How to use the local `vault` CLI when using TLS


Vincent Cardillo

Sep 27, 2017, 4:40:35 PM
to Vault
Hello,

So let's assume we successfully have TLS working with Vault, via a DNS name, using a cert signed by a real CA.

Now, what is the appropriate way to use the CLI on the local machine? For example, if I'm on a particular Vault box, and want to ask it questions:

```
$ vault status
Error checking seal status: Get https://172.16.0.117:8200/v1/sys/seal-status: x509: cannot validate certificate for 172.16.0.117 because it doesn't contain any IP SANs
```

I understand what the error is saying, and why it's happening. However, what's the proper approach here? I don't want to set VAULT_ADDR to the DNS name, because then I don't know what machine the request is going to. Is there an equivalent `-k` option for the CLI, like there is for curl?

Thanks for any help,
Vincent




Joel Thompson

Sep 27, 2017, 4:54:19 PM
to vault...@googlegroups.com
Hi Vincent,

You can use the VAULT_SKIP_VERIFY environment variable (see https://www.vaultproject.io/docs/commands/environment.html) or the -tls-skip-verify (https://github.com/hashicorp/vault/blob/c3251b27b8115c629952bd2e2263ddb93d5bf1a3/meta/meta.go#L201) command-line flag to disable TLS certificate validation.

However, I'd recommend having a cluster DNS address and individual machine DNS addresses that you can query as well. The machines would have a TLS cert with their machine name and the cluster DNS name as SANs. This allows you to use verified TLS connections to both the cluster and to individual machines.

--Joel

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/e29814c4-b053-41a7-918f-6fa797f1e002%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
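Joel's recommendation above is that each machine's certificate carry both its own machine name and the cluster DNS name as SANs, so verified TLS works for either address. The script below is an added example, not code from the thread or from the Vault project: it builds such a certificate with openssl (all names are constructed placeholders) and then runs openssl's own hostname and IP checks against it, the same checks a TLS client performs, to show that both DNS names validate while a bare IP address still fails the way Vincent's `vault status` did.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a cert whose SANs
# cover a cluster DNS name and an individual node name, then see which
# addresses a TLS client would accept it for. Requires openssl >= 1.1.1.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed placeholder names; substitute your own cluster and node names.
CLUSTER_NAME="vault.example.internal"
NODE_NAME="vault-node1.example.internal"

# gen_cert: self-signed test cert with SAN entries for both names.
# (In production the same SAN list goes into the CSR sent to the real CA.)
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -subj "/CN=$NODE_NAME" \
    -addext "subjectAltName=DNS:$CLUSTER_NAME,DNS:$NODE_NAME" >/dev/null 2>&1
}

# cert_sans: print the SAN entries of cert $1, one per line
# (e.g. "DNS:vault.example.internal" or "IP Address:172.16.0.117").
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# verifies_for: exit 0 if cert $1 validates for address $2 using OpenSSL's
# own hostname/IP matching. A dotted-quad is checked as an IP, anything
# else as a DNS name, mirroring what the Vault CLI's Go TLS client does.
verifies_for() {
  cert="$1"; target="$2"
  case "$target" in
    *[!0-9.]*) openssl verify -CAfile "$cert" -verify_hostname "$target" "$cert" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$cert" -verify_ip "$target" "$cert" >/dev/null 2>&1 ;;
  esac
}

# demo: show the SAN list and the verification result for each address.
demo() {
  gen_cert
  echo "SANs in $WORKDIR/cert.pem:"
  cert_sans "$WORKDIR/cert.pem"
  for target in "$CLUSTER_NAME" "$NODE_NAME" "172.16.0.117"; do
    if verifies_for "$WORKDIR/cert.pem" "$target"; then
      echo "OK   $target"
    else
      echo "FAIL $target (no matching SAN: this is the 'doesn't contain any IP SANs' case)"
    fi
  done
}

demo
```

Setting `VAULT_ADDR` to `https://vault-node1.example.internal:8200` on that node then gives a verified connection to that one machine, while the cluster name can stay reserved for clients that do not care which node answers.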

Vincent Cardillo

Sep 27, 2017, 6:45:41 PM
to Vault
Thanks Joel. That makes a lot of sense. And thank you for your quick response, too.

Vincent