TLS Setup for Wildcard Certificates


Adam Carlin

Dec 7, 2017, 6:03:04 PM
to Vault
Hi,

I am trying to set up Vault in production but wanted to use a wildcard certificate *.blahblah.net, and here's the config...

{
  "default_lease_ttl": "24h",
  "storage": {
    "consul": {
      "address": "XXX.XXX.XXX.XXX:8500",
      "path": "vault"
    }
  },
  "listener": {
    "tcp": {
      "address": "blah01.blahblah.net:8200",
      "tls_cert_file": "/var/lib/vault/ssl/digibundle.crt",
      "tls_key_file": "/var/lib/vault/ssl/vault.key"
    }
  },
  "telemetry": {
    "statsd_address": "poopybutthole.blahblah.net:20001"
  },
  "default_lease_ttl": "1h"
}

Then I issue a kill -1 to reload the config. No errors in the log here, and running vault status spits out...

Error checking seal status: Get https://XXX.XXX.XXX.XXX:8200/v1/sys/seal-status: x509: cannot validate certificate for XXX.XXX.XXX.XXX because it doesn't contain any IP SANs

Does the certificate have to have IP addresses associated with it? Can it not be associated with wildcard domains? If so, how?

Thanks,
Adam

Jeff Mitchell

Dec 7, 2017, 6:21:17 PM
to Vault
Hi Adam,

The certificate doesn't need to have IP SANs unless you connect to it via IP -- in which case it's critical :-)

If you connect to it via DNS name instead it ought to work fine.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/782f1d46-ed28-4d22-862c-a7a953807394%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
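Jeff's point can be checked offline with Go's own hostname verifier, which is what the vault CLI (a Go program) runs against the server certificate. The program below is an added example written for this thread, not code from the thread or from Vault: it generates a self-signed certificate in memory whose only SAN is the DNS wildcard *.blahblah.net (standing in for the poster's CA-issued bundle, which we never see) and asks the verifier whether various targets are covered. The hostnames are the ones from the post; the IP 203.0.113.10 is a constructed placeholder for the XXX.XXX.XXX.XXX the poster dialed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newWildcardCert builds a self-signed certificate whose only SAN is the DNS
// wildcard given. It deliberately sets no IPAddresses, so it has no IP SANs,
// mirroring a typical CA-issued *.example.net certificate. Constructed in
// memory for this example; it is not the poster's real certificate.
func newWildcardCert(wildcard string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: wildcard},
		DNSNames:     []string{wildcard}, // the only SAN; no IPAddresses entry
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckName applies the same check a Go TLS client performs after the
// handshake: does the name (or IP literal) that was dialed match one of the
// certificate's SANs? A nil result means the connection would be accepted.
func CheckName(cert *x509.Certificate, target string) error {
	return cert.VerifyHostname(target)
}

func main() {
	cert, err := newWildcardCert("*.blahblah.net")
	if err != nil {
		panic(err)
	}
	targets := []string{
		"blah01.blahblah.net",      // one label under the wildcard: accepted
		"203.0.113.10",             // IP literal: needs an IP SAN, which is absent
		"blahblah.net",             // the apex is not covered by *.blahblah.net
		"deep.blah01.blahblah.net", // a wildcard covers exactly one label
	}
	for _, t := range targets {
		fmt.Printf("%-26s -> %v\n", t, CheckName(cert, t))
	}
}
```

Running it prints `<nil>` for blah01.blahblah.net and, for the IP literal, the exact text from the poster's error ("x509: cannot validate certificate for 203.0.113.10 because it doesn't contain any IP SANs"); the apex and the two-label name fail too, which is worth remembering before assuming a wildcard covers everything in the zone. The fix on the client side is to dial the name the certificate carries, for example `VAULT_ADDR=https://blah01.blahblah.net:8200 vault status` (the `-address` flag does the same); only if Vault really must be reached by IP does the certificate need an IP SAN.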

Adam Carlin

Dec 7, 2017, 6:42:38 PM
to Vault
Ah, thanks for pointing out my dum dum :D I had issued the vault status command via IP instead of the URL, so after correcting that copy/paste error, it works flawlessly! Thanks and sorry! Long day :\