Root CA set for validating server certificate


Leon Boot

Jan 6, 2020, 3:33:00 AM
to Vault
Recently I've secured my Vault server with a Sectigo SSL certificate. Unfortunately, when communicating with the server using the Vault CLI (VAULT_ADDR=https://my-server/), I'm getting an error: "x509: certificate signed by unknown authority". Unfortunately Sectigo (formerly Comodo) uses a new root certificate. On older systems we've run into this issue as well, since that new root certificate wasn't present in the set of certificates used to validate SSL certificates. It seems it's not present in the set Vault uses either.

Does Vault have its own set of root certificates baked in? I can't seem to figure out which set is used by Vault for certificate validation. I know I can provide my own root CA by setting the VAULT_CACERT environment variable, but I'm just curious what set Vault uses for certificate validation. It doesn't seem to be the OS's (Open)SSL software's set.

Michel Vocks

Jan 6, 2020, 5:57:20 AM
to Vault
Hi Leon!

Vault's CLI uses Go's x509 crypto library which, by default, looks up the OS system default root certificates. See: https://golang.org/src/crypto/x509/root_unix.go

> On older systems we've run into this issue as well, since that new root certificate wasn't present in the set of certificates used to validate SSL certificates.

It's important to know that the validation happens on the client side. You probably have to upgrade the client machines' OS root certificates to avoid this error.

Cheers,
Michel
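The two outcomes described in this thread (Go falling back to the OS trust store and failing with "certificate signed by unknown authority", versus the client being handed the issuing root through VAULT_CACERT) can be reproduced directly with Go's crypto/x509. The program below is an added example written for this page; it is not code from the thread or from Vault. It generates a throwaway private root CA and a server certificate for "my-server" in memory (constructed here, standing in for the Sectigo chain), verifies the leaf against the system roots and against a pool built from the root's PEM, and classifies the failure. The names NewChain, PoolFromPEM, Verify and IsUnknownAuthority are this example's own, not Vault API names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a private root CA plus a server leaf it issued, built in memory.
// Both are constructed for this example; nothing here is a real public CA cert.
type Chain struct {
	RootPEM []byte            // the bundle you would point VAULT_CACERT at
	Leaf    *x509.Certificate // what the server presents in the TLS handshake
}

// NewChain generates a self-signed root and a server leaf for host signed by it.
func NewChain(host string) (*Chain, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	return &Chain{RootPEM: rootPEM, Leaf: leaf}, nil
}

// PoolFromPEM builds a trust store holding only the PEM certificates given,
// with no system roots mixed in (the shape of a CA bundle loaded from a file).
func PoolFromPEM(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no certificates found in PEM data")
	}
	return pool, nil
}

// Verify checks leaf for host against roots. A nil pool makes Go fall back
// to the OS trust store, which is the Vault CLI's behaviour without VAULT_CACERT.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority reports whether err is the condition the CLI prints as
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	chain, err := NewChain("my-server")
	if err != nil {
		panic(err)
	}
	// Default path: the OS roots do not contain our private root, so this fails.
	err = Verify(chain.Leaf, nil, "my-server")
	fmt.Printf("system roots: err=%v unknownAuthority=%v\n", err, IsUnknownAuthority(err))
	// VAULT_CACERT path: the issuing root is supplied, so the chain validates.
	pool, err := PoolFromPEM(chain.RootPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("private root pool: err=%v\n", Verify(chain.Leaf, pool, "my-server"))
}
```

The nil-pool call is exactly the client-side lookup Michel points at: on Linux it is the file and directory list in root_unix.go, so either adding the new root to the OS bundle or exporting VAULT_CACERT clears the error. Note that a pool built from a file contains only what is in that file, so the bundle has to carry the actual issuing root (or the whole chain), not just the server certificate.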