Vault agent certificate authentication error #10835
Comments
Here is the error:

```
==> Vault agent started! Log data will stream in below:
==> Vault agent configuration:
2021-02-02T13:59:23.485-0700 [INFO] sink.file: creating file sink
URL: PUT https://active.vault.service.consul.domain.us:8200/v1/cert/certs/test0/login
1 error occurred:
```
Since you're providing a
Then I get, after running `sudo -u vault /usr/local/bin/vault agent -config=/etc/vault.d/vault.hcl`:

```
==> Vault agent configuration:
2021-02-16T14:12:43.981-0700 [INFO] sink.file: creating file sink
URL: PUT https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/login
```
You'll also have to include the client_cert in the

Actually I had all the cert config under the "cert" stanza, so it either wants both or under the "vault" stanza. So what I am finding is that it currently requires the cert configuration info under the "vault" stanza and the full path as you described. `vault { } sink "file" {` This does not: `sink "file" {`
What's the error that you get when using the second config?

If the server is not set up with mTLS, try providing just the

The error with the second config is

This config does not work: `vault { } sink "file" {` and results in the same error:

```
URL: PUT https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/login
```
Thanks for running that! I'm scanning through the codebase, but can't quite figure out why providing the info in the method stanza won't work. Can you run agent with -log-level=trace and see if

Yes it does. Here is the complete output:

```
==> Vault agent configuration:
2021-02-16T16:08:47.944-0700 [INFO] sink.file: creating file sink
URL: PUT https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/login
```
Yes, correct, the log level in the config file has no effect.

Thanks for the quick response. I'll have to circle back to this, but it looks like you are able to proceed by providing the TLS information in the vault stanza.

With testing, maybe, but with the security issue of using it in the vault stanza I can't go any further, because yes, I am planning on using the cache. I was just simplifying the config as far down as I could to figure out the issue.

I see. Thanks for bringing this to our attention!

One more question: what does the config on the Vault server look like? I'm particularly interested in whether
vault.hcl (server)

@datadude816 the tag on #11576 resulted in this issue being automatically closed when it got merged. Can you give this another try with a build from master and see if the issue persists? Alternatively, you can wait until the Vault 1.7.2 release, which should come out soon. Feel free to re-open if the PR doesn't address this issue!
Describe the bug
When using the vault agent for auto-auth with cert auth
To Reproduce
Steps to reproduce the behavior:
`sudo -u vault /usr/local/bin/vault agent -config=/etc/vault.d/vault.hcl`
Expected behavior
I expect the successful authentication with the token populated in the file specified in the config file.
Environment:
Vault server version (retrieve with `vault status`): 1.6.2 and 1.5.3
Vault CLI version (retrieve with `vault version`): 1.6.2 and 1.5.3
Vault server configuration file(s):
Vault agent config
```hcl
vault {
  tls_disable = false
  client_key  = "/etc/pki/tls/certs/machine.key"
  client_cert = "/etc/pki/tls/certs/machine.pem"
  ca_cert     = "/etc/pki/ca-trust/source/anchors/CA.pem"
  address     = "https://active.vault.service.consul.domain.us:8200"
}

pid_file        = "/var/vault/.pidfile"
exit_after_auth = false

auto_auth {
  method "cert" {
    name       = "p5520"
    mount_path = "cert/certs/test0"
  }

  sink "file" {
    config = {
      path = "/var/vault/token"
    }
  }
}
```
Additional context
Using the same certificate as the agent, I can authenticate just fine with the CLI and the API using curl:

```shell
sudo -u vault curl \
  --request POST \
  --cert "/etc/pki/tls/certs/machine.pem" \
  --key "/etc/pki/tls/certs/machine.key" \
  --data '{"name": "p5520"}' \
  https://active.vault.service.consul.domain.us:8200/v1/auth/cert/certs/test0/login
```

```json
{"request_id":"0cb89ae4-f353-f548-fef6-836f5d06d02d","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"s.IQHi4lE3OrG8A0vlskVuQG3L","accessor":"9fxoyhm3yPl0dq7PQhCEjSTz","policies":["test"],"token_policies":["test"],"metadata":{"authority_key_id":"06:d9:9f:85:c0:07:11:04:f2:72:49:74:20:22:25:35:9e:99:1a:3c","cert_name":"p5520","common_name":"p5520-ada.domain.us","serial_number":"345185377614830858","subject_key_id":"51:77:01:60:d8:22:a9:01:1e:79:05:68:f2:77:02:9b:3b:31:e3:00"},"lease_duration":2764800,"renewable":true,"entity_id":"5fcb2a3e-f22e-ceaa-d31b-9d387529d657","token_type":"service","orphan":true}}
```
```shell
sudo -u vault -E /usr/local/bin/vault login -method=cert -path=cert/certs/test0/ \
  -client-cert=/etc/pki/tls/certs/machine.pem \
  -client-key=/etc/pki/tls/certs/machine.key \
  name=p5520
```

```
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                            Value
token                          s.6qIIi9T7gvoOmLyVW7123456
token_accessor                 REhHEhJv89F3OYizwqr12345
token_duration                 768h
token_renewable                true
token_policies                 ["test"]
identity_policies
policies                       ["test"]
token_meta_common_name         p5520-ada.domain.us
token_meta_serial_number       345185377614830858
token_meta_subject_key_id      51:77:01:60:d8:22:a9:01:1e:79:05:68:f2:77:02:9b:3b:31:e3:00
token_meta_authority_key_id    06:d9:9f:85:c0:07:11:04:f2:72:49:45:20:22:25:35:9e:45:1a:3c
token_meta_cert_name           p5520
```
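As an added example (not the reporter's config and not HashiCorp's own), here is an agent config that contrasts the two placements discussed in this thread: the TLS client identity in the agent's `vault` stanza, which the reporter found works on 1.6.2, versus inside the `cert` method's `config` block, which keeps the identity scoped to the login step and uses the full `auth/...` mount path. The hostname, paths and `name` value are placeholders modelled on the report.

```hcl
# Added example: cert auto-auth with both placements discussed in the issue.
# Hostname, file paths and the role name are placeholders taken from the report.

vault {
  address = "https://active.vault.service.consul.domain.us:8200"
  ca_cert = "/etc/pki/ca-trust/source/anchors/CA.pem"

  # Placement A (what the reporter found works on 1.6.2): uncomment to present
  # the machine certificate on every agent-to-server TLS connection, not only
  # the auth request. That is the scoping concern raised in the thread.
  # client_cert = "/etc/pki/tls/certs/machine.pem"
  # client_key  = "/etc/pki/tls/certs/machine.key"
}

pid_file        = "/var/vault/.pidfile"
exit_after_auth = false

auto_auth {
  # Placement B: identity lives with the method that needs it. The mount path
  # is the full path under "auth/"; the first error in the thread shows the
  # login URL built without that prefix.
  method "cert" {
    mount_path = "auth/cert/certs/test0"
    config = {
      name        = "p5520"
      ca_cert     = "/etc/pki/ca-trust/source/anchors/CA.pem"
      client_cert = "/etc/pki/tls/certs/machine.pem"
      client_key  = "/etc/pki/tls/certs/machine.key"
    }
  }

  sink "file" {
    config = {
      path = "/var/vault/token"
      # Restrict who can read the sunk token on the host.
      mode = 0640
    }
  }
}
```

Placement B is the form the reporter could not get working on 1.6.2 and that the maintainer linked to #11576; on an affected build, placement A is the workaround at the cost of a wider-scoped client identity.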