Describe the bug
I am having issues relating to setting up a plugin for Vault. While Vault works fine and I could get the secrets via the injector with TLS enabled, setting up plugins is hitting a roadblock.
While writing the config file for the plugin, I get the error.
To Reproduce
```shell
vault write sys/plugins/catalog/secret/op-connect \
    sha_256="$(sha256sum /vault/data/plugins/op-connect | cut -d " " -f1)" \
    command="op-connect -ca-cert=/vault/userconfig/vault-server-tls/vault.ca"
vault secrets enable --plugin-name='op-connect' --path="op" plugin
# I get an issue here
vault write op/config @op-connect-config.json
```

```
secrets.op-connect.op-connect_96388717.op-connect.op-connect: plugin tls init: error="error during token unwrap request: Put \"https://10.4.1.8:8200/v1/sys/wrapping/unwrap\": x509: certificate is valid for 127.0.0.1, 34.xx.xx.xx, not 10.4.1.8" timestamp=2022-02-17T18:06:44.542Z
2022-02-17T18:06:44.547Z [INFO] http: TLS handshake error from 10.4.1.8:43720: remote error: tls: bad certificate
```
Not sure why the API_ADDR is the pod IP, which is not present in the SAN of the CSR, as seen below.
Vault Server Version (retrieve with vault status):

```
$ vault status
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.9.3
Storage Type            raft
Cluster Name            vault-cluster-9145a1af
Cluster ID              185abbbc-2241-3420-93b4-8e094ee35709
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2022-02-17T17:42:03.729233783Z
Raft Committed Index    246
Raft Applied Index      246
```
Hi, @SachinMaharana. Thank you for your engagement! Our use of GitHub issues is meant to enable the Vault community to submit feature requests and bug reports. The Vault Discuss forum is the best venue to seek feedback on general usage issues. It appears that you have submitted a similar issue there already. As such, I'm going to close this issue.
The problem reported here relates in part to the issue #15070 that I opened.
Specifically, Vault plugins connect back to the api_addr of the Vault that started them, as part of their initialization.
This is an obscure detail that I haven't found documented anywhere, and needed to learn from the source code.
Therefore what is going wrong here is that the user is attempting to run a Vault configured with an SSL certificate that is not valid for the hostname/IP address in its configured api_addr.
My issue #15070 goes into further detail about why I think plugins should not use api_addr as part of their initialization.
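The failure in the original report and the explanation in the comment above come down to one check: when the plugin dials api_addr to unwrap its token, Go's TLS client requires the host part of that URL to appear in the server certificate's SANs. As an added example (not code from the issue, from 1Password's op-connect plugin, or from Vault itself), the Go program below constructs a self-signed certificate whose SANs cover only 127.0.0.1 and vault-0.vault-internal and then runs the same x509 hostname check against two candidate api_addr values, one of which is the pod IP 10.4.1.8 taken from the log. makeServerCert and checkAPIAddr are names chosen here, and the SAN list is an assumption modelled on the log, not the poster's actual CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// makeServerCert builds a self-signed server certificate whose only identities
// are the given SAN entries. It is a constructed test fixture standing in for the
// Vault listener certificate; it is not the poster's certificate or CSR.
func makeServerCert(dnsNames []string, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ipAddrs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		ipAddrs = append(ipAddrs, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ipAddrs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAPIAddr applies the hostname check Go's TLS client performs when a
// plugin dials api_addr: the host part of the URL (DNS name or IP literal) must
// be listed in the certificate's SANs. It returns nil on success and the x509
// HostnameError otherwise, which is the "certificate is valid for ..., not ..."
// text seen in the plugin log.
func checkAPIAddr(cert *x509.Certificate, apiAddr string) error {
	u, err := url.Parse(apiAddr)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	// Certificate with SANs only for loopback and the internal service name
	// (assumed SAN set, modelled on the log above).
	cert, err := makeServerCert([]string{"vault-0.vault-internal"}, []string{"127.0.0.1"})
	if err != nil {
		panic(err)
	}
	// Second address is the pod IP the plugin was handed as api_addr in the log.
	for _, addr := range []string{"https://127.0.0.1:8200", "https://10.4.1.8:8200"} {
		if err := checkAPIAddr(cert, addr); err != nil {
			fmt.Printf("%s: FAIL: %v\n", addr, err)
		} else {
			fmt.Printf("%s: ok\n", addr)
		}
	}
}
```

The loopback address passes and the pod IP fails with the same HostnameError the plugin reported. The two general remedies follow directly: either issue the listener certificate with every host that api_addr can take (a pod IP is a poor choice here because it changes on reschedule), or set api_addr to a stable name the certificate already covers, such as the internal service DNS name, so the plugin dials an identity the SAN list actually contains.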
My CSR config is
Any hint would be of great help. Thanks
Expected behavior
Expected the plugin to work
Environment:
Vault Server Version (retrieve with vault status): see the output above
Vault CLI Version (retrieve with vault version):
Server Operating System/Architecture: Kubernetes with vault helm chart, HA, Integrated Storage, TLS enabled
Vault server configuration file(s):