Vault TLS handshake error


Kevin Liquori

Jan 18, 2018, 9:39:47 AM
to Vault
All,

I'm seeing an error in vault.log after adding a wildcard cert to my vault configuration. Previously I was using a self-signed certificate which contained the IP address of the server and I did not see this. The wildcard cert only contains the domain and not the IP address or hostname of the server.

The error is:
http: TLS handshake error from x.x.x.x:x: remote error: tls: bad certificate

I see this entry once per minute. I'm using Consul as the backend and I can see that the vault service is reporting healthy in Consul. I do not have any external checks that run once per minute, nor have I created a Consul health check for Vault, so I suspect this comes from an automatic Vault/Consul health check.

I haven't been able to find any documentation on such a check. I was curious to see if I could possibly modify the check to use https instead of http if that's the issue or possibly skip the tls verification.

My vault config:

backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address       = "x.x.x.x:8200"
  tls_cert_file = "/etc/vault/ssl/some_domain.crt"
  tls_key_file  = "/etc/vault/ssl/some_domain.key"
}

It appears that everything is working. Is this just something I have to live with since the cert does not contain the IP? 

Thanks,
Kevin

Jeff Mitchell

Jan 18, 2018, 12:37:31 PM
to Vault
Hi Kevin,

You can disable registration of the service by setting "disable_registration" to "true", but alternately you can set "api_addr" at the top level (not in the consul block) to the value you want registered, e.g. "https://my.server.com:8200". (In previous versions of Vault this was "redirect_add" in the consul block).

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/310cf2e3-fc32-4cd5-94a6-1cd049a252e2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin Liquori

Jan 23, 2018, 11:03:38 AM
to Vault
Hey Jeff,
I tried adding redirect_add (I'm on version 0.8.3) as well as setting disable_registration. Additionally, I replaced the listener IP address with a FQDN in the same domain as the wildcard certificate. But none of these solutions worked. I'm still seeing the errors in the log. So the test/check may not be coming from Consul.

Thanks,
Kevin

Jeff Mitchell

Jan 23, 2018, 11:08:16 AM
to Vault
Hi Kevin,

Thinking about it some more, I don't _think_ that Consul uses http for the built-in health checks but rather that it goes via the API client.

Is the IP address in the error you're getting not 127.0.0.1? If not can you figure out which box it's coming from?

Best,
Jeff


Kevin Liquori

Jan 23, 2018, 11:19:19 AM
to Vault
Hi Jeff,
Correct, it is not 127.0.0.1, but it is the IP address of the vault server itself. So the check is coming from itself.

Thanks,
Kevin
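The failure the thread circles around is a subject-alternative-name mismatch: a Go TLS client (Vault and Consul are both Go programs) checks the name it dialled against the certificate's SANs, and when the dialled name is a bare IP that the wildcard cert never listed, the client rejects the handshake and sends the bad_certificate alert that Vault logs. The following Go program is an added example, not code from the thread or from Vault: it builds two constructed self-signed certificates (wildcard DNS SAN only, and wildcard plus an IP SAN) and asks crypto/x509 the same question a client would. The host names and the 10.0.0.5 address are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSANCert builds a constructed, self-signed certificate carrying the given
// DNS and IP subject alternative names. No chain is built: only SAN matching
// matters for this check.
func NewSANCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example"},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports whether a Go TLS client would accept cert for the host name or
// IP literal it dialled; a false here is the client-side rejection that the
// server sees as "remote error: tls: bad certificate".
func Covers(cert *x509.Certificate, addr string) bool {
	return cert.VerifyHostname(addr) == nil
}

func main() {
	wildcard, _ := NewSANCert([]string{"*.example.com"}, nil) // like the thread's cert
	withIP, _ := NewSANCert([]string{"*.example.com"}, []net.IP{net.ParseIP("10.0.0.5")})
	for _, addr := range []string{"vault.example.com", "example.com", "10.0.0.5"} {
		fmt.Printf("%-18s wildcard-only=%-5v with-IP-SAN=%v\n", addr, Covers(wildcard, addr), Covers(withIP, addr))
	}
}
```

Note that the wildcard also fails for the bare apex name, since a single wildcard label matches exactly one DNS label; the two remedies are to have every client dial a name the cert lists (which is what pointing api_addr at an https URL with the DNS name achieves) or to reissue the certificate with the IP in its SANs.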