Open xeroc opened 2 years ago
Hi @xeroc, thanks for opening this. I opened https://github.com/remilapeyre/vault-acme/pull/37 that should make it possible to use this plugin with fabio. I don't have any fabio deployment myself, can you please test it and let me know if it works?
Will be looking into this as soon as I can. Thanks already
Sorry for the delay. I am currently busy with personal matters. I will still most certainly try your pull request.
Is there anything I need to consider when changing the plugin file(s)?
After updating the plugin file, you will need to update the shasum in the plugin catalog and make sure that Vault is using the new plugin, not the previous version. I think you can use sys/plugins/reload/backend to do this, restarting Vault should also work.
Thanks for the advice. Was just doing so and got a bit surprised to see my account (acme/accounts) disappeared. Will need to set them up again, I suppose.
This patch raises an exception in fabio:
invalid log msg: 2022/10/24 19:21:59 http: TLS handshake error from 188.195.84.15:36728: vault: issue: json: cannot unmarshal string into Go struct field .ca_chain of type []string
FWIW, this is the patch I used (previously) on fabio to make it work:
https://github.com/chainsquad/fabio/commit/21fa2aebc9f95ab22068066c2cceac5048450b54
I looked into vault-acme because I wanted to use it in connection with fabio and consul for loadbalancing. However, it appears vault-acme is not entirely compatible with vault's usual pki infrastructure. I managed to get it to work to where it would issue certificates through ACME and got a
instead.

Turns out this block https://github.com/fabiolb/fabio/blob/555ec6968b89b7f19becf27bf3c184832d08134c/cert/vault_pki_source.go#L71-L92 uses `certificate`, `private_key` and `ca_chain`, while vault-acme uses these here: https://github.com/remilapeyre/vault-acme/blob/084787754999d0582f43eb050f1b6cb79cc36da1/acme/path_certs.go#L143-L152

E.g. `private_key` (:heavy_check_mark:), `cert` (:red_square:) and `issuer_cert` (:red_square:). I would love to see those two projects be able to talk to each other!
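The two problems raised in this thread, the field-name mismatch between fabio's Vault PKI source and vault-acme's response, and the later `cannot unmarshal string into Go struct field .ca_chain of type []string` error, both come down to the JSON shape each side expects. The following is an added example (not code from fabio, vault-acme or the linked pull request) that reproduces the decode failure on a constructed response, shows a tolerant `ca_chain` decoder that accepts either a single PEM string or a list, and maps vault-acme's `cert`/`issuer_cert`/`private_key` fields onto the `certificate`/`private_key`/`ca_chain` names fabio reads. The struct and function names, and the sample JSON, are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// fabioPKIResponse mirrors the three fields fabio's vault_pki_source.go reads
// from a Vault PKI issue response (names taken from the issue; struct is ours).
type fabioPKIResponse struct {
	Certificate string   `json:"certificate"`
	PrivateKey  string   `json:"private_key"`
	CAChain     []string `json:"ca_chain"`
}

// acmeCertResponse uses the field names vault-acme's path_certs.go returns.
type acmeCertResponse struct {
	PrivateKey string `json:"private_key"`
	Cert       string `json:"cert"`
	IssuerCert string `json:"issuer_cert"`
}

// Constructed sample of a vault-acme style response (PEM bodies shortened).
const acmeResponse = `{"private_key":"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----",` +
	`"cert":"-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",` +
	`"issuer_cert":"-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----"}`

// Constructed sample reproducing the failure from the thread: fabio's field
// names are present, but ca_chain is a string instead of an array of strings.
const badChainResponse = `{"certificate":"LEAF","private_key":"KEY","ca_chain":"ISSUER"}`

// decodeFabio decodes strictly into fabio's expected shape. Feeding it
// badChainResponse yields the same "cannot unmarshal string ... of type []string"
// error class that fabio logged in the thread.
func decodeFabio(data []byte) (fabioPKIResponse, error) {
	var r fabioPKIResponse
	if err := json.Unmarshal(data, &r); err != nil {
		return fabioPKIResponse{}, err
	}
	return r, nil
}

// chain is a tolerant ca_chain type: it accepts a JSON string (one issuer
// certificate) or a JSON array of strings, and treats null as an empty chain.
type chain []string

func (c *chain) UnmarshalJSON(b []byte) error {
	if strings.TrimSpace(string(b)) == "null" {
		*c = nil
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*c = chain{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("ca_chain: expected string or []string: %w", err)
	}
	*c = chain(many)
	return nil
}

// decodeLenient decodes fabio-named fields but tolerates both ca_chain encodings.
func decodeLenient(data []byte) (fabioPKIResponse, error) {
	var raw struct {
		Certificate string `json:"certificate"`
		PrivateKey  string `json:"private_key"`
		CAChain     chain  `json:"ca_chain"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return fabioPKIResponse{}, err
	}
	return fabioPKIResponse{Certificate: raw.Certificate, PrivateKey: raw.PrivateKey, CAChain: raw.CAChain}, nil
}

// acmeToFabio translates a vault-acme response into the shape fabio reads,
// refusing to produce a half-usable pair (cert without key or vice versa).
func acmeToFabio(data []byte) (fabioPKIResponse, error) {
	var a acmeCertResponse
	if err := json.Unmarshal(data, &a); err != nil {
		return fabioPKIResponse{}, err
	}
	if a.Cert == "" || a.PrivateKey == "" {
		return fabioPKIResponse{}, fmt.Errorf("vault-acme response missing cert or private_key")
	}
	out := fabioPKIResponse{Certificate: a.Cert, PrivateKey: a.PrivateKey}
	if a.IssuerCert != "" {
		out.CAChain = []string{a.IssuerCert}
	}
	return out, nil
}

func main() {
	_, err := decodeFabio([]byte(badChainResponse))
	fmt.Println("strict decode of string ca_chain:", err)
	r, _ := decodeLenient([]byte(badChainResponse))
	fmt.Println("lenient decode chain length:", len(r.CAChain))
	m, _ := acmeToFabio([]byte(acmeResponse))
	fmt.Println("mapped certificate starts with:", m.Certificate[:27])
}
```

The strict decoder is what a consumer that only knows the `pki` backend's schema does; the tolerant `chain` type is the defensive reading side, and `acmeToFabio` is the translation a plugin or a proxy would have to perform if neither project changes its field names.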