applications fail with 'client certificate must be supplied'


paul.car...@gmail.com

Jan 31, 2018, 12:02:28 PM1/31/18
to Vault
I have a Go library that accesses vault using the golang API. My tests work fine, running it in docker and minikube, but when I update the glide.yaml in the applications that use this code to use vault 0.9.x as opposed to 0.8.3 they fail to log in with 'client certificate must be supplied'...

2018-01-31T17:00:32.7209004 info    keymgr.go:924   certificate login error: at keymgr.go:618 - key mangager write operation on auth/mgmt/login failed, Error making API request.

Code: 400. Errors:

* client certificate must be supplied

As I say I have my test application that works fine, that uses go dep to build the vendor directory.

Any ideas?

Thanks

Paul

Chris Hoffman

Jan 31, 2018, 12:09:35 PM1/31/18
to vault...@googlegroups.com
I'm not sure why this issue has just started happening, but in 0.9.0 an option was added to vault's config to disable client cert checking. The default behavior of vault is to request the certs when they are available, but this can cause problems in certain situations, so the config option was added.


Chris


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8379d8ea-4dad-4828-9ab7-b5979880c8ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

paul.car...@gmail.com

Jan 31, 2018, 12:18:08 PM1/31/18
to Vault
This is the right area, but I have not set this, so I'd expect client certificates to be passed through. The call that is failing is an attempt to log in using a client certificate, so the certificate is pretty much required!
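The two posts above describe the two halves of the problem: the listener decides whether to ask for a client certificate at all, and the login endpoint can only validate a certificate the TLS layer actually received. The following Go program is an added example (not code from this thread, and not Vault's or HashiCorp's code) that reproduces both halves against a local TLS listener. It assumes that the listener option Chris refers to is `tls_disable_client_certs`, which the thread does not name; `loginHandler` is a hypothetical stand-in for the early check in a cert-based login backend; the CN `secmgr` and the path `/v1/auth/mgmt/login` are taken from Paul's certificate dump and log line; the server name `vault.local` and all certificates are constructed on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newCert mints a throwaway self-signed ECDSA certificate (constructed for this
// example; not a Vault, HPE or "mgmt CA" certificate) carrying a single EKU.
func newCert(cn string, eku x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// loginHandler is a hypothetical stand-in for the first check of a cert-based
// login endpoint: with no peer certificate from the TLS layer there is nothing
// to authenticate, so the request is refused with the error seen in the thread.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate must be supplied", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "authenticated as %s", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// AttemptLogin performs one login round trip against a local TLS listener and
// returns the HTTP status code and the trimmed body. listenerRequestsCerts=true
// models the default behaviour (the listener asks for a client certificate but
// leaves validation to the login handler); false models a listener on which
// client-certificate requests have been disabled.
func AttemptLogin(listenerRequestsCerts, clientPresentsCert bool) (int, string, error) {
	serverCert, err := newCert("vault.local", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return 0, "", err
	}
	policy := tls.NoClientCert
	if listenerRequestsCerts {
		policy = tls.RequestClientCert
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(loginHandler))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy}
	srv.StartTLS()
	defer srv.Close()

	// The client trusts only the constructed server certificate and, when asked
	// to, presents its own constructed client certificate.
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	clientTLS := &tls.Config{RootCAs: roots}
	if clientPresentsCert {
		clientCert, err := newCert("secmgr", x509.ExtKeyUsageClientAuth)
		if err != nil {
			return 0, "", err
		}
		clientTLS.Certificates = []tls.Certificate{clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: clientTLS}}
	resp, err := client.Post(srv.URL+"/v1/auth/mgmt/login", "application/json", strings.NewReader("{}"))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

func main() {
	for _, c := range [][2]bool{{true, true}, {true, false}, {false, true}} {
		code, body, err := AttemptLogin(c[0], c[1])
		fmt.Printf("listenerRequestsCerts=%v clientPresentsCert=%v -> %d %q err=%v\n", c[0], c[1], code, body, err)
	}
}
```

The three runs show why the error alone does not localise the fault: the handler answers 400 "client certificate must be supplied" both when the client has no certificate configured and when the listener never issues a CertificateRequest, because a TLS client only sends its certificate when asked. When debugging a report like Paul's, the listener's client-cert setting and the client's TLS configuration (including which TLS library version the vendored dependencies resolved to) therefore both need to be checked, not just the certificate file itself.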

Chris Hoffman

Jan 31, 2018, 12:20:59 PM1/31/18
to vault...@googlegroups.com
I misunderstood that you were trying to login with certs :). Can you provide an example cert that you are trying to log in with?


paul.car...@gmail.com

Jan 31, 2018, 3:14:22 PM1/31/18
to Vault
Chris

This is one

openssl x509 -text -in secmgr.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:29:5e:97:c8:13:60:b0:06:1d:e9:a0:be:27:e7:aa:f2:60:a2:39
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=HPE, OU=cust-0001, CN=mgmt CA
        Validity
            Not Before: Jan 31 17:20:48 2018 GMT
            Not After : Jan 31 17:21:18 2019 GMT
        Subject: OU=cloud-mgmt, OU=cust-0001, OU=serv-sec, CN=secmgr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b2:59:84:55:71:88:44:bc:d8:28:b6:5f:d6:64:
                    36:3e:14:59:0c:4a:6c:b8:ee:a9:60:b7:9b:d5:07:
                    36:5b:9a:97:35:c9:e7:94:12:59:a2:e0:ed:09:8f:
                    56:7d:84:58:0d:24:e8:85:d4:06:5a:06:31:2f:f0:
                    51:83:b2:54:16:11:55:a0:c3:0d:f5:da:62:a1:8d:
                    54:98:c3:19:1c:cd:9c:bf:99:fe:a9:51:67:1f:c1:
                    cf:fa:c4:48:e4:66:16:9a:7e:f7:1a:0f:79:08:f1:
                    ff:01:63:0d:60:41:e0:67:87:a2:1e:6d:15:9b:2f:
                    6d:81:a9:5c:89:32:5c:d7:f0:eb:52:84:6c:a8:48:
                    97:74:c2:70:9d:de:09:fd:1f:9f:78:96:e9:5a:9b:
                    5e:a7:f8:f2:05:a5:83:e9:56:77:c8:2f:12:39:73:
                    89:ee:98:f1:db:fc:f1:00:2c:dd:d4:1b:58:66:4a:
                    40:6b:84:66:e3:e2:5e:68:1a:0d:f9:7c:8f:5e:67:
                    83:f8:dc:0b:93:52:2a:9b:65:dd:bb:5f:bc:ac:b1:
                    f3:31:34:e8:b4:6a:53:09:f0:d6:c8:23:d6:ff:7f:
                    97:89:9d:00:5d:cf:b5:6e:a2:e4:1c:85:73:d9:64:
                    e8:da:56:11:bd:16:28:30:4a:17:d3:5e:5d:5b:f9:
                    57:13:0f:cc:ec:0c:0f:c4:f2:64:c0:89:11:a1:6d:
                    e9:32:47:2f:68:04:0c:69:e9:04:f4:fe:56:fd:92:
                    ac:04:27:25:b9:0d:f3:ae:d2:ed:ed:53:c6:5f:38:
                    80:c0:89:a9:41:e5:88:bd:7f:f0:8a:4d:a0:5d:19:
                    45:b8:5c:80:88:2d:f5:14:67:64:74:00:b5:24:8a:
                    88:a1:dd:d4:2e:ae:c0:00:f2:f4:cb:28:ec:d5:c8:
                    0c:d4:69:70:eb:52:c7:7e:49:5e:a5:36:5b:2b:73:
                    fc:17:f4:51:75:6c:1c:07:de:92:64:ec:b6:57:f0:
                    eb:bf:b8:50:f9:87:89:f9:5a:4e:fb:b7:48:75:66:
                    5f:49:c6:48:43:34:9f:0f:28:3a:99:c2:fa:22:13:
                    99:b0:39:df:65:a9:ab:b9:39:39:ba:e6:ad:be:e6:
                    0a:fa:c9:84:b5:84:6b:f9:9b:56:ea:52:fd:2c:86:
                    a0:e4:0a:3a:1d:de:e6:06:f7:ab:6b:ce:05:84:0b:
                    15:63:87:4c:b4:d5:63:64:9a:95:02:4c:05:99:d5:
                    27:a3:fc:3f:da:c1:87:de:d4:cc:04:5e:9b:11:4d:
                    61:7b:56:e7:69:3c:8c:ab:3d:b5:ff:31:65:d6:46:
                    f7:7d:9d:03:d2:35:18:94:99:47:35:bf:39:b4:08:
                    e3:bd:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                8F:80:1C:2C:59:24:14:E7:3D:B8:0E:B7:9D:F0:EB:0D:F1:FA:66:49
            X509v3 Authority Key Identifier: 
                keyid:10:11:FF:2F:32:B6:0A:48:A0:3B:3A:7E:C8:62:A7:2A:35:4D:62:C3

    Signature Algorithm: sha256WithRSAEncryption
         be:87:8d:8a:62:14:fa:63:60:8e:73:ea:91:0b:cd:cc:c6:9e:
         43:ee:6a:af:0d:7d:69:96:77:2a:d2:82:15:2f:2b:bb:37:90:
         ba:5a:86:ee:91:26:32:83:31:99:7c:24:bc:3d:1e:71:72:50:
         ff:ad:45:9b:0d:5c:ed:63:7f:2e:da:d1:87:d3:e9:49:52:a0:
         7b:8c:04:d4:aa:79:40:b2:8c:91:19:24:37:a9:cd:13:83:83:
         4b:31:a1:7c:8e:1e:4f:1d:cb:c5:92:e1:de:aa:38:fc:21:67:
         90:09:f2:24:cf:8f:f8:6b:0b:28:d2:63:82:a6:4c:7a:90:ac:
         d3:26:b2:05:ad:fe:4c:4f:96:57:f5:5d:66:ea:c6:3b:e5:00:
         97:09:eb:5c:0c:4f:40:c9:d4:b8:57:43:87:b1:33:7f:1e:21:
         e1:eb:9f:50:31:ec:8d:6d:ad:83:5c:c7:da:3d:bf:04:e1:3c:
         65:4f:b2:c6:48:e4:5d:ab:54:92:d0:1b:0a:14:14:23:32:ca:
         ec:ea:1e:85:b3:9a:ca:fc:e7:d5:d6:7a:6c:c1:5e:05:bb:72:
         74:c5:2a:3e:15:d8:47:38:14:1d:7a:98:15:6a:fd:a9:da:ed:
         1c:a2:d9:5d:54:0d:6a:a5:a7:7c:c9:4d:d5:80:ff:fc:5f:3c:
         41:81:f8:ca:7c:60:9a:5e:1b:53:5e:ca:8c:d5:d7:20:cb:eb:
         e6:35:70:ab:55:36:b5:af:cc:9e:89:2f:c7:2f:46:19:c7:a7:
         21:0c:cc:57:75:9b:3d:36:20:e4:0f:46:25:44:54:a0:c5:ab:
         80:52:3f:6e:8e:57:69:1d:5c:52:0c:17:78:a3:ad:35:a8:c6:
         9b:27:ff:4f:c6:7c:c3:88:d5:64:45:8e:2f:27:2b:69:e6:7e:
         55:73:2d:d1:18:c5:e5:91:83:7f:b5:4c:5f:05:e5:d0:74:05:
         61:5b:2b:ed:10:57:fa:19:dd:c6:e1:73:47:78:aa:f2:6f:e4:
         57:4d:08:41:8a:47:7c:51:d4:1b:f3:3a:1b:65:2b:90:c3:16:
         76:3f:f7:76:16:bf:7a:e3:ac:83:1f:bf:65:4e:3e:41:7f:d7:
         6d:78:a4:49:b1:43:7b:a2:8a:56:10:0b:c7:68:83:9b:de:34:
         3a:76:bd:c9:ff:a8:43:bf:67:3a:be:f1:38:f1:ab:60:73:cf:
         e4:e1:03:37:cc:56:53:2c:32:79:eb:36:dd:f3:b5:a1:5d:25:
         c9:c7:42:55:43:dd:ae:7e:27:0f:cd:d4:60:60:c7:cb:f8:13:
         b9:c9:de:da:5b:e7:88:89:69:30:d8:59:c7:70:6b:eb:87:6a:
         35:5f:84:a1:e1:17:34:3c
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Chris Hoffman

Feb 1, 2018, 10:25:55 AM2/1/18
to vault...@googlegroups.com
I checked the code and nothing is popping out at me for what could be causing this issue. There is only one place where that error would be returned and it is pretty early in the certificate validation process.  The vault codebase has changed pretty significantly between 0.9.0 and 0.9.3. Do you know the exact version of vault where this started happening? 

Thanks,
Chris 

paul.car...@gmail.com

Feb 1, 2018, 10:32:36 AM2/1/18
to Vault
I've tried 0.9.1 and 0.9.3, let me try 0.9.0

paul.car...@gmail.com

Feb 1, 2018, 12:14:21 PM2/1/18
to Vault
No joy, 0.9.0 gives the same issue. Really odd: it works fine in my test app but not with applications that use my library.
Could it be an issue with the version of some package vault uses?