA.

marknokes commented 3 years ago

I also faced the same issue and fixed it by explicitly mentioning VAULT_CACERT value as follows.

export VAULT_CACERT=/etc/certs/vault.crt

Thanks @NithinBiliya

Thank you! This is what took care of it for me too.