Error: failed to decode PEM block in the certificate


da...@smartbit.be

Nov 7, 2017, 9:34:58 AM
to Vault
Hi all

I want to set up an LDAP authentication backend with TLS enabled. So in the LDAP config I specify:

{
...
"starttls":"true",
"certificate":"certificate.pem" 
...

When I want to apply the config with the command: curl --header "X-Vault-Token:token" --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/ldap/config I'll get the error: {"errors":["failed to decode PEM block in the certificate"]}.

The certificate comes from a Vault pki backend after setting up a certificate authority with the command: curl --request GET http://127.0.0.1:8200/v1/pki/ca/pem and looks like:

-----BEGIN CERTIFICATE-----
MIIFKTCCAxGgAwIBAgIUe9JxyceDHK2AOxyjiHqdMm5zzh8wDQYJKoZIhvcNAQEL
...
qrDvkKv+tL8VdgNsMtemjoYSJB3ZEs6gXlWCN7w=
-----END CERTIFICATE-----

Any ideas what I'm doing wrong here?

Regards
Davy

Chris Hoffman

Nov 7, 2017, 9:41:24 AM
to vault...@googlegroups.com
You will need to provide the JSON encoded text of your certificate in the "certificate" field to the LDAP config options instead of the filename.  The CLI does this for you if you provide the parameter "certificate=@certificate.pem".

Chris

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9ea92842-9d36-4b78-8c1c-cd62b4bf592a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David B

Dec 13, 2017, 11:39:41 AM
to Vault
Can you provide an example using the API?  I'm using curl on Windows to configure the LDAP backend and applying it as Davy says, getting the same error.  The LDAP config, which works otherwise, is:

{
  "binddn": "CN=foo,DC=domain,DC=com",
  "bindpass": "12345",
  "userdn": "ou=DC=domain,DC=com",
  "userattr": "samaccountname",
  "deny_null_bind": true,
  "groupattr": "memberOf",
  "groupdn": "ou=blah,DC=domain,DC=com",
  "groupfilter": "(&(objectClass=person)(uid={{.Username}}))",
  "insecure_tls": false,
  "starttls": true,
  "tls_max_version": "tls12",
  "tls_min_version": "tls12",
  "url": "ldap://server.com",
  "certificate": "C:\\Users\\path\\vault.pem"
}

thanks

On Tuesday, November 7, 2017 at 9:41:24 AM UTC-5, Chris Hoffman wrote:
You will need to provide the JSON encoded text of your certificate in the "certificate" field to the LDAP config options instead of the filename.  The CLI does this for you if you provide the parameter "certificate=@certificate.pem".

Jeff Mitchell

Dec 13, 2017, 2:05:41 PM
to Vault
Hi David,

On Wed, Dec 13, 2017 at 11:39 AM, David B <dbloc...@gmail.com> wrote:
Can you provide an example using the API?  I'm using curl on Windows to configure the LDAP backend and applying it as Davy says, getting the same error.  The LDAP config, which works otherwise, is:

{
  "binddn": "CN=foo,DC=domain,DC=com",
  "bindpass": "12345",
  "userdn": "ou=DC=domain,DC=com",
  "userattr": "samaccountname",
  "deny_null_bind": true,
  "groupattr": "memberOf",
  "groupdn": "ou=blah,DC=domain,DC=com",
  "groupfilter": "(&(objectClass=person)(uid={{.Username}}))",
  "insecure_tls": false,
  "starttls": true,
  "tls_max_version": "tls12",
  "tls_min_version": "tls12",
  "url": "ldap://server.com",
  "certificate": "C:\\Users\\path\\vault.pem"
}

Remember, the Vault server is being given this block -- it doesn't have access to local paths. What you need in the certificate field is the actual contents of that vault.pem file (with newlines properly escaped), something like "=====BEGIN CERTIFICATE=====\nXYWKDLW......"

Best,
Jeff 
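
An added example (not code from the thread or from Vault itself) that makes Chris's and Jeff's point concrete: the value Vault receives in "certificate" has to be the PEM text, so a Windows path fails the very first check, while the embedded file contents survive json.Marshal with their newlines escaped as \n. The checkCertificate function is assumed to mirror Vault's validation; the throwaway CA certificate it generates is constructed for the demo in place of the output of GET /v1/pki/ca/pem.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// checkCertificate mirrors (assumption) Vault's own validation: a PEM CERTIFICATE block, not a file path.
func checkCertificate(cert string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(cert))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("failed to decode PEM block in the certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// buildPayload embeds the PEM text, as "certificate=@file.pem" on the CLI does; json.Marshal escapes newlines as \n.
func buildPayload(url string, certPEM []byte) ([]byte, error) {
	if _, err := checkCertificate(string(certPEM)); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]interface{}{"url": url, "starttls": true, "certificate": string(certPEM)})
}

// selfSignedPEM builds a throwaway CA certificate, constructed here to stand in for GET /v1/pki/ca/pem output.
func selfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, _ := selfSignedPEM() // demo only; errors are checked in the functions above
	payload, err := buildPayload("ldap://server.com", certPEM)
	fmt.Println(string(payload), err)
}
```

The printed payload is what curl should POST to /v1/auth/ldap/config; passing a path such as C:\Users\path\vault.pem to buildPayload returns the same error the thread reports.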

David B

Dec 13, 2017, 4:18:07 PM
to Vault
Thanks - I inserted the contents of the pem file as a long string having removed newlines and the values were successfully written to the vault config.
Now when authenticating I get this error:

* error connecting to host "ldap://servercom": LDAP Result Code 200 "Network Error": TLS handshake failed (x509: certificate signed by unknown authority)

The cert is from a known CA - other certs from this CA are used throughout our organization.  Any thoughts?

Thanks

Jeff Mitchell

Dec 28, 2017, 11:24:56 AM
to Vault
Hi David,

My guess is that it's not the correct certificate. Is it the CA certificate that was used to issue the LDAP server's TLS certificate?

Best,
Jeff
