HTTP/1.x transport connection broken: malformed HTTP response


Nikolai Orenstrakh

Sep 7, 2018, 6:20:44 PM
to Vault
Hi,
I have a question regarding the Consul secrets engine in Vault.
I just followed this guide, however I can't generate the access tokens as described here:

vault read consul/creds/developers

Error reading consul/creds/developers: Error making API request.

URL: GET https://127.0.0.1:8200/v1/consul/creds/developers
Code: 400. Errors:

* Put http://127.0.0.1:8080/v1/acl/create: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"


I have ACLs and SSL enabled on both Vault and Consul.

Seems like Vault tries to use http instead of https when it tries to generate the tokens: `http://127.0.0.1:8080/v1/acl/create`

I've tried to set environment variables:

env | egrep -i 'consul|vault'

CONSUL_HTTP_SSL_VERIFY=true
VAULT_ADDR=https://127.0.0.1:8200
USER=vault
CONSUL_HTTP_SSL=true
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vault/bin
PWD=/home/vault
HOME=/home/vault
VAULT_CACERT=/etc/vault.d/tls/ca.cert

- but I still get the same results; any help would be highly appreciated.

- Not sure, maybe it is a bug; I just wanted to ask here before opening a GitHub issue.

Thanks
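The quoted bytes in the error above are not HTTP at all: they are the start of a TLS record, which is what a TLS listener sends back when a client talks plaintext HTTP to it. The following Python helper is an added example (not from the thread or from Vault/Consul) that decodes such a leading byte sequence; it assumes the standard TLS record and alert layout and infers the one byte Go's line reader consumed when it split the "status line" on 0x0a.

```python
import struct

# TLS record content types and alert codes (RFC 5246 section 7.2).
TLS_ALERT = 0x15
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
}


def classify_response(data: bytes) -> dict:
    """Classify the first bytes a client read back from a server.

    'kind' is one of 'http', 'tls_alert', 'tls_record' or 'unknown'.
    """
    if data.startswith(b"HTTP/"):
        return {"kind": "http"}
    # Any TLS record starts with a content type byte and major version 3.
    if len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        ctype, _major, minor, length = struct.unpack("!BBBH", data[:5])
        version = f"TLS 1.{minor - 1}" if minor >= 1 else "SSL 3.0"
        if ctype != TLS_ALERT:
            return {"kind": "tls_record", "version": version, "length": length}
        body = data[5:5 + length]
        level = body[0] if body else None
        if len(body) >= 2:
            desc = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
        else:
            # Inference: Go's net/http reads the status line up to '\n' (0x0a)
            # and drops it; alert code 10 (unexpected_message) is exactly 0x0a,
            # so a body cut off after the level byte most likely carried it.
            desc = "unexpected_message (inferred: 0x0a eaten as line terminator)"
        return {"kind": "tls_alert", "version": version,
                "level": ALERT_LEVELS.get(level, str(level)),
                "description": desc, "truncated": len(body) < length}
    return {"kind": "unknown"}


def explain(data: bytes) -> str:
    """One-line diagnosis for an operator reading a Go 'malformed HTTP response'."""
    info = classify_response(data)
    if info["kind"] == "tls_alert":
        return (f"server sent a {info['version']} {info['level']} alert "
                f"({info['description']}): the client spoke plaintext HTTP to a "
                f"TLS listener, so fix the scheme (https://), not the certificates")
    if info["kind"] == "tls_record":
        return f"server spoke {info['version']} but the client did not use TLS"
    return "plaintext HTTP" if info["kind"] == "http" else "not HTTP or TLS"


# Constructed from the bytes quoted in the Vault error message above.
GO_ERROR_BYTES = b"\x15\x03\x01\x00\x02\x02"
```

The later "x509: certificate signed by unknown authority" error in this thread is a different stage: there the client does speak TLS, but does not trust the CA, which this byte-level check cannot see.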


Lowe Schmidt

Sep 8, 2018, 4:06:49 AM
to vault...@googlegroups.com
What does vault read consul/config/access give you?
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/27cef69c-3668-45ee-893b-2295cf13445e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nikolai Orenstrakh

Sep 8, 2018, 9:05:30 AM
to Vault
[vault@uat-shd-configuration-vault-0 ~]$ vault read consul/config/access
Key        Value
---        -----
address    127.0.0.1:8080
scheme     http

Nikolai Orenstrakh

Sep 8, 2018, 9:08:39 AM
to Vault
Seems like it has the http configuration, but according to step 3 in the guide I should configure it as:

$ vault write consul/config/access \
    address=127.0.0.1:8500 \
    token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4

Should I change it to this?
$ vault write consul/config/access \
    address=https://127.0.0.1:8080 \
    token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4




Nikolai Orenstrakh

Sep 8, 2018, 9:39:34 AM
to Vault
I was able to configure the scheme with:
vault write consul/config/access address=127.0.0.1:8080 scheme=https

However, now it fails because I have self-signed certificates:
vault read consul/creds/developers
Error reading consul/creds/developers: Error making API request.

Code: 400. Errors:

* Put https://127.0.0.1:8080/v1/acl/create: x509: certificate signed by unknown authority

I assume I can configure the cacert/client-key/client-cert the same way as scheme=https,

I'm just not sure what the command line options for this are. Any suggestion? The documentation doesn't mention any of these :(



Jeff Mitchell

Sep 10, 2018, 9:41:41 AM
to Vault
Hi Nikolai,

If you need the Consul client to act in specific ways, I suggest
taking a look at the env vars for the client, such as
https://www.consul.io/docs/agent/options.html#ca_file -- since Vault
uses a standard Consul client it should respect these.

Best,
Jeff

Nikolai Orenstrakh

Sep 10, 2018, 10:57:45 AM
to Vault
Hi Jeff, thanks for your help,

however that section of the documentation is not referencing environment variables, it is for config files;
my Consul config already points to all the TLS files.
As I understand it, environment variables only affect the CLI commands, but Vault will not use the CLI.
Any clue why the Consul client doesn't use the predefined certs in the Consul config?


{
  "addresses": {"https": "0.0.0.0"},
  "ports": {"https": 8080},
  "datacenter": "dc1",
  "data_dir": "/etc/consul.d/data",
  "encrypt": "i...",
  "log_level": "INFO",
  "enable_script_checks": true,
  "enable_syslog": true,
  "enable_debug": true,
  "node_name": "uat-..",
  "verify_server_hostname": true,
  "server": false,
  "server_name": "server.dc1.consul",
  "rejoin_after_leave": true,
  "retry_join": ["provider=gce project_name=infr...."],
  "key_file": "/dat...",
  "disable_remote_exec": true,
  "ca_file": "/etc/consul.d/ssl/ca.cert",
  "cert_file": "/etc/consul.d/ssl/consul.cert",
  "key_file": "/etc/consul.d/ssl/consul.key",
  "verify_outgoing": true,
  "verify_incoming": true,
  "acl_datacenter": "dc1",
  "acl_down_policy": "extend-cache",
  "acl_agent_token": "cb7e2..."
}


