remilapeyre / vault-acme

Mozilla Public License 2.0
94 stars 24 forks

Not compatible with fabio #34

Open xeroc opened 2 years ago

xeroc commented 2 years ago

I looked into vault-acme because I wanted to use it in connection with fabio and Consul for load balancing. However, it appears vault-acme is not entirely compatible with Vault's usual PKI infrastructure.

I managed to get it to work to where it would issue certificates through ACME and got a

invalid log msg: 2022/09/06 13:34:13 http: TLS handshake error from 188.195.84.15:38212: vault: issue: missing certificate

instead.

Turns out this block

https://github.com/fabiolb/fabio/blob/555ec6968b89b7f19becf27bf3c184832d08134c/cert/vault_pki_source.go#L71-L92

uses certificate, private_key and ca_chain, while vault-acme uses these here:

https://github.com/remilapeyre/vault-acme/blob/084787754999d0582f43eb050f1b6cb79cc36da1/acme/path_certs.go#L143-L152

E.g. private_key (✔), cert (🟥) and issuer_cert (🟥).

I would love to see those two projects be able to talk to each other!

remilapeyre commented 2 years ago

Hi @xeroc, thanks for opening this. I opened https://github.com/remilapeyre/vault-acme/pull/37 that should make it possible to use this plugin with fabio. I don't have any fabio deployment myself, can you please test it and let me know if it works?

xeroc commented 2 years ago

Will be looking into this as soon as I can. Thanks already

xeroc commented 2 years ago

Sorry for the delay. I am currently busy with personal matters. I will still most certainly try your pull request.

xeroc commented 2 years ago

Is there anything I need to consider when changing the plugin file(s)?

remilapeyre commented 2 years ago

After updating the plugin file, you will need to update the shasum in the plugin catalog and make sure that Vault is using the new plugin, not the previous version. I think you can use sys/plugins/reload/backend to do this, restarting Vault should also work.

xeroc commented 2 years ago

Thanks for the advice. Was just doing so and got a bit surprised to see my account (acme/accounts) disappeared. Will need to set them up again, I suppose.

xeroc commented 2 years ago

This patch raises an exception in fabio:

invalid log msg: 2022/10/24 19:21:59 http: TLS handshake error from 188.195.84.15:36728: vault: issue: json: cannot unmarshal string into Go struct field .ca_chain of type []string

FWIW, this is the patch I used (previously) on fabio to make it work:

https://github.com/chainsquad/fabio/commit/21fa2aebc9f95ab22068066c2cceac5048450b54
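The two failure modes in this thread are both field-shape mismatches between what vault-acme returns and what fabio's Vault PKI source decodes: the PKI engine names (certificate, private_key, ca_chain) versus the vault-acme names (cert, private_key, issuer_cert), and ca_chain arriving as a bare string where fabio expects []string. The following is an added example, not code from fabio or vault-acme, showing a normalizing decoder that accepts either naming and either ca_chain shape, then proves the result with tls.X509KeyPair. The type and function names (pemList, Issued, Normalize, Bundle, SampleResponses, selfSigned) are hypothetical; the field names come from the two links above and the []string type of ca_chain is taken from the unmarshal error quoted in the last comment. The three sample bodies are constructed in code around a throwaway self-signed certificate, not captured Vault output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)

// pemList (hypothetical) decodes ca_chain whether Vault sends a JSON array of PEM
// strings or a single string, the shape behind the "cannot unmarshal string" error.
type pemList []string

func (p *pemList) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' {
		var one string
		if err := json.Unmarshal(b, &one); err != nil {
			return err
		}
		*p = pemList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(p))
}

// Issued carries the PKI-engine field names fabio reads, plus the vault-acme
// names (cert, issuer_cert) so one decode handles both backends.
type Issued struct {
	Certificate string  `json:"certificate"`
	PrivateKey  string  `json:"private_key"`
	CAChain     pemList `json:"ca_chain"`
	Cert        string  `json:"cert"`        // vault-acme name for the leaf
	IssuerCert  string  `json:"issuer_cert"` // vault-acme name for the chain
}

// Normalize folds the vault-acme names into the PKI-engine fields and reproduces
// fabio's "missing certificate" error when neither name is present.
func Normalize(body []byte) (Issued, error) {
	var raw struct{ Data Issued `json:"data"` }
	if err := json.Unmarshal(body, &raw); err != nil {
		return Issued{}, err
	}
	out := raw.Data
	if out.Certificate == "" {
		out.Certificate = out.Cert
	}
	if out.Certificate == "" {
		return Issued{}, errors.New("vault: issue: missing certificate")
	}
	if len(out.CAChain) == 0 && out.IssuerCert != "" {
		out.CAChain = pemList{out.IssuerCert}
	}
	out.Cert, out.IssuerCert = "", ""
	return out, nil
}

// Bundle joins leaf and chain (leaf first) with the key, as a TLS listener needs.
func (i Issued) Bundle() (tls.Certificate, error) {
	chain := strings.Join(append([]string{i.Certificate}, i.CAChain...), "\n")
	return tls.X509KeyPair([]byte(chain), []byte(i.PrivateKey))
}

// selfSigned makes a throwaway key and self-signed certificate so the sample
// bodies carry real PEM. Constructed fixture, not Vault output.
func selfSigned() (certPEM, keyPEM string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
}

// SampleResponses builds three constructed bodies for the same certificate: PKI-engine
// shape, vault-acme shape, and PKI shape with ca_chain as a bare string.
func SampleResponses() (pki, acme, stringChain []byte) {
	certPEM, keyPEM := selfSigned()
	wrap := func(data map[string]interface{}) []byte {
		b, _ := json.Marshal(map[string]interface{}{"data": data})
		return b
	}
	pki = wrap(map[string]interface{}{"certificate": certPEM, "private_key": keyPEM, "ca_chain": []string{certPEM}})
	acme = wrap(map[string]interface{}{"cert": certPEM, "private_key": keyPEM, "issuer_cert": certPEM})
	stringChain = wrap(map[string]interface{}{"certificate": certPEM, "private_key": keyPEM, "ca_chain": certPEM})
	return pki, acme, stringChain
}
```

Calling Normalize on each of the three SampleResponses bodies yields the same Issued value with a one-element CAChain, and Bundle succeeds on all of them; a body that carries neither certificate nor cert fails with the "missing certificate" text seen in the first comment. The chain fallback to issuer_cert is the one assumption the thread does not confirm: it treats vault-acme's issuer_cert as the full intermediate chain, which holds only when the ACME CA returns a single intermediate.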