TLS auth problem "missing name in alias"


Chris Coe

Aug 13, 2018, 2:25:17 PM
to Vault
Hello there,

I have been setting up a vault + consul cluster and have everything finally working right except that we want to use TLS certs to authenticate into vault from the CLI, libraries, etc.


Steps I took (generally):
  1. create a certificate and private key (cert.pem, key.pem) (using cfssl, as in the guide linked above)
  2. enable TLS Certificates authentication (used the default path of `cert`):
    1. $ vault auth enable cert

    2. $ vault write auth/cert/certs/cli \
           display_name=cli \
           policies=cli \
           certificate=@cli.pem \
           ttl=3600

  3. create a new policy (I named the policy cli):
    1. path "cert/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
      }
    2. this is fairly permissive on purpose until I get it working, then I will reduce.

  4. attempt to log in with cert authentication using that policy - this is where the problems arise...

I have tried the following based on the guide:

$ curl -v --request POST --tlsv1.2 \
  --cacert ca.pem \
  --cert cli.pem \
  --key cli-key.pem \
  --data '{"name":"cli"}' \
  https://localhost:8200/v1/auth/cert/login

output I get:

{"errors":["missing name in alias"]}


Ok, that didn't work, so I tried:
$ vault login -method=cert -ca-cert=ca.pem -client-cert=cli.pem -client-key=cli-key.pem name=cli
output:
Error authenticating: Error making API request.

URL: PUT https://:8200/v1/auth/cert/login
Code: 500. Errors:

* missing name in alias


Same output...

So I searched the codebase and found this as the only place that error exists: 

This appears to be part of the logic which looks for an alias name in the response. I am providing this (as detailed in the guide) as name=cli.
I am assuming that the alias would be whatever I name it when creating it and writing the policy to auth/cert/certs/cli.

I looked into adding entities and aliases as detailed here: https://www.vaultproject.io/guides/identity/identity.html
I, of course, needed to change it for TLS auth and not GitHub as shown in the guide.  I am not using LDAP, username/password, or GitHub authentication currently and have no users in the system (outside of root).




Chris Coe

Aug 13, 2018, 2:39:26 PM
to Vault
I should clarify that even after messing with entities, I was unsuccessful and was hoping someone could help provide some insight.

Jeff Mitchell

Aug 13, 2018, 3:46:15 PM
to Vault
Hi Chris,

Currently the alias name comes from the Common Name of the cert. My guess is that there isn't one in your certificates. (If you can paste the PEM file that will help with debugging.)

Best,
Jeff

On Mon, Aug 13, 2018 at 2:39 PM Chris Coe <chrc...@gmail.com> wrote:
I should clarify that even after messing with entities, I was unsuccessful and was hoping someone could help provide some insight. 

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/92336035-1418-4acf-a361-b77baa450ce6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris Coe

Aug 14, 2018, 7:07:26 AM
to Vault
As it turns out, the CA has a common name attribute set, but the others do not.  I did not set them because they are living on internal ephemeral servers and did not think it mattered as much.  I will regenerate them and post the outcome.

Thanks for the shove in the right direction.

Chris Coe

Aug 14, 2018, 8:21:34 AM
to Vault
That was it, thank you Jeff - you spared me another hour tracing the vault codebase to figure out where the alias name was populated from!

Jeff Mitchell

Aug 14, 2018, 8:27:32 AM
to Vault
No problem!

Arguably the common name isn't the best value to use for the alias name but it's not clear what else to use. It might become toggleable at some point.

Best,
Jeff

Tomoya Usami

Feb 26, 2019, 2:00:11 AM
to Vault
I'm facing the same problem as this case.
I guess CN is not a required field in X.509, so I think it's a problem that an error occurs if it doesn't exist.

For instance, I'm using https://github.com/spiffe/spiffe, and it doesn't provide a CN field in its X.509 certificates.

On Tuesday, August 14, 2018 at 21:27:32 UTC+9, Jeff Mitchell wrote:

Louen Pilet

May 29, 2019, 3:17:19 AM
to Vault
Hello,

I'm trying to use Vault with a certificate that doesn't have a Common Name field (the name is defined by a UID). Is it possible to bypass the "missing name in alias" error?
Or do you have another solution for using TLS certificate authentication with this certificate?

Best,

Louen Pilet
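The following is an added, stand-alone Go example (not Vault's code and not posted by anyone in this thread) that reproduces the rule Jeff describes and the two failure cases raised above: it takes the alias name from the certificate's Subject Common Name and returns the exact error string from the thread when the CN is empty, which is what happens both for Chris's original CN-less certs and for a SPIFFE-style certificate that carries its identity only in a spiffe:// URI SAN. The certificates are generated in-process as constructed test data (self-signed, Organization "example", SPIFFE ID spiffe://example.org/cli are all arbitrary choices), so the function names and the fallback that reads the URI SAN are illustrative assumptions, not Vault features.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// errMissingAlias carries the exact error string seen in this thread.
var errMissingAlias = errors.New("missing name in alias")

// parsePEM decodes the first CERTIFICATE block of a PEM file such as cli.pem.
func parsePEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// aliasNameFromPEM applies the rule Jeff describes: the identity alias name is
// the certificate's Subject Common Name, and an empty CN is rejected.
// Illustrative re-implementation of that rule, not Vault's own code.
func aliasNameFromPEM(pemBytes []byte) (string, error) {
	cert, err := parsePEM(pemBytes)
	if err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errMissingAlias
	}
	return cert.Subject.CommonName, nil
}

// spiffeIDFromPEM shows where the identity lives in a CN-less SPIFFE SVID:
// a spiffe:// URI SAN, which the CN-based rule above never inspects.
// Hypothetical alternative name source for illustration only.
func spiffeIDFromPEM(pemBytes []byte) (string, error) {
	cert, err := parsePEM(pemBytes)
	if err != nil {
		return "", err
	}
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			return u.String(), nil
		}
	}
	return "", errors.New("no spiffe:// URI SAN in certificate")
}

// selfSignedClientPEM builds a throwaway self-signed client certificate as
// constructed test data (not a cfssl-issued cert). An empty cn reproduces
// Chris's original certificates; uris adds URI SANs for the SPIFFE case.
func selfSignedClientPEM(cn string, uris []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"example"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for _, raw := range uris {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, c := range []struct{ label, cn, uri string }{
		{"no CN (original issue)", "", ""},
		{"CN=cli (the fix)", "cli", ""},
		{"SPIFFE SVID, no CN", "", "spiffe://example.org/cli"},
	} {
		var uris []string
		if c.uri != "" {
			uris = append(uris, c.uri)
		}
		p, err := selfSignedClientPEM(c.cn, uris)
		if err != nil {
			panic(err)
		}
		alias, err := aliasNameFromPEM(p)
		fmt.Printf("%-24s alias=%q err=%v\n", c.label, alias, err)
	}
}
```

To check a real file, pass the bytes of cli.pem to aliasNameFromPEM: an empty result with "missing name in alias" means the cert was issued without a CN, which is the condition to fix at issuance time (cfssl's CSR "CN" field) before retrying the login.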