Does Vault (CLI) need intermediate CA certs installed locally for TLS cert verification to work?


Alex Ku

Nov 14, 2016, 12:15:21 PM11/14/16
to Vault
Dear Vault friends, et al.,

== Question ==
In general, for a given SSL cert whose cert chain is rather typical (one or more intermediate issuers before arriving at some recognized global root of some CA), do hosts running Vault CLI need to have intermediate CAs' certs installed locally for it to work with VAULT_SKIP_VERIFY=0?

== Background ==
With my test setting (described below), which I think is a typical scenario, I'm seeing an issue where vault operations through the CLI would complain about "X509: certificate signed by unknown authority":

1. Vault deployment - a load balancer in front of a few Vault instances, where the LB serves as a pass-through and SSL terminates at the Vault instances
2. SSL Cert - same wildcard cert has been installed across my Vault instances
3. Local machine where Vault CLI was run - VAULT_SKIP_VERIFY=0 set on my local machine, the CA of intermediate cert and root cert is the same CA (and a recognized one), and only the root CA's cert was already installed

I'm puzzled by this, because once I install the intermediate CA cert locally (in addition to the Root CA cert that was previously installed) I was finally able to hit up Vault through Vault CLI with VAULT_SKIP_VERIFY set to 0, even though I wouldn't expect the intermediate CA certs to be required locally on my machine in this case.

Thanks,
Alex

Michael Fischer

Nov 14, 2016, 6:59:11 PM11/14/16
to vault...@googlegroups.com
The clients don't need the intermediate certificates in their trust databases, only the root certificate -- but if the intermediate certificates are missing, you need to ensure that the full chain (ordered from leaf to root) is in the certificate file you've specified in the Vault configuration.

You can tell if it's working via "openssl s_client -showcerts -connect host:8200".

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d89197b0-42cc-44f9-b4d5-c24a00e24e86%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
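The behaviour Michael describes can be reproduced end to end without any real CA. The following Go program is an added example (not code from the thread, from Vault, or from HashiCorp): it builds a constructed root CA, intermediate CA and wildcard leaf certificate in memory, puts only the root in the client's trust store (as on Alex's laptop), and then runs two TLS handshakes over loopback. In the first the server's certificate file holds only the leaf, which is what produces "x509: certificate signed by unknown authority" on the client; in the second the server presents leaf plus intermediate, and the same root-only client verifies it. The CA names, the `*.vault.example` wildcard and the server name `vault1.vault.example` are all constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with signer. parent == nil means self-signed (a root).
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

type chain struct {
	root, inter, leaf *x509.Certificate
	leafKey           *ecdsa.PrivateKey
}

// buildChain constructs root -> intermediate -> wildcard leaf, all in memory.
func buildChain() chain {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn}, // constructed names
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root := mkCert(caTmpl(1, "Example Root CA"), nil, &rootKey.PublicKey, rootKey)
	inter := mkCert(caTmpl(2, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "*.vault.example"},
		DNSNames:     []string{"*.vault.example"}, // wildcard SAN, as in the question
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mkCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return chain{root: root, inter: inter, leaf: leaf, leafKey: leafKey}
}

// handshake runs one TLS handshake over loopback. serverChain plays the role of
// the certificate file in the Vault config (leaf first); the client trusts only rootPool.
func handshake(serverChain []*x509.Certificate, leafKey *ecdsa.PrivateKey, rootPool *x509.CertPool) error {
	var der [][]byte
	for _, c := range serverChain {
		der = append(der, c.Raw)
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: der, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		if tc, ok := c.(*tls.Conn); ok {
			tc.Handshake() // server side; any client alert surfaces here and is ignored
		}
		c.Close()
	}()
	cliCfg := &tls.Config{RootCAs: rootPool, ServerName: "vault1.vault.example"}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // e.g. "x509: certificate signed by unknown authority"
	}
	return conn.Close()
}

// checkChain returns the client-side error for a leaf-only server and for a
// server that sends the full chain; the client trusts only the root in both cases.
func checkChain() (leafOnly error, fullChain error) {
	ch := buildChain()
	roots := x509.NewCertPool()
	roots.AddCert(ch.root) // root only: the intermediate is deliberately NOT trusted locally
	leafOnly = handshake([]*x509.Certificate{ch.leaf}, ch.leafKey, roots)
	fullChain = handshake([]*x509.Certificate{ch.leaf, ch.inter}, ch.leafKey, roots)
	return
}

func main() {
	leafOnly, fullChain := checkChain()
	fmt.Println("server sends leaf only:        ", leafOnly)
	fmt.Println("server sends leaf+intermediate:", fullChain)
}
```

The first handshake fails exactly the way the question describes, and installing the intermediate on the client would paper over it; the second succeeds because the server supplies the intermediate itself, which is what `openssl s_client -showcerts` lets you confirm against a real listener.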
