Vault /pki/issue doesn't work


Mycraft Yue

Jan 23, 2018, 4:23:00 AM
to Vault
Hi guys,
Now I want to sign a certificate that I generated myself. First I made a JSON file which looks like this:
 
{
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICoDxxx\n-----END CERTIFICATE REQUEST-----",
"ip_sans": "127.0.0.1"
}

I post this json file to https://127.0.0.1:8200/v1/testpki/sign/superroot, then I got an error message: 

{"errors":["Unknown role: superroot"]}

But in fact I had created this role using root_token before this operation, so what happened?

Thanks

Jeff Mitchell

Jan 23, 2018, 10:06:11 AM
to Vault
Hi Mycraft,

Please share more details -- the exact commands you used would be helpful. Right now, based on the error message, the only thing I can suggest is the thing you say is not the problem: that the role was not actually created.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d76216ab-3e2b-4c16-8a77-4df5d4649024%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mycraft Yue

Jan 23, 2018, 10:11:08 PM
to Vault
Hi Jeff,

Nice to meet you again! First, thank you for helping me on GitHub a couple of days ago!

This time, I first created a token role with
curl --header "X-Vault-Token: $VAULT_TOKEN" --data @payload.json -X POST https://127.0.0.1:8200/v1/auth/token/roles/superroot
and payload.json looks like this:
{
"allowed_policies": ["root"],
"name": "superroot"
}
After these operations, I used curl to list the roles I have created, and I see there is a role named superroot.

Sincerely,
Mycraft

Jeff Mitchell

Jan 24, 2018, 11:13:14 AM
to Vault
Hi Mycraft,

Token roles are totally different from PKI roles! Every backend has its own notion of configuration; most use "roles" as a convention. But you must configure a PKI role in order to issue certificates against it. See https://www.vaultproject.io/api/secret/pki/index.html#create-update-role

Best,
Jeff

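The distinction Jeff draws above, worked through as an added example (not code from the thread, from HashiCorp, or from Vault's own tooling): create the role under the PKI mount rather than under auth/token/roles, confirm it shows up in the PKI backend's own role list, and only then sign the CSR against it. It assumes a Vault server at $VAULT_ADDR with a PKI backend mounted at "testpki" (the mount and the role name "superroot" come from the thread), a $VAULT_TOKEN allowed to manage that mount, a CSR whose common name falls under the role's allowed_domains, and jq installed for the live path; "example.com" is a constructed placeholder domain.

```shell
#!/bin/sh
# Added example (not from the thread or from HashiCorp): configure a PKI role on the
# "testpki" mount, verify it exists under <mount>/roles (not auth/token/roles), then
# sign a CSR against it. Assumes $VAULT_ADDR, $VAULT_TOKEN, a PKI mount named
# "testpki", and jq for the live path.

VAULT_ADDR="${VAULT_ADDR:-https://127.0.0.1:8200}"
PKI_MOUNT="${PKI_MOUNT:-testpki}"
ROLE="${ROLE:-superroot}"

# JSON body for POST /v1/<mount>/roles/<name>. The role is kept narrow on purpose:
# a domain allow-list and a bounded max_ttl instead of allow_any_name.
# "example.com" is a constructed placeholder passed in by the caller.
pki_role_payload() {
  printf '{"allowed_domains":["%s"],"allow_subdomains":true,"allow_ip_sans":true,"max_ttl":"72h","key_usage":["DigitalSignature","KeyEncipherment"]}' "$1"
}

# JSON body for POST /v1/<mount>/sign/<role>: the PEM CSR with its line breaks
# escaped as literal \n (the shape shown in the thread's payload) plus optional IP SANs.
sign_payload() {
  csr_file="$1"; ip_sans="$2"
  csr_escaped=$(awk 'NR>1{printf "%s","\\n"} {printf "%s",$0}' "$csr_file")
  printf '{"csr":"%s","ip_sans":"%s"}' "$csr_escaped" "$ip_sans"
}

# True when a LIST response ({"data":{"keys":[...]}}) contains the exact role name.
role_in_list() {
  printf '%s' "$1" | grep -q "\"$2\""
}

# Thin wrapper over the HTTP API; LIST is a Vault-specific verb that curl passes through.
vault_api() {
  method="$1"; path="$2"; body="${3:-}"
  if [ -n "$body" ]; then
    curl -sS -X "$method" --header "X-Vault-Token: $VAULT_TOKEN" --data "$body" "$VAULT_ADDR/v1/$path"
  else
    curl -sS -X "$method" --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/$path"
  fi
}

# Full flow: create the PKI role, check the PKI backend's role list (the check the
# thread's author ran against auth/token/roles instead), then sign the CSR.
issue_from_csr() {
  csr_file="$1"
  vault_api POST "$PKI_MOUNT/roles/$ROLE" "$(pki_role_payload example.com)" >/dev/null
  roles=$(vault_api LIST "$PKI_MOUNT/roles")
  if ! role_in_list "$roles" "$ROLE"; then
    echo "PKI role $ROLE missing under $PKI_MOUNT/roles: $roles" >&2
    return 1
  fi
  vault_api POST "$PKI_MOUNT/sign/$ROLE" "$(sign_payload "$csr_file" 127.0.0.1)" | jq -r '.data.certificate'
}

# The live path runs only on request: ./pki_sign.sh run request.csr
if [ "${1:-}" = "run" ]; then
  issue_from_csr "$2"
fi
```

A role lookup that returns `{"errors":["Unknown role: ..."]}` from `<mount>/sign/<role>` while `auth/token/roles` lists the name is exactly the symptom in the thread; checking `LIST <mount>/roles` before signing makes the mismatch visible immediately.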

Mycraft Yue

Jan 25, 2018, 1:53:31 AM
to Vault
Hi Jeff,

That helps a lot! It seems that every backend has its own role system in Vault! Thank you very much!

Best,
Mycraft