
Accurate errors when CA certificate file inaccessible #3471

Closed
brianshumate opened this issue Oct 18, 2017 · 2 comments

@brianshumate
Member

Environment:

  • Vault Version: Vault v0.8.3 ('6b29fb2b7f70ed538ee2b3c057335d706b6d4e36')
  • Operating System/Architecture: macOS 10.12.6

Vault Config File:

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = "false"
  tls_cert_file = "/tmp/vault.crt"
  tls_key_file = "/vault.key"
}

storage "file" {
  path    = "/tmp/data"
}

disable_mlock = 1
plugin_directory = "/tmp/plugins"

Expected Behavior:

Vault should stat the provided certificate file path and ensure that the file exists and is accessible to the Vault user before attempting to validate the certificate and provide a relevant error message (i.e. when the file does not exist) when it cannot do so.

Actual Behavior:

vault init -ca-cert=/path/to/nonexistent/certificate.crt
Error initializing Vault: Put https://localhost:8200/v1/sys/init: x509: certificate signed by unknown authority

Steps to Reproduce:

vault init -ca-cert=/path/to/nonexistent/certificate.crt

This would be super helpful for avoiding extraneous certificate signed by unknown authority errors, which in turn can become a false lead for troubleshooting.
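The check the report asks for, as an added Go example that is not Vault's own code: a CA loader that stats the path first and returns a distinct error for a missing or unreadable file, for a directory, and for a readable file that holds no PEM certificate, so a nonexistent -ca-cert can never be silently ignored and surface later as a misleading "unknown authority" error. LoadCAPool and ErrNoCertsInFile are assumed names; the paths and file contents used in main are constructed.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// ErrNoCertsInFile is returned when the file is readable but contains no PEM certificate.
var ErrNoCertsInFile = errors.New("no PEM-encoded certificates found")

// LoadCAPool reads a CA bundle from path and returns a cert pool. Each failure
// mode carries its own cause, so a caller never reaches the TLS handshake (and
// an x509 "certificate signed by unknown authority" error) with an unread file.
func LoadCAPool(path string) (*x509.CertPool, error) {
	// Stat first: separates "missing" and "permission denied" from
	// "present but unparsable" before any connection is attempted.
	info, err := os.Stat(path)
	if err != nil {
		return nil, fmt.Errorf("CA file %q is not accessible: %w", path, err)
	}
	if info.IsDir() {
		return nil, fmt.Errorf("CA file %q is a directory, not a file", path)
	}
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading CA file %q: %w", path, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("CA file %q: %w", path, ErrNoCertsInFile)
	}
	return pool, nil
}

func main() {
	// Constructed inputs: a nonexistent path and a temp file that is not a certificate.
	if _, err := LoadCAPool("/path/to/nonexistent/certificate.crt"); err != nil {
		fmt.Println(err)
	}
	tmp, _ := os.CreateTemp("", "notacert-*.crt")
	tmp.WriteString("this is not a certificate\n")
	tmp.Close()
	defer os.Remove(tmp.Name())
	if _, err := LoadCAPool(tmp.Name()); err != nil {
		fmt.Println(err)
	}
}
```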

@jefferai jefferai added this to the 0.9.1 milestone Nov 30, 2017
@chrishoffman
Contributor

I have been unable to recreate this issue. When I run vault init with a missing CA certificate, I get the following.

$ vault init -ca-cert=/path/to/nonexisting/certificate.crt
Error initializing client: Error loading CA File: open /path/to/nonexisting/certificate.crt: no such file or directory

@brianshumate
Member Author

Hmmm, I originally reported this on v0.8.3 and when I try those versions, it appears that the non-existent -ca-cert path is simply ignored:

$ vault version
Vault v0.8.3 ('6b29fb2b7f70ed538ee2b3c057335d706b6d4e36')

$ vault init -ca-cert=/path/to/nonexisting/certificate.crt
Unseal Key 1: IoEJGGcV6WJmu6WNJ8srEHvuJybhPAEPfRpgB6XTziMY
Unseal Key 2: UCSJaRKRssjIqvy86A/rOqIs67x0BFb+429wVd1GdrDR
Unseal Key 3: YL8wFzO3WZr2RfWXCx5weFoQJo27Urv+Yu81bixZrbII
Unseal Key 4: glHxpvezHWgZxp8S2g6EZJOf/Aa0V6WKov9DdfkLtVMf
Unseal Key 5: qihrNPruZ3mjoOYsmO8/dUGAKF3Lc4qAeZjY9wPXZWcC
Initial Root Token: a77974a8-49c6-278f-b62f-c2446c65e552

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.

which sets up the originally reported issue.

That said, I can confirm that this is fixed in v0.9.0 and I get the same error you do.

Going to close this now, thanks @chrishoffman!
