Failed to parse Certificate error trying to configure Certificate authentication


Claude Chausse-ccr

Aug 22, 2018, 5:10:19 PM
to Vault
I am trying to set up my environment to perform Certificate authentication with Vault for all my build-servers.

First I have created a pki backend to take care of my certificates. 

For every server I create a certificate using the following command. 

vault write pki-auth/issue/build-server common-name="some-server.mydomain.com" dns_sans="some-server.mydomain.com" ttl=8760h format=pem

> "build-server" is a role I have created on the backend. 

Afterwards I write all the certificate strings into 3 files (ca, key, crt) (still looking for a way to automate that, but that is not the issue here).

Then from the generated certificates (now in the files) I try to add it to the auth backend using the following command:

vault write auth/cert/certs/some-name -certificate=@some-server.crt.pem policies="dev-read,prod-read" ttl=360h

and every time I get the following error:
---------------
Error writing data to auth/cert/certs/test-server: Error making API request.

Code: 400. Errors:

* failed to parse certificate
---------------

The file some-server.crt.pem contains a valid certificate that I can validate using the following command

openssl x509 -in some-server.crt.pem -text -noout

What could be wrong?

Claude Chausse-ccr

Aug 23, 2018, 2:59:19 PM
to Vault
Does anyone have any idea?
Is this a known issue or am I alone with this problem?

Jeff Mitchell

Aug 23, 2018, 4:44:15 PM
to Vault
Hi Claude,

Can you paste the contents of some-server.crt.pem?

Best,
Jeff


Claude Chausse-ccr

Aug 23, 2018, 4:55:56 PM
to Vault
Sure.
Here is one:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Jeff Mitchell

Aug 23, 2018, 5:02:23 PM
to Vault
Hi Claude,

I just noticed - in your command you are passing in '-certificate=@...' instead of just 'certificate=@....'. Note the leading hyphen.

Best,
Jeff

Claude Chausse-ccr

Aug 23, 2018, 5:07:00 PM
to Vault
That was it. 

I can't believe I did not notice. 

The error message was not helping much but anyway now I am a happy man. 

Thank you so much. 
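
The procedure from this thread, as an added example that is not code from the posters or from the Vault project: it splits the JSON output of the issue command (run with the CLI's `-format=json` option) into the three files, then builds the cert auth registration command and rejects a data argument with a leading hyphen. The function names, the file suffixes and the sample response are assumptions made for the example.

```python
import json
import os

# Response fields of `vault write -format=json pki-auth/issue/build-server ...`
# mapped to file suffixes (suffixes are assumed names for this example).
FIELDS = {"issuing_ca": "ca.pem", "private_key": "key.pem", "certificate": "crt.pem"}

# Constructed sample response: placeholder PEM bodies, not real key material.
SAMPLE_RESPONSE = json.dumps({"data": {
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----",
    "certificate": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----",
}})


def split_issue_response(response_json, out_dir, prefix):
    """Write <prefix>.ca.pem, <prefix>.key.pem and <prefix>.crt.pem; return their paths."""
    data = json.loads(response_json)["data"]
    paths = {}
    for field, suffix in FIELDS.items():
        pem = data[field].strip()
        if not (pem.startswith("-----BEGIN ") and pem.endswith("-----")):
            raise ValueError(f"{field} does not look like PEM")
        path = os.path.join(out_dir, f"{prefix}.{suffix}")
        # Create with mode 0600 so the private key is never group/world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem + "\n")
        paths[field] = path
    return paths


def cert_auth_command(name, data_args):
    """Return argv for `vault write auth/cert/certs/<name> K=V...`, checking each K=V."""
    for arg in data_args:
        key, sep, _value = arg.partition("=")
        # The mistake found in this thread: `-certificate=@...` instead of `certificate=@...`.
        if not sep or not key or key.startswith("-"):
            raise ValueError(f"not a plain key=value data argument: {arg!r}")
    return ["vault", "write", f"auth/cert/certs/{name}", *data_args]


if __name__ == "__main__":
    import tempfile
    files = split_issue_response(SAMPLE_RESPONSE, tempfile.mkdtemp(), "some-server")
    print(cert_auth_command("some-name", [f"certificate=@{files['certificate']}",
                                          "policies=dev-read,prod-read", "ttl=360h"]))
```

The returned list can be passed to `subprocess.run` once `VAULT_ADDR` and a token are set in the environment.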