Vault TLS Authentication with PKI Generated Engine issue


Michael Sweikata

Apr 15, 2019, 5:11:29 PM
to Vault
Hey everyone;

So, I've gotten pretty far along in my own local vault deployment, absolutely loving it. I'm trying to do as much as I can with the API versus local commands, which is reflected as such.

In my next step, I've opted to set Vault as the PKI provider for my setup. Below is my step-by-step creation process, in the event I have done something wrong:

($ROOT being the root token established after the Vault is initialized and unsealed, and I've sanitized the hostname to my.example.domain etc.)

1) Enable the engine
#enable the PKI engine
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @pki.json https://127.0.0.1:8200/v1/sys/mounts/pki
#list to confirm it's there and works
curl -k -s --header "X-Vault-Token: $ROOT" https://127.0.0.1:8200/v1/sys/mounts

{
   "type":"pki",
   "description":"Default Certificate Secrets Path",
   "config":{
       "default_lease_ttl":"3650h",
       "max_lease_ttl":"3650h"
   }
}



2) Generate the Root CA
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @root.json https://127.0.0.1:8200/v1/pki/root/generate/internal

{
   "common_name":"my.example.domain",
   "ttl":"3650d",
   "permitted_dns_domains": "example.domain"
}



3) Update the CRL and issuing certs
#set the URLs
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @crl.json https://127.0.0.1:8200/v1/pki/config/urls
#read the URLs
curl -k -s --header "X-Vault-Token: $ROOT" https://127.0.0.1:8200/v1/pki/config/urls

{
   "issuing_certificates":"https://my.example.domain:8200/v1/pki/ca",
   "crl_distribution_points":"https://my.example.domain:8200/v1/pki/crl"
}



4) Create the role that maps a name in Vault to a procedure for generating a certificate
#set the role
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @certrole.json https://127.0.0.1:8200/v1/pki/roles/certgen
#read the set role
curl -k -s --header "X-Vault-Token: $ROOT" https://127.0.0.1:8200/v1/pki/roles/certgen
#list the roles
curl -k -s --header "X-Vault-Token: $ROOT" --request LIST https://127.0.0.1:8200/v1/pki/roles

{
   "allowed_domains": "example.domain",
   "allow_subdomains": true,
   "allow_localhost": true,
   "key_type": "rsa",
   "key_bits": 4096,
   "organization": "Example Infrastructure",
   "country": "United States",
   "locality": "Time",
   "province": "Place"
 }


5) Generate a new certificate credential
# Note: the private key is not stored by Vault in this setup and must be saved from the issue response
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @maverick.json https://my.example.domain:8200/v1/pki/issue/certgen

{
   "name":"certgen",
   "common_name":"server.example.domain",
   "ttl":"5h"
}

Which gives me my certificate:


{
  "request_id": "4cab8531-b934-1e0b-1115-2d6c61ca7958",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIFTzCCBDegAwIBAgIUdqMSUPhIJ2XyseIsKSNODc02Nz8wDQYJKoZIhvcNAQEL\nBQAwHjEcMBoGA1UEAxMTZ29vc2UuZmFuYXRpY3MuY29ycDAeFw0xOTA0MTUxOTUz\nMTJaFw0xOTA0MTYwMDUzNDFaMIGEMRYwFAYDVQQGEw1Vbml0ZWQgU3RhdGVzMRUw\nEwYDVQQIEwxKYWNrc29udmlsbGUxEDAOBgNVBAcTB0Zsb3JpZGExIDAeBgNVBAoT\nF0ZhbmF0aWNzIEluZnJhc3RydWN0dXJlMR8wHQYDVQQDExZtYXZlcmljay5mYW5h\ndGljcy5jb3JwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArsEEeykB\nSKF6WuCIddN5uflgB8tb3tibFxQ++i6NZ2/8adpWDwk2DJP9oexluJu/XfAK/rST\n6QlZH1iFALlVsZVAwatEX6uA9yrn+q5efLYrMOGrPIKOtOYesB9meFDIVy/pJCb1\nuJFkscDhPoS3XFmW98psarXx4m0Nffsk0+XD5eYlOUQI3BufwZLDBihkJmVac6c4\nNtK4AUjVVvBuhHjQGmdqtTG3xETjhR8KfMhMD6SG7sxQ/bSrTL2uMtYcto3TBgQU\nZnOmrmnAIjZHpOjx0L2soEzQTOYmjNXywssBExli2NgHQYUuB1X8gQmKvJeQmGrb\nCUoZevfjwmLPgj0k3aiSWPaRpQfrycMYVfYRsj919qvKXJvCM7+c7/kuHeYtRSDd\n281Sk4lDvQdsXQTCirpUkPwOiEd5HVTeSGbOY5c6bsZIbbh2PHJWBLB3JEIKgUGo\nlpWkdQXKHj10lRau5tZUPqEhNdvotD/JMczc6GAp1gYLaphJOgsnIWX95UCnRHlT\nvKNPXNaQ8RHuJD9I1bFI/Du7NMx3KpidOksXK8AOZutBZWDOxzQmdoMT9jm5oQCE\ntaZmDJFPYl5bitwe0WiO9PtQeFMWMBEmZLiIpEbQM2RfLpbYjHTrMe71Vux4OQKB\nWMGfUb5ZEMzR31hGRf7YaIjFBFAtDl4L7uUCAwEAAaOCARwwggEYMA4GA1UdDwEB\n/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYE\nFC3DR7UUPXIBrxZEQJwu38aS2KsoMB8GA1UdIwQYMBaAFNlEJo7bcDWFrn70Mg92\ny73I6H1ZMEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAoYqaHR0cHM6Ly9nb29z\nZS5mYW5hdGljcy5jb3JwOjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCFm1hdmVy\naWNrLmZhbmF0aWNzLmNvcnAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cHM6Ly9nb29z\nZS5mYW5hdGljcy5jb3JwOjgyMDAvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOC\nAQEALTsCwa31GOkq7lETl9EZok5NzHKX3M2yckO7tL2M/x/WJfj7BY3G2b/678DH\nX/LGt0/GWm0sG7LDxfu24DB6mOBCSNPIvSbwyemiz84YiDHf4IpMrpkpWMRwQ01L\nrnS56Jr0wZ2rO/Ksa9rGLOVqIc/j8p/yF90IfumWcOisA04SFXAP58PXPS44dVcx\nZEhmIZDL82rNYzhnWCtnhu9/SOPzhJp6icEYxbNFvcEQn3pobS3Bza7u21Q3zkSk\ny6NBeX1rqRO5yLNKwYpYPww5ftea8oAadsq4e+TCGSDAE7YC5vfzFVH7OqxvVlBM\nF2iM2kIhMZT0H/IWb+4tXOj8cg==\n-----END CERTIFICATE-----",
    "expiration": 1555376021,
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDTzCCAjegAwIBAgIUdQWyJWLiojATrO0DogJ7QiYtwBAwDQYJKoZIhvcNAQEL\nBQAwHjEcMBoGA1UEAxMTZ29vc2UuZmFuYXRpY3MuY29ycDAeFw0xOTA0MTUxOTI2\nMDBaFw0xOTA5MTQyMTI2MzBaMB4xHDAaBgNVBAMTE2dvb3NlLmZhbmF0aWNzLmNv\ncnAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkWL7bGyluaDYMyYA9\nHYum0jh0nnX++utYPGMHyAIwIaIlZzm+UebIRshVZXc3VypRzsFbmqJrIC34yKod\niqAaxiiBN8niURLDBO0FivI6R4Wwr4XfWG/ChspCdMSWkd5gaWvEsefROmXM738Z\n17IKDV8JRm4ZlCuEWRmgekCtWvZzE3u//V3QVTCjdSM/QHlkstgvQjVYzzYvGQN+\nI7QdvQcTz0tzIFcARs5ZYK5GBfrkwy9rG4K6ftU2q5cggw+ZqgwNpopVv9/pa/Y/\nltlOhoNqPnRu+aEXIOheh3wPzbnoKCTjC6WS9Cbg7fV/7p5TUmib2t+NWcL6QfAk\nR723AgMBAAGjgYQwgYEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w\nHQYDVR0OBBYEFNlEJo7bcDWFrn70Mg92y73I6H1ZMB8GA1UdIwQYMBaAFNlEJo7b\ncDWFrn70Mg92y73I6H1ZMB4GA1UdEQQXMBWCE2dvb3NlLmZhbmF0aWNzLmNvcnAw\nDQYJKoZIhvcNAQELBQADggEBAEbyv1Q+myeMqD2WNeH+X+043eiBUpqr6/ttk8tA\nXzNZAaJPv9a2HcFKT0zQ64fRoHnE9njO6zD5oay7UAjO1YcwQ6mcbcJFl4b8qcNI\nDOZ2DKXwQ0ctW/CB5z/97uyU9KdkeVMSChfcBjPwz72R3vV2uouiTPIHtMVVAM5Y\nFM9rmFsft9eQYvHxQ0A7efms/ziqcoo/1htIxbKWwcMBlmsrK2SJ9t6UYNU7Hntu\nh/tKcUpA1npL+VrWnTCoQk5Qgo8xBOh0K51lFB/ohaIj81qEA+uZoIuy02YiYYu4\nEYodxl9YS6OWtXwG9pYfWAyhuwTve9GQhYzjN85nWRgmUMc=\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEArsEEeykBSKF6WuCIddN5uflgB8tb3tibFxQ++i6NZ2/8adpW\nDwk2DJP9oexluJu/XfAK/rST6QlZH1iFALlVsZVAwatEX6uA9yrn+q5efLYrMOGr\nPIKOtOYesB9meFDIVy/pJCb1uJFkscDhPoS3XFmW98psarXx4m0Nffsk0+XD5eYl\nOUQI3BufwZLDBihkJmVac6c4NtK4AUjVVvBuhHjQGmdqtTG3xETjhR8KfMhMD6SG\n7sxQ/bSrTL2uMtYcto3TBgQUZnOmrmnAIjZHpOjx0L2soEzQTOYmjNXywssBExli\n2NgHQYUuB1X8gQmKvJeQmGrbCUoZevfjwmLPgj0k3aiSWPaRpQfrycMYVfYRsj91\n9qvKXJvCM7+c7/kuHeYtRSDd281Sk4lDvQdsXQTCirpUkPwOiEd5HVTeSGbOY5c6\nbsZIbbh2PHJWBLB3JEIKgUGolpWkdQXKHj10lRau5tZUPqEhNdvotD/JMczc6GAp\n1gYLaphJOgsnIWX95UCnRHlTvKNPXNaQ8RHuJD9I1bFI/Du7NMx3KpidOksXK8AO\nZutBZWDOxzQmdoMT9jm5oQCEtaZmDJFPYl5bitwe0WiO9PtQeFMWMBEmZLiIpEbQ\nM2RfLpbYjHTrMe71Vux4OQKBWMGfUb5ZEMzR31hGRf7YaIjFBFAtDl4L7uUCAwEA\nAQKCAgB2lvGtioQef8aCiUDRhLNka0CpyW0M6z1ECi86pAC9oxdN1ib0iTGuk3dZ\nPQ1CnB7fZphvhKejSv658N5BQYRPwJNzWgBKVB5unSVTzqS8SPtCbsI/i/G//THy\nHzzwhRGPaSnzqKSznacRoWy5emLcPsfeW/X67IG7QHoZdiblzVSFXQsBs5O3mt9t\nA2VpdluQWtNpDJ9vRMwtwvlTyFGXgEzovimB0L1+aalkm04Io/xJ2ULgJrMHmGVu\n7IGcagSONexwdrBJXk5MqeMC1IcF+DaxiyXsmnP4225pwH6/hfeyuFWGBgPWiMRV\nohp6jrkhhlFPvaPqx+hGtJZRQbDC961ZgPj/2aiiSE/WWuOWq7whlwZ7WZERwnwT\n2CLWi/vitbO4J6WtH0Bil1Qm/HhrCtxEgedY4jCECugIYk7eKctwXZizFePY9fnU\nJOB+DCHL8LKxV6S/8qbeT77W5tDMfb2brgGDsvYWflwIINairxf5aHZoGQXspISN\ni7iONDK70H+uLlDOF2E9Dyoe0O7v5TNjwmDtqyH7Z8Qjt5RtB0CwQaHNa1O753ut\nSKJn2psKaBNEHkKDopv6tyjfDAeMtvnP0Y1STaM0XKL8q7lNI3TjKeC+hmYQOY7l\nB0Ygwp5HH9z6OQfUt9wfhBPqoTL7asy97UGZWN79Nmu4+lMgAQKCAQEA34Ct+nL2\nOqUSCgC6gtVmwc/vsu2N0ycg8TjkNXz25Z0gUKLmP0GKfZVrhKAsrbV2cdU86CLp\n8BBqfovO9cuSOrn0iys4LlXn02RUu6Y0WEgmmHKQqqAIW1OtWQpJRjauce5REbPV\nZdXFO5afvdRcjz22zsHJyXrYpOH303taufxsyhxMfLX8FTjkayp9nYIksTjx/mUy\nNKpcA8hjO7GuOiK1/qwm+B3zgs6Nq2JQECCgbuWHkLBGj3MUKEVzaxES3qTPFHt6\neU1+dZ890Che0m1W1XE+YTgn1oVJeoWOn7/ZqBru/l1iIdq2A+tP2DRxVqtjNMiz\nTIhFeMYivFeq5QKCAQEAyCnKrjY4r+zrfkqqbujpD3hmxBFnf7+Xg6MYsYoLNCHe\nkn+wIKc3I3oNQOnMgqfhP3R2aaDPqkGcpIk4zoo38nCW0+tKcu4HP58adLqYeLIA\nPQdJdp03gj1vBrYxPT0TeDLt0RN6iCzjqqH2IhDPiy091m9+OTzO5/b3hheug8DR\nMW/pKK4HPWDrDqB/EI2/aEhdDT8JJkE39ToDFEDckuteOOqG4d/zzM3I5UrvFJEy\ntS/rs3YRX2j22X5nEKHmkx9eKoKM7A3+TFrzx+rH7G1BXKwZVrSly+Z0gNTeuGcb\n6AX3rgoS1MQYBp7lVvGyT210OYnCI0+l9ILpEGr0AQKCAQEAmXRbf7rRDsDpms6X\nQF9PF0EynZJ3LwQNnTHnlkX/qvVwC41dMw9IDCO8V6o2IuqVsWCsWeIm5voOdGZ/\nqcmk1Ad7PNZm04GOE1kuyEw8YmTfgwoeA9ivBC12tszWNIw0x+rN5K6plSrqKZio\ngwi8qGjCDEGHz3s2Jjc0FhL63vnOpBI7/eBhfRy70EyzRKLnmHq1xGosx3Y0iTBb\n2c+MBURx2rLOasr9t9Ej+gkdWYVdQeb8Zj5xo+pqa6ALt/ZYE1/rAnApTgIEErRM\nF5CwUiBaX2BKaSvKRoLrSWFL5KkvwzkC4MizKPVmxVgaUSLoso4oJkSqvqBNuren\nf9NddQKCAQATrA/QaWHO4IEQi3QOrHNjYtjuwisi4giZFmlx4XhSalW+njAINYb0\nxKUS0SeZW7iGjQKqRPTD7ejgPuBHZEw1Vp1sPH63pu8tcIygFkqv6gad+N5eevse\noL0NstBKDXuhX5gB6WEsiwThG0Peezp6mjqunYyRQYmwQJR5KFCtgEDPFAmdRuVN\nQf44FMwIK3Y5YItMpvpWOSivwEDXN7y178312A7jmigS49Kvvlqa8d5C8m++1obE\nksNYAtVMTC0mHnoZwXTqKkHo7TNyXX/Cm8ZFvmBLJjv5OzAODV3KT8/tUNDT2Qea\nw57835b4oY59wesfUIu0/rn3uvn+9BQBAoIBAQC53ofzFE0rSsAruxt+mSoKWC4G\nMP/8uFaky8lhJn90Z39ejwwK03Xilq/16uxBFLeWHmUqBY6QlAPbOFxWZd04z5mL\nO+RXvDY7QCirPFekGDE655flB37cfag24lnRUu+nl/UtSWdhNO/uV2Y1eGJPv/Dz\n+2OdNQXrVH9G2rpJ9aH8jD1yakYz2E0wE7OnQNAGz63pu5fy80GckMDu8IWbNluS\nWJUvtb2sRU65Z1K0659a6vLjeK7U1bBASh0e4OSAS8OkVzJ1bMuQK01u3pOo3jZs\ndXpjY/RCZAO8om18x3mhHoPkB/OVyhwtNZWC+maUMpl+jMwpj7mV+DEgQ4WW\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa",
    "serial_number": "76:a3:12:50:f8:48:27:65:f2:b1:e2:2c:29:23:4e:0d:cd:36:37:3f"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

I have the certificate, the private key, and the CA. 

Let's take that data and put it to a role:
curl -s --request POST -k --header "X-Vault-Token: $ROOT" --data @network-role.json https://my.example.domain:8200/v1/auth/cert/certs/network-role
#read the role:
curl -s -k --header "X-Vault-Token: $ROOT" https://my.example.domain:8200/v1/auth/cert/certs/network-role

I take each portion of the cert and write it to its respective file, ca.pem, network.key, and network.pem (retaining the single-line nature encapsulated in the " and without).

But when I try to log in:
# "name" is optional; when given it must match the entry written to auth/cert/certs/<name>
curl -k -s --cacert ./ca.pem --cert ./network.pem --key ./network.key --request POST --data '{"name":"network-role"}' https://my.example.domain:8200/v1/auth/cert/login


I get back nothing from curl, but from the informational log of the shell:

2019-04-15T17:09:16.349-0400 [INFO]  http: TLS handshake error from 127.0.0.1:54556: EOF



If I try it as a vault cli command:

vault login -method=cert -client-cert=network.pem -client-key=network.key

Error authenticating: Error making API request.


URL: PUT https://127.0.0.1:8200/v1/auth/cert/login

Code: 400. Errors:


* client certificate must be supplied



So I feel like I've missed something very simple. I've tried leaving the certificate data in a single line encapsulated by a quote ("----begin etc. etc.) and without. Anyone have any tips? 
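The post writes the three PEM blobs from the issue response to files by hand. An added example, not code from the thread or from the Vault project: a POSIX shell script that splits a pki/issue response into ca.pem, network.pem and network.key while decoding the JSON `\n` escapes into real line breaks (a PEM string copied out of JSON unchanged is a single line containing literal backslash-n pairs, which curl, openssl and the vault CLI cannot parse), checks the files, and then performs the cert login. The sample response it ships with is constructed so the script runs offline; `VAULT_ADDR`, the file names and the `split_issue_response` / `vault_cert_login` helper names are assumptions, not anything the page defines.

```shell
#!/bin/sh
# Added example (not from the thread). Vault returns each PEM blob in the
# pki/issue response as a JSON string whose line breaks are the two characters
# '\' 'n'. printf '%b' turns those escapes into real newlines before the file
# is written. File names follow the post; the sample response is constructed.

# Pull one string field out of Vault's pretty-printed JSON (one field per
# line). Enough for this response shape, and needs no jq.
json_field() {
  # $1 = field name, $2 = file holding the response
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Decode the \n escapes and write the field as an owner-readable PEM file.
write_pem() {
  # $1 = field name, $2 = response file, $3 = output path
  val=$(json_field "$1" "$2")
  [ -n "$val" ] || { echo "field $1 not found in $2" >&2; return 1; }
  printf '%b\n' "$val" > "$3"
  chmod 600 "$3"
}

# Shape check that needs no openssl: the first line is a PEM header and the
# file holds no literal backslash-n (the symptom of a raw copy from JSON).
pem_ok() {
  head -n 1 "$1" | grep -q '^-----BEGIN ' || return 1
  ! grep -q '\\n' "$1"
}

# Deeper check when openssl is installed: the cert auth method needs a leaf
# certificate carrying the TLS Web Client Authentication EKU. Returns 2 if
# openssl is absent so callers can tell "not checked" from "failed".
has_client_auth_eku() {
  command -v openssl >/dev/null 2>&1 || return 2
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Cert login with the decoded files. Assumptions: VAULT_ADDR is set, ca.pem is
# the CA that signed the Vault listener's own TLS certificate (otherwise add -k
# as the post does), and $2 is the entry name written to auth/cert/certs/<name>.
vault_cert_login() {
  # $1 = directory holding ca.pem, network.pem, network.key; $2 = entry name
  curl -s --cacert "$1/ca.pem" --cert "$1/network.pem" --key "$1/network.key" \
       --request POST --data "{\"name\":\"$2\"}" "$VAULT_ADDR/v1/auth/cert/login"
}

# Constructed stand-in for the pki/issue response; the blobs are not real keys.
write_sample_response() {
  cat > "$1" <<'EOF'
{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExFIExFQUY=\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExFIENB\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgU0FNUExFIEtFWQ==\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa"
  }
}
EOF
}

# Usage: split_issue_response response.json outdir
split_issue_response() {
  mkdir -p "$2"
  write_pem certificate "$1" "$2/network.pem" &&
  write_pem private_key "$1" "$2/network.key" &&
  write_pem issuing_ca  "$1" "$2/ca.pem" &&
  pem_ok "$2/network.pem" && pem_ok "$2/network.key" && pem_ok "$2/ca.pem"
}
```

Two things the response above already tells you, worth reading off before debugging the login: the leaf's extension block decodes to an EKU of serverAuth plus clientAuth, which is what the cert auth method requires; and the issuing_ca's validity runs from 2019-04-15 to 2019-09-14, which is 3650 hours rather than the 3650d requested, consistent with the mount's max_lease_ttl of 3650h capping the root TTL. Separately, Vault copies the role's `country` string verbatim into the subject, and the issued cert carries C=United States; X.509 expects the two-letter code, so use "US" if anything downstream validates the DN.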

Michael Sweikata

Apr 15, 2019, 5:12:47 PM
to Vault
Oh, and to clarify, the code blobs underneath are the respective data sets in each CURL POST

Vasilev Vjacheslav

Apr 16, 2019, 2:07:01 PM
to Vault
Hi,

A new CLI switch was introduced recently that may help you troubleshoot your process: "-output-curl-string".

Michael Sweikata

Apr 16, 2019, 2:31:57 PM
to Vault
That is a neat switch. Sadly, it didn't help, because it output pretty much the same thing, though it didn't output the -client-cert/key/ca flags, so it makes me wonder if there's a problem with the CLI login accepting self-signed certs, or something similar?