All,
I'm seeing an error in vault.log after adding a wildcard cert to my vault configuration. Previously I was using a self-signed certificate which contained the IP address of the server and I did not see this. The wildcard cert only contains the domain and not the IP address or hostname of the server.
The error is:
http: TLS handshake error from x.x.x.x:x: remote error: tls: bad certificate
I see this entry once per minute. I'm using consul as the backend and I can see that the vault service is reporting healthy in consul. I do not have any external checks that run once per minute, nor have I created a consul health check for vault, so I suspect this comes from an automatic vault/consul health check.
I haven't been able to find any documentation on such a check. I was curious to see if I could possibly modify the check to use https instead of http if that's the issue or possibly skip the tls verification.
My vault config:
backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address       = "x.x.x.x:8200"
  tls_cert_file = "/etc/vault/ssl/some_domain.crt"
  tls_key_file  = "/etc/vault/ssl/some_domain.key"
}
It appears that everything is working. Is this just something I have to live with since the cert does not contain the IP?
Thanks,
Kevin
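What a client sees when it dials a wildcard-only certificate by IP, and what the server logs for it, as an added example that is not part of Kevin's post and not code from Vault or Consul. A TLS client that dials `x.x.x.x:8200` and validates the server certificate checks that the IP literal appears as an IP SAN; a wildcard DNS SAN cannot satisfy that, so the client sends a `bad_certificate` alert and the server side logs `remote error: tls: bad certificate`, the line quoted above. The names `*.example.com` and `vault.example.com`, the loopback address and the self-signed, short-lived certificates are assumptions made for the demonstration, not the poster's real values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert issues a self-signed, short-lived certificate whose identities are
// exactly the SAN entries given: a wildcard cert with only a DNS SAN, or a
// cert that also carries the listener's IP (like the old self-signed one).
// The names passed in by callers are assumptions, not the poster's real ones.
func makeCert(dnsNames []string, ips []net.IP) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: "example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets a client pin this cert directly as a root
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// hostnameOK reports whether the cert is valid for the name or IP literal a
// client dials, using the same SAN matching rules Go's TLS client applies.
func hostnameOK(cert tls.Certificate, host string) bool {
	return cert.Leaf.VerifyHostname(host) == nil
}

// handshakeAs serves one TLS handshake with cert on loopback and dials it as
// a client that trusts cert but identifies the server as serverName. It
// returns both ends' handshake errors; the server-side one is what a server
// log such as vault.log would show.
func handshakeAs(cert tls.Certificate, serverName string) (clientErr, serverErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err, nil
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		done <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err == nil {
		conn.Close()
	}
	return err, <-done
}

func main() {
	wild, err := makeCert([]string{"*.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	// Which dial targets does a wildcard-only cert cover? Only one-label subdomains.
	for _, host := range []string{"vault.example.com", "example.com", "127.0.0.1"} {
		fmt.Printf("%-18s covered by *.example.com: %v\n", host, hostnameOK(wild, host))
	}
	// Dial by name succeeds; dial by IP fails on the client and the server
	// sees the resulting "remote error: tls: bad certificate" alert.
	for _, target := range []string{"vault.example.com", "127.0.0.1"} {
		cErr, sErr := handshakeAs(wild, target)
		fmt.Printf("dial as %s\n  client: %v\n  server: %v\n", target, cErr, sErr)
	}
	// A cert that also lists the IP satisfies a client that dials the IP.
	withIP, err := makeCert([]string{"vault.example.com"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	cErr, sErr := handshakeAs(withIP, "127.0.0.1")
	fmt.Printf("dial as 127.0.0.1 with IP SAN\n  client: %v\n  server: %v\n", cErr, sErr)
}
```

Run it with `go run`. The point it makes is that the failing client is identified by what it dials, not by the server: anything that connects to the listener by IP address and verifies the certificate will produce the logged line, and the two ways to make it stop are to have that client dial the certificate's DNS name (or skip verification, if it supports that) or to issue a certificate whose SANs include the IP.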