How to run vault server over https


abhishek raghav

Aug 28, 2017, 4:19:28 PM
to Vault
How do I make sure that the Vault server listens over HTTPS and all the traffic is secured? Do I need to enable the pki backend to generate the certs and then configure Vault to make use of those certs?

Joel Thompson

Aug 28, 2017, 4:25:07 PM
to vault...@googlegroups.com
Hi Abhishek,

Vault will serve only over HTTPS unless you configure tls_disable in the server's listener configuration. Take a look at https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable

That configuration is also where you specify private keys and certs, similar to any other web server. Vault's usage of a TLS cert when serving HTTPS is completely independent of its ability to act as a CA via the pki secret backend.

Hope this helps,

--Joel


abhishek raghav

Aug 29, 2017, 4:22:26 AM
to Vault
Thanks Joel. It worked, but the only issue I am facing is that I am not able to initialize Vault: "Error initializing Vault: Put https://127.0.0.1:8200/v1/sys/init: x509: certificate signed by unknown authority". I guess my machine does not trust the certificate I am passing in to Vault. I am on Windows, so I am not sure how to allow my Windows machine to trust it (easy in Linux though, as per this article here: https://dunne.io/vault-and-self-signed-ssl-certificates).

Joel Thompson

Aug 29, 2017, 10:05:42 AM
to vault...@googlegroups.com
Hi Abhishek,

One option is to specify the trusted CA in environment variables (see the VAULT_CACERT and VAULT_CAPATH options at https://www.vaultproject.io/docs/commands/environment.html), or using the corresponding -ca-cert or -ca-path CLI flags.

Another is to just turn off TLS cert verification entirely -- generally a really bad idea unless you're connecting to localhost or in an insecure dev environment! -- by using the VAULT_SKIP_VERIFY environment variable or -tls-skip-verify CLI flag.

In this case, since you're connecting to 127.0.0.1, the certificate won't verify unless it has the 127.0.0.1 IP address as a SAN, and so you should probably actually just use the -tls-skip-verify flag (but, again, ONLY when connecting to 127.0.0.1).

With regards to Windows, I haven't tested this specifically, but my go-to when dealing with Windows TLS cert verification is to import the CA cert into the Windows certificate store as a trusted cert.

--Joel
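An added example (not code from this thread or from HashiCorp) that ties the two answers together: a self-signed server cert carrying the IP SAN for 127.0.0.1 that Joel mentions, a `listener "tcp"` stanza that keeps TLS on, and client settings that trust that cert via VAULT_CACERT rather than VAULT_SKIP_VERIFY. The CN `vault.local`, the `$WORKDIR` paths and the 30-day validity are assumptions.

```shell
#!/bin/sh
# Added example: self-signed cert with a loopback IP SAN, a TLS-enabled Vault
# listener stanza, and the client-side trust settings. Paths are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Server cert. A cert without IP:127.0.0.1 in subjectAltName fails
#    verification when the client connects to https://127.0.0.1:8200.
make_self_signed_cert() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = vault.local
[v3_req]
subjectAltName   = DNS:vault.local,IP:127.0.0.1
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/vault.key" -out "$WORKDIR/vault.crt" \
    -config "$WORKDIR/openssl.cnf" >/dev/null 2>&1
}

# 2. Listener stanza. tls_disable already defaults to false; setting it to
#    true is what would make Vault serve plain HTTP on this address.
write_listener_config() {
  cat > "$WORKDIR/vault.hcl" <<EOF
listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_disable   = false
  tls_cert_file = "$WORKDIR/vault.crt"
  tls_key_file  = "$WORKDIR/vault.key"
}
EOF
}

# 3. Client side: trust the server cert explicitly instead of skipping checks.
client_env() {
  printf 'export VAULT_ADDR=https://127.0.0.1:8200\nexport VAULT_CACERT=%s\n' \
    "$WORKDIR/vault.crt"
}

# Sanity check: confirm the generated cert really carries the loopback SAN.
cert_has_loopback_san() {
  openssl x509 -in "$WORKDIR/vault.crt" -noout -text | grep -q 'IP Address:127.0.0.1'
}

if command -v openssl >/dev/null 2>&1; then
  make_self_signed_cert && write_listener_config && client_env
fi
```

After sourcing the printed exports, `vault server -config="$WORKDIR/vault.hcl"` followed by `vault operator init` should verify the cert without -tls-skip-verify.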
