Agent unable to connect to Vault because of cert issue #62

Closed
andrewjkeith opened this issue Oct 7, 2022 · 4 comments

andrewjkeith commented Oct 7, 2022

I'm having a problem with a puppet agent connecting to the vault cluster because of a cert issue. The vault endpoint is a puppet agent as well under the same primary server.
The vault listener is setup with a cert that was created off of our root issuing cert infra, but the puppet CA cert is separate.
The agent is setup to trust any cert signed by the root cert, but it appears the Puppet HTTP client is not trusting the cert.
I have tried adding the vault cert to the agent's CA bundle as described here: https://support.puppet.com/hc/en-us/articles/115000390993-Add-certificates-to-the-Puppet-certificate-bundle-in-Puppet-Enterprise
(I know I'm trying the approle auth that was just released but I suspect I would have this same issue with cert auth.)

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 2019.8.11 / 6.27.0
  • Distribution: RHEL 8
  • Module version: d00dda5

How to reproduce (e.g Puppet code you use)

  $role_id = 'xxxxxx'
  $secret_id = 'yyyyy'

  $d = Deferred('vault_lookup::lookup', ['aws/creds/build_role', 'https://vault:8200', nil, nil, nil, nil, 'approle', $role_id, $secret_id, nil])

  notify { 'vault':
    message => $d,
  }

Vault tcp listener

      "tcp": {
        "address": "<ipaddr>:8200",
        "tls_cert_file": "/etc/vault/vault.cer",
        "tls_key_file": "/etc/vault/vault.key"
      }

What are you seeing

when puppet is run:

Failed to apply catalog: certificate verify failed [unable to get local issuer certificate for ,CN=vault,OU=....]

What behaviour did you expect instead

successful puppet run

BobSF67 commented Oct 10, 2022

I think you need to use actual values where you have 'nil' or at least use '', but I don't think the .nil checks in the code will handle that right.

I think the code needs something like this:
if name.nil? || name.empty?

@andrewjkeith (Author)

@BobSF67
I'm fairly certain that the function is getting to the API call in get_token. I have added more info in the OP.

@natemccurdy (Contributor)

@andrewjkeith nil in Puppet is treated as the literal string "nil". Since the lookup function takes positional arguments, you'll want to use undef instead.

For example, try this:

$role_id = 'xxxxxx'
$secret_id = 'yyyyy'

$d = Deferred('vault_lookup::lookup', ['aws/creds/build_role', 'https://vault:8200', undef, undef, undef, undef, 'approle', $role_id, $secret_id])

notify { 'vault':
  message => $d,
}

Also note that as of PR #64, you can use a hash of options rather than positional arguments, which would make this simpler for you.
However, that change hasn't been released yet, so you'll need to wait for the next version of this module after 0.6.0.

$role_id = 'xxxxxx'
$secret_id = 'yyyyy'

# This will only work after version 0.6.0 of the module:
$d = Deferred('vault_lookup::lookup', ['aws/creds/build_role', {
  'vault_addr'  => 'https://vault:8200',
  'auth_method' => 'approle',
  'role_id'     => $role_id,
  'secret_id'   => $secret_id,
}])

notify { 'vault':
  message => $d,
}

@natemccurdy (Contributor)

Closing this issue as the problem was due to improperly calling the function with positional arguments. Use undef instead of nil. Or even better, use the options hash as the 2nd argument like in the example from my comment above.

The options hash feature is available as of version 0.7.0.
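The two replies above turn on one Puppet detail: the bareword `nil` in the DSL reaches a Ruby-implemented function as the String "nil", while `undef` reaches it as Ruby nil, and a positional signature has no way to tell the difference from a real value. The following is an added example in Ruby (the language Puppet functions are written in); it is not the vault_lookup module's own code. It shows a normaliser that accepts either the positional list or the options hash, refuses the leaked "nil" string with a pointer to `undef`, and validates the pieces the approle call needs. The positional parameter names and their order, and the 'cert' default, are assumptions made for this illustration; the module's own function signature is the authority for the real ones.

```ruby
# Added example, not the vault_lookup module's own code.
# In the Puppet DSL the bareword `nil` is a String ("nil") by the time it reaches
# a Ruby function; only `undef` arrives as Ruby nil. This normaliser shows the
# consequence for a positional signature and how an options-hash form avoids it.

# Positional parameter order ASSUMED for this example (hypothetical, shorter
# than the real function); check the module's own signature for the real one.
POSITIONAL = %w[vault_addr namespace field auth_method role_id secret_id].freeze
DEFAULT_AUTH_METHOD = 'cert'.freeze # assumed default, for the example only

# "Absent" the way a Puppet caller means it: undef (nil) or an empty string.
def blank?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Accepts (path, *positionals) or (path, options_hash) and returns one
# validated Hash with String keys. Raises ArgumentError on misuse.
def normalise_options(path, *rest)
  raise ArgumentError, 'path is required' if blank?(path)

  opts =
    if rest.length == 1 && rest.first.is_a?(Hash)
      rest.first.transform_keys(&:to_s)
    else
      raise ArgumentError, "at most #{POSITIONAL.length} positional options" if rest.length > POSITIONAL.length
      POSITIONAL.zip(rest).to_h # missing trailing positionals become nil
    end

  unknown = opts.keys - POSITIONAL
  raise ArgumentError, "unknown option(s): #{unknown.join(', ')}" unless unknown.empty?

  # The bareword leak: the caller wrote `nil` in Puppet and we received the
  # String "nil". Treated as a real value it would be sent to Vault as a
  # namespace, field, role_id, etc., so refuse it and say what to write instead.
  opts.each do |name, value|
    next unless value == 'nil'
    raise ArgumentError, "#{name}: got the string \"nil\"; use undef or omit the key from the options hash"
  end

  opts = opts.reject { |_, value| blank?(value) }
  opts['auth_method'] ||= DEFAULT_AUTH_METHOD

  addr = opts['vault_addr']
  raise ArgumentError, 'vault_addr is required' if blank?(addr)
  raise ArgumentError, 'vault_addr must be an https:// URL' unless addr.start_with?('https://')

  if opts['auth_method'] == 'approle' && (blank?(opts['role_id']) || blank?(opts['secret_id']))
    raise ArgumentError, 'approle auth needs role_id and secret_id'
  end

  { 'path' => path }.merge(opts)
end

# Convenience wrapper so callers can inspect failures without a rescue block.
def try_normalise(*args)
  [:ok, normalise_options(*args)]
rescue ArgumentError => e
  [:error, e.message]
end

if $PROGRAM_NAME == __FILE__
  # Same intent three ways: the bareword form from the issue, the undef form,
  # and the options-hash form from the maintainer's reply.
  p try_normalise('aws/creds/build_role', 'https://vault:8200', 'nil', 'nil', 'approle', 'r', 's')
  p try_normalise('aws/creds/build_role', 'https://vault:8200', nil, nil, 'approle', 'r', 's')
  p try_normalise('aws/creds/build_role', { 'vault_addr' => 'https://vault:8200',
                                            'auth_method' => 'approle', 'role_id' => 'r', 'secret_id' => 's' })
end
```

The first call fails with a message naming the offending parameter, the second and third produce the same hash. The hash form also rejects misspelled keys, which a positional signature cannot do; that is the practical reason the options-hash form is the safer one to recommend.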
