Using PKI backend to generate Consul Certs - key usage error


Chris

Jan 25, 2016, 3:09:46 PM
to Vault
So I got the latest Vault update and was messing around with using the PKI backend to generate certificates for Consul Raft, and I'm running into an issue. Consul requires that the cert be configured for Server and Client auth, which the PKI backend sets by default, so OK. Here's the pki role I'm using:


 vault read pki/roles/role-name
Key                        Value
key_type                   rsa
lease
allowed_domains            fakedomain.com
allow_bare_domains         false
client_flag                true
code_signing_flag          false
allow_any_name             false
allowed_base_domain
email_protection_flag      false
key_bits                   2048
lease_max
server_flag                true
allow_localhost            true
allow_ip_sans              true
allow_subdomains           true
allow_token_displayname    false
enforce_hostnames          true
max_ttl                    52600h
ttl                        (system default, capped to role max)
use_csr_common_name        true
allow_base_domain          false

Generating the cert and evaluating it with openssl I can see the extensions:


X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

Comparing to a certificate that did work, the only difference I can see is "X509v3 Key Usage: critical". I'm not super familiar with what the critical stands for but from the info I can find, it sounds like with critical set, the cert could be rejected if it is not used explicitly for all of those purposes, but maybe I'm reading it wrong.

The Consul error log shows:


2016/01/25 19:51:27 [ERR] raft: Failed to make RequestVote RPC to x.x.x.x:8300: remote error: bad certificate
2016/01/25 19:51:28 [ERR] consul.rpc: failed to read byte: tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage
With the option available to me through Vault API or client, I don't see a way to generate the cert any different to make it work with Consul. Can anyone help out here?
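Consul is written in Go, and the second log line above is the text of Go's x509.IncompatibleUsage error, which crypto/x509 raises when a certificate somewhere in the chain carries an Extended Key Usage list that omits the usage the connection needs; Go's chain verification does not look at the Key Usage bits or at their critical flag. The Go snippet below is an added example, not code from this thread, Vault or Consul: it issues a throwaway CA and a leaf with the extensions shown above (names, serials and lifetimes are constructed) and runs the same x509.Verify check Consul's TLS stack runs, going beyond the thread by letting the CA's own EKU list be restricted so the failing and passing cases can be compared offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a 24h certificate template. A leaf gets the Key Usage bits of the Vault-issued
// cert in the thread (Go, like Vault, marks that extension critical); eku is its Extended Key
// Usage list, nil meaning unrestricted. isCA switches to CA basic constraints and key usage.
func template(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // constructed name, not a real host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage:  eku,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl under parent with signKey; pass tmpl as parent and key as signKey to self-sign.
func issue(tmpl, parent *x509.Certificate, key, signKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForUsage is the chain check a Go TLS peer such as Consul runs on a peer certificate:
// x509.Verify with the Extended Key Usage the connection needs. Go ignores Key Usage bits and
// their critical flag here, but any chain member carrying an EKU list without the needed usage
// makes verification fail with "x509: certificate specifies an incompatible key usage".
func verifyForUsage(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

With an unrestricted CA the leaf passes for both server and client auth despite the critical Key Usage extension; a CA whose own EKU list holds only server auth makes the client-auth check fail with exactly the error Consul logged.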

Jeff Mitchell

Jan 25, 2016, 4:45:35 PM
to vault...@googlegroups.com
Hi,

I believe this issue is already fixed in master
(https://github.com/hashicorp/vault/issues/846). Any chance you can
try that? I can make a build for you if needed, or simply fetch the
git repo and run "make dev" if you have a working Go install.

Thanks,
Jeff

Chris

Jan 25, 2016, 5:09:17 PM
to Vault
Oh, shoot! I guess I should've checked GitHub. Is this a change that will be going into the next major release? I'm wondering about the dangers of trading my "official" build for a dev build on a production system...

Jeff Mitchell

Jan 25, 2016, 6:32:33 PM
to vault...@googlegroups.com

Hi Chris,

This change will indeed be in the next version. If you wanted to check that things were fixed you could set up a dev Vault server with the same role parameters and issue a cert, then pull it into a dev Consul to make sure it accepts it.

--Jeff
