cannot curl against /v1/auth/app-id/login


fin...@addthis.com

Mar 2, 2016, 4:42:38 PM
to Vault
I'm trying to work out how to use the app-id plugin

I have the auth endpoint enabled.

~|⇒ vault auth-enable app-id
Error: Error making API request.

Code: 400. Errors:

* path is already in use

But I can't curl against it.

findley@tmux:~$ curl -v --insecure --cacert example.local.ca.cert.pem -X POST -d '{"app_id":"tmux", "user_id": "cshQsGTWIu8kw"}' "https://vault.example.local:8200/v1/auth/app-id/login"
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> POST /v1/auth/app-id/login HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: vault.example.local:8200
> Accept: */*
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://vault.example.local:8200/v1/auth/app-id/login'
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* TLS disabled due to previous handshake failure
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

What am I doing wrong?

Vishal Nayak

Mar 2, 2016, 4:54:45 PM
to Vault
Hi,

It looks like there was a problem with the TLS handshake.

Curl is trying to establish the connection without the certificate.
Can you try without the "--insecure" option?

Regards,
Vishal

fin...@addthis.com

Mar 2, 2016, 5:46:12 PM
to Vault
Here's a bit more context, showing that I *am* able to connect to it over https enough to query the status.

findley@asu124:~$ vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

High-Availability Enabled: true
        Mode: active
        Leader: https://10.15.21.29:8200
findley@asu124:~$ curl -v -X POST -d '{"app_id":"tmux", "user_id": "cshQsGTWIu8kw"}' "https://vault.example.local:8200/v1/auth/app-id/login"
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> POST /v1/auth/app-id/login HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: vault.example.local:8200
> Accept: */*
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://vault.example.local:8200/v1/auth/app-id/login'
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* TLS disabled due to previous handshake failure
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
35 findley@asu124:~$ curl -v --cacert example.local.ca.cert.pem -X POST -d '{"app_id":"tmux", "user_id": "cshQsGTWIu8kw"}' "https://vault.example.local:8200/v1/auth/app-id/login"
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: example.local.ca.cert.pem
  CApath: none
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> POST /v1/auth/app-id/login HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: vault.example.local:8200
> Accept: */*
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://vault.example.local:8200/v1/auth/app-id/login'
* About to connect() to vault.example.local port 8200 (#0)
*   Trying 10.15.5.29... connected
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* TLS disabled due to previous handshake failure
*   CAfile: example.local.ca.cert.pem
  CApath: none
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error


MJensen

Mar 2, 2016, 7:31:01 PM
to Vault
I ran into issues with "SSL connect errors" using the 7.19.+ version of curl, specifically the * Error in TLS handshake, trying SSLv3... You may need to update to a more current version of curl. I am currently using curl v7.47.1 from www.city-fan.org and it resolved those errors.

HTH,
- MJensen



fin...@addthis.com

Mar 2, 2016, 7:42:51 PM
to Vault

Yep.  That was it.  Thanks folks!
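The traces above never show a `<` response line: the connection dies inside the TLS handshake, so Vault never sees the login request and neither `--insecure` nor `--cacert` can change the outcome. The following script is an added example, written for this thread and not posted by anyone in it, that triages a `curl -v` trace the way MJensen did by hand. It assumes NSS's numbering where -12190 is SSL_ERROR_PROTOCOL_VERSION_ALERT (peer rejected the offered protocol version) and that the Vault TCP listener exposes a `tls_min_version` setting; the sample traces are constructed from the lines quoted in the thread, with one extra constructed success case for contrast.

```python
"""Triage a failing `curl -v` call against Vault before blaming the auth backend.

Added example (not from the thread). It classifies a curl verbose trace plus the
command line that produced it: did the request die in TLS, or did Vault answer?
"""
import re

# NSS error code seen in the thread's traces (mapping assumed from NSS sslerr.h):
# -12190 means the peer rejected the protocol version the client offered, i.e. a
# client/server TLS version mismatch rather than a certificate or credential issue.
NSS_ERRORS = {
    -12190: "SSL_ERROR_PROTOCOL_VERSION_ALERT (peer rejected offered TLS version)",
}

# Constructed from the first trace in the thread.
FAILING_COMMAND = ("curl -v --insecure --cacert example.local.ca.cert.pem -X POST "
                   "-d '{\"app_id\":\"tmux\", \"user_id\": \"cshQsGTWIu8kw\"}' "
                   "\"https://vault.example.local:8200/v1/auth/app-id/login\"")
FAILING_TRACE = """\
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
> POST /v1/auth/app-id/login HTTP/1.1
> Host: vault.example.local:8200
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
* Connection died, retrying a fresh connect
* TLS disabled due to previous handshake failure
* NSS error -12190
curl: (35) SSL connect error
"""

# Constructed success case: a modern curl, JSON labelled as JSON, Vault answers.
OK_COMMAND = ("curl -v -X POST -H 'Content-Type: application/json' "
              "-d '{\"app_id\":\"tmux\", \"user_id\": \"cshQsGTWIu8kw\"}' "
              "\"https://vault.example.local:8200/v1/auth/app-id/login\"")
OK_TRACE = """\
* Connected to vault.example.local (10.15.5.29) port 8200 (#0)
> POST /v1/auth/app-id/login HTTP/1.1
> Host: vault.example.local:8200
> Content-Type: application/json
> Content-Length: 45
< HTTP/1.1 200 OK
< Content-Type: application/json
"""


def classify_curl_trace(command: str, trace: str) -> dict:
    """Return {"stage", "nss_error", "findings"} for a curl -v trace."""
    lines = trace.splitlines()
    sent = [l[2:] for l in lines if l.startswith("> ")]
    received = [l[2:] for l in lines if l.startswith("< ")]
    findings = []

    nss = re.search(r"NSS error (-\d+)", trace)
    nss_code = int(nss.group(1)) if nss else None

    if any(l.startswith("HTTP/") for l in received):
        stage = "http"  # the server answered; any error now is Vault's, not TLS's
    elif "SSL connect error" in trace or nss_code is not None:
        stage = "tls_handshake"
        findings.append("no HTTP response line received: the failure is in the TLS "
                        "handshake, so Vault never saw the login request")
    else:
        stage = "unknown"

    if nss_code in NSS_ERRORS:
        findings.append(f"NSS error {nss_code} = {NSS_ERRORS[nss_code]}")
    if "trying SSLv3" in trace:
        findings.append("curl fell back to SSLv3, which a TLS 1.2-only listener refuses; "
                        "upgrade curl/NSS or compare with the listener's tls_min_version")
    if {"--insecure", "-k"} & set(command.split()):
        findings.append("--insecure/-k only skips certificate verification; it cannot fix "
                        "a protocol-version mismatch and should not be used")
    body = re.search(r"(?:-d|--data)\s+'([^']*)'", command)
    ctype = next((h.split(":", 1)[1].strip() for h in sent
                  if h.lower().startswith("content-type:")), None)
    if body and body.group(1).lstrip().startswith("{") \
            and ctype == "application/x-www-form-urlencoded":
        findings.append("JSON body sent with a form-encoded Content-Type; pass "
                        "-H 'Content-Type: application/json' to label it correctly")
    return {"stage": stage, "nss_error": nss_code, "findings": findings}


if __name__ == "__main__":
    for name, cmd, trace in (("failing", FAILING_COMMAND, FAILING_TRACE),
                             ("ok", OK_COMMAND, OK_TRACE)):
        result = classify_curl_trace(cmd, trace)
        print(f"[{name}] stage={result['stage']} nss_error={result['nss_error']}")
        for f in result["findings"]:
            print("  -", f)
```

The decisive signal is the absence of any `< HTTP/` line: once a trace reaches the `http` stage, a 400 or 403 from `/v1/auth/app-id/login` is a Vault-side answer worth reading, whereas everything before that is the client's TLS stack. Running it on the thread's trace reports the handshake stage, the -12190 alert and the SSLv3 fallback, which is exactly the curl/NSS version problem MJensen identified.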