[Newbie] Trouble mapping client authentication certificate to a policy


Jay

Jun 4, 2018, 12:45:50 PM
to Vault

I started playing around with Vault and can get some of the configurations and things to work by following the Getting Started documentation.

I am interested in enabling/using certificate based authentication. 

First I created a config file (below) where I enabled TLS (set tls_disable=0) in the listener and specified a server certificate file and key for use by Vault. I set the Vault address (the address parameter in the listener) to the certificate's common name (vault-server.fqdn below).

listener "tcp" {
  address       = "vault-server.fqdn:8200"
  tls_disable   = 0
  tls_cert_file = "./vault_server_cert.pem"
  tls_key_file  = "./vault_server_key.pem"
}


I also set the environment variable VAULT_CACERT to point to the root/CA certificate file that issued the above server certificate, and the VAULT_ADDR env variable to "https://vault-server.fqdn:8200". These env variables were set prior to starting Vault.

I then launched Vault with the above configuration file (which also had storage configured properly). It comes up fine; I initialized it, unsealed it and managed to log in using the root token successfully.

I then enabled certificate auth method by doing "vault auth enable cert" which succeeded. 

I then created a policy and wrote it to Vault by doing "vault policy write <my-policy-name> <path-to-policy-file>", which was also successful.

Then I wanted to configure a certificate that could be used to authenticate/login to Vault and have it map to the above policy. So I created a certificate issued by the same CA as specified in VAULT_CACERT. Then I tried the following:

vault write auth/cert/certs/vault-client-cert display_name=vault-client-cert policies=<policy-name> certificate=<path to vault-client-cert.pem>


where vault-client-cert is the CN in the certificate and <policy-name> is the same policy I had configured/written to Vault above. But I get the following error:

Error writing data to auth/cert/certs/vault-client-cert: Error making API request.

URL: PUT https://vault-test.rfc1918.puppetlabs.net:8200/v1/auth/cert/certs/vault-client-cert
Code: 400. Errors:

* failed to parse certificate


The certificate is valid, openssl can read and parse it fine, and it has the "Digital Signature, Key Encipherment" key usages. Are there any specific requirements on certificate contents?

What could be wrong? I do not see any detailed errors in the session where the Vault server is running. Is there a way to configure more detailed error or log messages? Did I miss setting some (other/additional) configuration?

thanks
Jay

  

Jay

Jun 4, 2018, 2:16:41 PM
to Vault
I managed to get past the issue of not being able to associate a policy with a client authentication certificate. I had missed specifying "@" in front of the certificate file when doing
vault write auth/cert/certs/<cert-name> display_name=<does-this-matter> policies=<my-policy> certificate=@path-to-certificate-file

However, now when I attempt to log in using the above certificate, like below, I get prompted for a token?? I am confused. Doesn't certificate authentication, if successful, create a token and associate it with the policy? That happened when I had not specified the "name" argument to the login command.

vault login -method=cert -ca-cert=VaultCA.pem -client-cert=vault_client_cert.pem -client-key=vault_client_key.pem


When I specify the "name" argument to the login command above with its value set to the same as what was specified in "display_name" when associating the policy with this certificate, I get the following error:


Error authenticating: Error making API request.

URL: PUT https://vault-test.rfc1918.puppetlabs.net:8200/v1/auth/cert/login
Code: 400. Errors:

* invalid certificate or no client certificate supplied


The certificate specified is the same as what I associated the policy with. What could I be missing?

thanks
Jay

Jay

Jun 4, 2018, 7:29:10 PM
to Vault
I think I figured out the issue.

One needs to specify the same name as what was configured under "auth/cert/certs/xxxxx" when associating a policy with the certificate in the "name" parameter to vault login. And of course the @ in the certificate file name matters when associating it with a policy.

The following worked: 

ubuntu@vault-test:vaultbin$ vault write auth/cert/certs/vault-client display_name=master-vault-client-secrets policies=master-secrets certificate=@vault_client_cert.pem

Success! Data written to: auth/cert/certs/vault-client

ubuntu@vault-test:vaultbin$ vault login -method=cert -ca-cert=VaultCA.pem -client-cert=vault_client_cert.pem -client-key=vault_client_key.pem name=vault-client

The error was not very intuitive to understand and figure out at first.

thx
Jay 

Becca Petrin

Jun 4, 2018, 7:36:13 PM
to Vault
Thanks for pointing that out, Jay!

Yeah, I was looking at https://www.vaultproject.io/docs/auth/cert.html and I see exactly what you're talking about. The "@" for a file is only in there once, and it doesn't explicitly say that the name must tie out. The example shows them both named "web" without explaining.

I'll do a quick little PR to update those docs.

-B

Jay

Jun 5, 2018, 2:51:21 PM
to Vault

Now that I have been able to log in using certificates, I started noticing that the token generated after the login does not map to the correct policy, the one it was configured with.

Here is the sequence:
1. Create a new policy 
    vault policy write <friendly-policy-name> <policy-file>
2. Associate policy with a certificate 
    vault write auth/cert/certs/cert-id-name display_name=<friendly-policy-name> certificate=@certificate-file.pem
3. Login using the certificate: 
     vault login -method=cert -ca-cert=<ca-file> -client-cert=certificate-file.pem -client-key=key-file.pem name=cert-id-name (note this is the same as in auth/cert/certs/cert-id-name above, specified when associating the policy)

Login succeeds but it lists token_policies as [default] in the output. Shouldn't it have mapped to the above specified policy (<friendly-policy-name> in this case)? I double-checked by querying the token generated from the above login (vault token lookup <token>) and it also shows the default policy.

I am confused and this does not look right. What could I have missed?

Is there a way to list/print the certificate to policy associations list? One can list policies, list all entries under auth/cert/certs but I cannot see a way to get the following: 
auth/cert/certs/xxx maps to policy yyyy
.....

Basically something to check what was specified during "vault write auth/cert/certs/xxx display_name=yyyy certificate=@cert-file.pem"

thx
Jay

Becca Petrin

Jun 5, 2018, 3:51:36 PM
to Vault
Hi Jay,

Is https://www.vaultproject.io/api/auth/cert/index.html#read-ca-certificate-role what you're looking for? It includes policies for a given cert.

-B

Jay

Jun 5, 2018, 5:58:00 PM
to Vault
Thanks Becca. I had overlooked that. 

So I queried roles for the certificates that I had mapped some policy before using 
'curl --header "X-Vault-Token: <root-token>" https://vault-test.fqdn:8200/v1/auth/cert/certs/cert-name'

That comes back with a valid JSON response; however, it too lists the policies as empty (which is why the corresponding token gets mapped to default). When creating the policy mapping for the certificate, I had specified a valid/existing policy and that invocation had returned "Success! Data written to: auth/cert/certs/cert-name".

The cert-name is also valid and is listed in output of "vault list auth/cert/certs"

What gives? 

rgds, Jay  

Becca Petrin

Jun 5, 2018, 7:32:51 PM
to Vault
Hi Jay,

So in revisiting your earlier post, you associate a cert with a policy via:

vault write auth/cert/certs/cert-id-name display_name=<friendly-policy-name> certificate=@certificate-file.pem

In looking at the parameters listed in https://www.vaultproject.io/api/auth/cert/index.html#create-ca-certificate-role, I'm wondering if it could be that instead of using "display_name=<friendly-policy-name>", you might try "policies=somepolicy,anotherpolicy". I'm not sure if your example is literal or is more of a pseudo code sort of thing, but that might be it. If it is, you'd be just seeing what Vault defaults to providing when no policy is supplied.

-B

Jay

Jun 5, 2018, 8:10:24 PM
to Vault

Yikes! Apologies, that was a blunder on my part. At some point I forgot about the policies parameter, which I now realize should have been supplied. After specifying policies when creating the mapping it now correctly lists that policy when logging in using that certificate.

thanks for your help
Jay

Becca Petrin

Jun 6, 2018, 2:12:43 PM
to Vault
No worries, happens all the time! Glad you got it working! -B
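The whole procedure from this thread in one script, as an added example (not the poster's commands or code from the Vault project). It builds a throwaway CA, client certificate and policy file as constructed fixtures, then emulates the vault CLI's "@" handling locally so the "failed to parse certificate" mistake can be reproduced offline, and finally issues the Vault commands with all three fixes applied: "@" on certificate=, an explicit policies=, and the role name reused verbatim as name= at login. Assumptions: openssl is on PATH, VAULT_ADDR and VAULT_CACERT are already exported as in the original post, and the Vault steps only run when a vault binary and VAULT_ADDR are present.

```shell
#!/bin/sh
# Added example (not code from the thread or from Vault): end-to-end cert-auth setup
# that avoids the three mistakes worked through above: no "@" on certificate=, a
# forgotten policies=, and a login name= that does not match the role name under
# auth/cert/certs/. Assumes openssl is on PATH and VAULT_ADDR/VAULT_CACERT are set.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROLE="vault-client"        # role name under auth/cert/certs/ AND the login name=
POLICY="master-secrets"    # policy name used in the thread

# Generate a throwaway CA and a client certificate issued by it (constructed fixtures,
# not the poster's real certificates).
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=VaultCA" \
    -keyout "$WORK/VaultCA.key" -out "$WORK/VaultCA.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ROLE" \
    -keyout "$WORK/vault_client_key.pem" -out "$WORK/vault_client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/vault_client.csr" -CA "$WORK/VaultCA.pem" \
    -CAkey "$WORK/VaultCA.key" -CAcreateserial -days 1 \
    -out "$WORK/vault_client_cert.pem" >/dev/null 2>&1
  # Minimal policy the role will be mapped to (hypothetical path, read-only).
  printf 'path "secret/*" {\n  capabilities = ["read"]\n}\n' > "$WORK/$POLICY.hcl"
}

# Emulate how the vault CLI treats a key=value argument: a leading "@" means
# "send the file's contents"; anything else is sent to the API as a literal string.
cli_value() {
  case "$1" in
    @*) cat "${1#@}" ;;
    *)  printf '%s' "$1" ;;
  esac
}

# Returns 0 if the value Vault would receive for certificate= parses as a PEM cert.
# certificate=vault_client_cert.pem (no "@") sends the path itself, which is exactly
# what produced "failed to parse certificate" in the thread.
cert_param_parses() {
  cli_value "$1" | openssl x509 -noout >/dev/null 2>&1
}

# Returns 0 if the client certificate chains to the CA Vault trusts (VAULT_CACERT).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The Vault steps, in order. Note policies= on the role, "@" on the file, and the
# same $ROLE reused for name= at login. Reading the role back is the
# "what does auth/cert/certs/xxx map to" check asked for in the thread.
setup_cert_auth() {
  vault auth enable cert
  vault policy write "$POLICY" "$WORK/$POLICY.hcl"
  vault write "auth/cert/certs/$ROLE" display_name="$ROLE" policies="$POLICY" \
    certificate="@$WORK/vault_client_cert.pem"
  vault read -field=policies "auth/cert/certs/$ROLE"
  vault login -method=cert -ca-cert="$WORK/VaultCA.pem" \
    -client-cert="$WORK/vault_client_cert.pem" \
    -client-key="$WORK/vault_client_key.pem" name="$ROLE"
}

make_fixtures
chains_to_ca "$WORK/VaultCA.pem" "$WORK/vault_client_cert.pem"
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  setup_cert_auth
fi
```

Run it with VAULT_ADDR and VAULT_CACERT exported and a root token in VAULT_TOKEN; without a vault binary it still generates the fixtures and runs the local checks, so you can confirm that `cert_param_parses "@$WORK/vault_client_cert.pem"` succeeds while the same path without "@" fails before touching a live server. The `vault read -field=policies` line is the one to keep in any bootstrap script: an empty result there means the role was written without policies= and every login will land on default.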