Vault fails to find any PEM data in certificate input


Rajinder Singh

Jan 16, 2017, 9:35:24 AM1/16/17
to Vault
I am using Vault version v0.6.4

We have a wild card certificate issued by digicert.

It was a pfx file.

First I converted the pfx to an encrypted key file
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

I extracted the crt file

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [vault.crt]

I extracted the unencrypted key file
openssl rsa -in [keyfile-encrypted.key] -out [vault.key]


vault.crt and vault.key were copied to the c:\opt\vault\data directory

vault.crt looks like this:
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

vault.key looks like this:
-----BEGIN RSA PRIVATE KEY-----
xxx
-----END RSA PRIVATE KEY-----

Here is what the vault.hcl looks like:

backend "consul" {
  path = "vault"
  address = "127.0.0.1:8500"
}

cluster_name = "myclustername"
disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:\\opt\\vault\\data\\vault.crt"
  tls_key_file = "C:\\opt\\vault\\data\\vault.key"
}

Here is the error I am seeing repeatedly.

Error initializing listener of type tcp: error loading TLS cert: tls: failed to find any PEM data in certificate input

Do I need to add the intermediate CA cert?
What else can cause this error?

Thanks



Jeff Mitchell

Jan 16, 2017, 10:25:46 AM1/16/17
to vault...@googlegroups.com
Hi,

Any chance you can share vault.crt (not the private key, just the public certificate)?

Thanks,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/4fa38833-a69a-4afa-b25a-bd8a8a1e2331%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rajinder Singh

Jan 16, 2017, 11:52:16 AM1/16/17
to Vault
I have attached the public crt file.

Thanks

Attachment: vault.crt

Jeff Mitchell

Jan 16, 2017, 12:17:18 PM1/16/17
to vault...@googlegroups.com
Hi Rajinder,

Your certificate file has a bunch of text at the top (seems like Chef
data bag attributes?) -- this is probably confusing the parser in Go,
which is expecting a pure PEM file.

Best,
Jeff

Rajinder Singh

Jan 16, 2017, 12:30:39 PM1/16/17
to Vault
I had removed the stuff at the top so it looked like this. I got the error when the certificate looked like the format below.

-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

Jeff Mitchell

Jan 16, 2017, 1:58:18 PM1/16/17
to vault...@googlegroups.com
Hi Rajinder,

I'm still trying to dig into this, although so far without luck. The
error you're seeing comes from this line in Go:
https://golang.org/src/crypto/tls/tls.go#L213

In this test program: https://play.golang.org/p/6mp1k5HCoh I replicate
the logic leading up to that line exactly with your certificate and do
not see the same error.

Can you double check that the file you're giving to Vault contains the
proper PEM headers/footers without any extra items before/after?

Thanks,
Jeff

Rajinder Singh

Jan 16, 2017, 3:49:29 PM1/16/17
to Vault
Jeff,

Thanks for trying to help me. I get better support here than paid support I get from many other vendors.

We are on the Azure platform on Windows. A PowerShell script stored in Azure Blob Storage was creating the vault.crt/vault.key files on the vault instance.
My guess is that there were some invisible characters that were causing this error.


I was told by my team to use a self-signed cert.
I tried a self-signed certificate and it worked fine.


Raj

Jeff Mitchell

Jan 16, 2017, 4:04:20 PM1/16/17
to vault...@googlegroups.com
Hi Raj,

Glad to hear that you've made some progress! Hopefully you'll be able
to trim the original files successfully so everything works with the
original cert.

Best,
Jeff

Rajinder Singh

Jan 18, 2017, 8:14:08 PM1/18/17
to Vault
Jeff,

I did find out the cause of the PEM error.
It was an encoding issue.
PowerShell was writing the vault.crt and vault.key in Unicode.
I changed the encoding to ASCII and the issue went away.


Raj
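The root cause above (a PEM file written as UTF-16, which Windows PowerShell 5.x Out-File produces by default under the name "Unicode") can be reproduced and checked for in a few lines of Go, since Vault's error comes straight from Go's crypto/tls. The program below is an added example, not code from Vault or from anyone in this thread: it generates a throwaway self-signed certificate in memory (constructed test material, not the Digicert certificate discussed), re-encodes it the way PowerShell did, shows tls.X509KeyPair failing with the exact message from the thread, and then shows an encoding check and a normalisation step a config loader could run before handing the bytes to TLS. The function names (Encoding, NormalizePEM, LoadKeyPair, SelfSignedPEM, EncodeUTF16LE) and the hostname vault.example.test are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
	"unicode/utf16"
)

// Encoding classifies a file's text encoding from its BOM and NUL bytes.
// "ascii" means plain 7-bit/UTF-8 text with no BOM, which is what PEM
// parsers (encoding/pem, and therefore crypto/tls and Vault) expect.
func Encoding(data []byte) string {
	switch {
	case bytes.HasPrefix(data, []byte{0xEF, 0xBB, 0xBF}):
		return "utf-8-bom"
	case bytes.HasPrefix(data, []byte{0xFF, 0xFE}):
		return "utf-16le-bom"
	case bytes.HasPrefix(data, []byte{0xFE, 0xFF}):
		return "utf-16be-bom"
	case bytes.IndexByte(data, 0) >= 0:
		// PEM text never contains NUL; interleaved NULs mean BOM-less UTF-16.
		return "utf-16-nobom"
	default:
		return "ascii"
	}
}

// NormalizePEM converts a BOM-prefixed or UTF-16 encoded PEM file into the
// plain byte form that encoding/pem understands. Plain input is returned as-is.
func NormalizePEM(data []byte) []byte {
	switch Encoding(data) {
	case "utf-8-bom":
		return data[3:]
	case "utf-16le-bom":
		return decodeUTF16(data[2:], false)
	case "utf-16be-bom":
		return decodeUTF16(data[2:], true)
	case "utf-16-nobom":
		return decodeUTF16(data, false) // assume little-endian, as Windows tools emit
	}
	return data
}

// decodeUTF16 turns raw UTF-16 code units (no BOM) back into UTF-8 bytes.
func decodeUTF16(b []byte, bigEndian bool) []byte {
	units := make([]uint16, 0, len(b)/2)
	for i := 0; i+1 < len(b); i += 2 {
		if bigEndian {
			units = append(units, uint16(b[i])<<8|uint16(b[i+1]))
		} else {
			units = append(units, uint16(b[i+1])<<8|uint16(b[i]))
		}
	}
	return []byte(string(utf16.Decode(units)))
}

// EncodeUTF16LE mimics PowerShell's default Out-File output (BOM FF FE followed
// by little-endian code units). It exists only to construct the failing input.
func EncodeUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := append(make([]byte, 0, 2+2*len(units)), 0xFF, 0xFE)
	for _, u := range units {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

// SelfSignedPEM builds a throwaway self-signed certificate and EC key in memory.
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault.example.test"}, // hypothetical host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// LoadKeyPair is the pre-check a loader could run: name the encoding problem
// instead of surfacing the bare "failed to find any PEM data" error.
func LoadKeyPair(certData, keyData []byte) (tls.Certificate, error) {
	for name, d := range map[string][]byte{"cert": certData, "key": keyData} {
		if enc := Encoding(d); enc != "ascii" {
			return tls.Certificate{}, fmt.Errorf("%s file is %s encoded; PEM must be plain ASCII/UTF-8 without BOM", name, enc)
		}
	}
	return tls.X509KeyPair(certData, keyData)
}

func main() {
	certPEM, keyPEM, err := SelfSignedPEM()
	if err != nil {
		panic(err)
	}
	bad := EncodeUTF16LE(string(certPEM)) // what the PowerShell script wrote
	_, err = tls.X509KeyPair(bad, keyPEM)
	fmt.Println("utf-16 cert, raw crypto/tls:", err)
	_, err = LoadKeyPair(bad, keyPEM)
	fmt.Println("utf-16 cert, with check:", err)
	_, err = tls.X509KeyPair(NormalizePEM(bad), keyPEM)
	fmt.Println("after NormalizePEM:", err)
}
```

The NUL-byte heuristic in Encoding is the quickest on-host check as well: a PEM file that contains any 0x00 byte was not written as ASCII, whatever its extension says.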

Jeff Mitchell

Jan 18, 2017, 8:17:58 PM1/18/17
to vault...@googlegroups.com
Great!
