Authenticating using TLS Backend


aar....@gmail.com

May 10, 2016, 5:48:25 PM
to Vault
I have the following vault configuration:

backend "inmem" {
  address = "127.0.0.1:8500"
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "C:/path/to/server.pem"
  tls_key_file = "C:/path/to/serverkey.pkcs8"
}


And I am trying to execute a POST request on /v1/auth/cert/login without any added parameters or body, to try to log in and obtain the client token.

However I am getting:
400 Bad Request {"errors":["missing client token"]}




Did I misunderstand the point of this backend?  As I understood it, you execute a post request on this url, it authenticates you using the certificates, and returns the client token which you should use from that point onwards.

aar....@gmail.com

May 10, 2016, 6:00:00 PM
to Vault
This may be because I did not set up the auth backend.


I am trying to set it up using:

vault write auth/cert/certs/default display_name=default policies=default certificate=@C:\path\to\client.cer ttl=3600

but I am getting:

Code: 404. Errors:  no handler for route 'auth/cert/certs/default//'

Any Idea please?

aar....@gmail.com

May 10, 2016, 6:11:39 PM
to Vault
Turns out I hadn't run

vault auth-enable cert


Now, however, I get:

Code: 400. Errors:   failed to parse certificate

Jeff Mitchell

May 10, 2016, 6:29:14 PM
to vault...@googlegroups.com
Hi there,

Probably the certificate is not in PEM format (PEM is less common on
Windows). Can you check that it's properly formatted as a PEM
certificate?

Thanks,
Jeff

vishal nayak

May 10, 2016, 6:41:16 PM
to vault...@googlegroups.com
Hi Axisa,

You are right in understanding that the "Cert" authentication backend responds with a token.
It returns a Vault token only if the backend is able to authenticate the client through the certificates it presents.

Before login, the backend needs to be enabled (as you already noticed) and the CA cert should be registered at the backend.
This CA cert should be the one from which the cert/key pairs used by the clients are issued.
I noticed "C:\path\to\client.cer" and thought it better be a CA cert. So :-)

Also, as Jeff mentioned, the cert you register with the backend should be PEM formatted.

Hope this helps!

Regards,
Vishal


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/CAORe8GFe9HjdjnYeDOQvoyrNsthpKa%2BKybrt1kAtvFBkLRF%2BJw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.



--
vn
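The two replies above come down to one check: whatever file you hand to `vault write auth/cert/certs/<name> certificate=@...` must be a PEM-encoded certificate (ideally the issuing CA's), and a Windows `.cer` export is often DER, which is what produces "failed to parse certificate". The script below is an added example, not code from the Vault project or from anyone in this thread. It detects whether a file is PEM or DER, converts DER to PEM without any external tools, and rejects anything else before Vault ever sees it. The file name `cert_to_pem.py`, the `SAMPLE_DER` bytes (a constructed two-integer DER SEQUENCE, not a real certificate) and the function names are all assumptions introduced here.

```python
"""Normalize a certificate file to PEM before registering it with Vault's
cert auth backend.  Added example, not Vault project code."""
import base64
import re
import sys

# One PEM CERTIFICATE block: header, base64 body (CRLF or LF), footer.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_sequence_length(data: bytes) -> int:
    """Total byte length of the outer DER SEQUENCE starting at data[0],
    or -1 if the bytes do not begin with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short form: length fits one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_certificate(data: bytes) -> bool:
    """True when the buffer is exactly one DER SEQUENCE, the outer shape of
    an X.509 certificate (a truncated or padded file fails this check)."""
    return der_sequence_length(data) == len(data)


def is_pem_certificate(data: bytes) -> bool:
    """True when the buffer contains at least one CERTIFICATE PEM block."""
    return _PEM_BLOCK.search(data) is not None


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope, base64 at 64 characters per line."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM buffer back to DER."""
    m = _PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def to_pem(data: bytes) -> bytes:
    """Return PEM for PEM or DER input; anything else is rejected here
    instead of surfacing as Vault's 'failed to parse certificate'."""
    if is_pem_certificate(data):
        return data
    if is_der_certificate(data):
        return der_to_pem(data)
    raise ValueError("input is neither a PEM nor a DER certificate")


# Constructed sample: a minimal DER SEQUENCE of two INTEGERs.  Not a real
# certificate, just enough to exercise detection and the round trip.
SAMPLE_DER = bytes.fromhex("3006020101020102")


if __name__ == "__main__":
    # Usage: python cert_to_pem.py C:\path\to\client.cer > client.pem
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sys.stdout.buffer.write(to_pem(f.read()))
    else:
        sys.stdout.buffer.write(to_pem(SAMPLE_DER))
```

With the CA certificate in PEM form, the sequence from the thread is `vault auth-enable cert`, then `vault write auth/cert/certs/default display_name=default policies=default certificate=@ca.pem ttl=3600`, then a login that actually presents the client certificate during the TLS handshake, for example `curl --cacert server.pem --cert client.pem --key client.key -X POST https://127.0.0.1:8200/v1/auth/cert/login`. The request must go to the TLS listener (port 8200 in the configuration above); the `tls_disable = 1` listener on port 9000 cannot see a client certificate, so cert auth there has nothing to authenticate.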

aar....@gmail.com

May 11, 2016, 4:41:27 PM
to Vault
That solved it! Thanks :)
