Understanding tls_require_and_verify_client_cert and client validation.


Bharath B

Dec 14, 2017, 7:39:34 AM
to Vault
Hello Team,

I am using Vault v0.7.3, and when I use tls_require_and_verify_client_cert in the Vault configuration, client validation fails with the error "2017/12/14 13:10:22 http: TLS handshake error from 10.255.14.95:26294: tls: failed to verify client's certificate: x509: certificate signed by unknown authority".

tls_cert_file in the listener block has the server certificate followed by the CA certificate, but this CA certificate is not being used by Vault for client validation.

If instead the CA certificate is included in the system bundle, then client validation succeeds, but the problem with this approach is that the system bundle is available to every user, and we don't want our CA certificate to be accessible to every user.

Why is the CA certificate in tls_cert_file not being used for client validation, and what is the use of the CA certificate in tls_cert_file?

Thanks in advance,
Bharath B

Jeff Mitchell

Dec 15, 2017, 10:11:20 AM
to Vault
Hi Bharath,

tls_cert_file holds the CA chain for the server cert. This is different from the CA chain for client validation, which can be specified with tls_client_ca_file.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7c494714-bfc0-4f31-ae49-76ad11a8dec4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bharath B

Dec 18, 2017, 12:05:26 AM
to Vault
Hi Jeff,

Thanks for the reply.

But Vault v0.7.3 doesn't have tls_client_ca_file; please let me know if this is correct and whether we have any other way to provide a CA for client validation.

Thanks and Regards,
Bharath B



Jeff Mitchell

Dec 18, 2017, 9:28:26 AM
to Vault
Hi Bharath,

On Mon, Dec 18, 2017 at 12:05 AM, Bharath B <bharath...@gmail.com> wrote:
> Hi Jeff,
>
> Thanks for the reply.
>
> But Vault v0.7.3 doesn't have tls_client_ca_file; please let me know if this
> is correct and whether we have any other way to provide a CA for client validation.

That is correct; the option appeared in 0.8.0.

Best,
Jeff
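The distinction Jeff draws, as an added Go example that is neither Vault's code nor part of this thread: crypto/tls, which Vault's listener is built on, verifies a presented client certificate only against ClientCAs (the pool tls_client_ca_file fills), and a nil pool means the system bundle, which is why a CA that is merely appended to tls_cert_file does not help. The function names and the throwaway private-ca/client certificates are constructed for this illustration, and the example shows both the failing (0.7.3-style, no client CA pool) and the passing configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a throwaway P-256 certificate for this constructed test PKI; a nil parent means self-signed CA.
func mkCert(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// VerifyClientCert is the check a crypto/tls server, Vault's listener included, runs on a presented client
// certificate when tls_require_and_verify_client_cert is set: a chain must build to a root in ClientCAs.
// A nil pool makes Go fall back to the system trust store; the CA appended to tls_cert_file is not consulted.
func VerifyClientCert(leaf *x509.Certificate, clientCAs *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: clientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo reproduces the thread's setup: a private CA issues the client cert. Verification fails with
// ClientCAs unset (no tls_client_ca_file, as in 0.7.3) and passes once the CA is loaded as ClientCAs.
func Demo() (unsetErr, setErr error) {
	ca, caKey := mkCert("private-ca", true, nil, nil)
	cli, _ := mkCert("client", false, ca, caKey)
	unsetErr = VerifyClientCert(cli, nil) // only the system bundle is searched: "unknown authority"
	pool := x509.NewCertPool()            // what tls_client_ca_file would load (0.8.0+)
	pool.AddCert(ca)
	setErr = VerifyClientCert(cli, pool)
	return unsetErr, setErr
}
```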