Use cURL to POST PEM certificates to Vault


Yarden Bar

Jun 28, 2018, 4:57:50 AM
to Vault
Hi all,
Before jumping in I'd like to say that I did my searching, research and experiments and still failed.
Appreciate your help :)

This sounds trivial, but I can't POST PEM certificates to auth/kubernetes/config .
Getting:
{"errors":["data does not contain any valid RSA or ECDSA public keys"]}

Example cURL:
VAULT_HOST/v1/auth/kubernetes/config -d@/tmp/k8s-vault

Example payload:
{"kubernetes_host": "K8S_HOST", "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----MIIDUjCCAjqgAwIBAgIUMM05pORHDwRwvDWywHq+NsJgjpcwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAxMUazhzIFBLSSBzZWNyZXQgc3RvcmUwHhcNMTgwNjI4MDU1MjE2WhcNMTkwNjI4MDU1MjQ2WjAfMR0wGwYDVQQDExRrOHMgUEtJIHNlY3JldCBzdG9yZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANNAe6SxRFKLC7QkPfXcLF2XiqShB74NBZH3FhYvRDr8RDsRCllpdoc3FrAsGDwzHayk36P+X/m0IFE+BRhG9AsxP6CyYT7qHNvLyUFzVZdYVj6TOY4g1rTG6+0tSXNnIMsszhzE8fKxg5arogmMeJ1ucpvVezvmRdwv0Z1OOQHxTcypwzdP6v1tg9VYiIauGtr+94ZBGhbVU89m885bkJUrJAWyYi1oxUfKWK+CfFybm4sucSlXzB7JkqIIpJAHzbvLFkL6akw4WgtOuKz+BwJydvhHTlicPavnwpISm9OKD7173NXOOgWmW2tCRKD7F8+zF2EZkN+TSUrC3XyfcnsCAwEAAaOBhTCBgjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUcRosvIStdJq9CSjlKipeuwAIjIwwHwYDVR0jBBgwFoAUcRosvIStdJq9CSjlKipeuwAIjIwwHwYDVR0RBBgwFoIUazhzIFBLSSBzZWNyZXQgc3RvcmUwDQYJKoZIhvcNAQELBQADggEBALokC3eFZi+sJuYhcTNTZlUMyVX1Azu8VIrFV0egAMLPr087Oqroki9WRLyNWHnJJ6YhLKFEGmrSmugfQJfsVYikCE2Gaw323ZAXe3ogkd7V6lHh/J0QKNxVSqq9xAWqh2mjMFjSXHjYGC6jMb4gskSmgG+3UNo7ZylaHYaZDMbHTcVoWUBJPG0lr8M2VFpJp1T2D4j6xv+wIblrzsb3/EVrQ3FrQNpjhKi/rQL4zc5wg7DeonGnzEEAoASSb6QC7uY1I2fCub2aQ2QByxD72O7arREVGc5wgnAD5o/e4Vmj3UaOMwhGqoRzsJm3mAXgtx8yTxmugfru6p5B5vs1iAU=-----END CERTIFICATE-----", "pem_keys":"-----BEGIN CERTIFICATE----- MIIDuzCCAqOgAwIBAgIUSc1tbAvjeXujSsFymdRy67QrPO4wDQYJKoZIhvcNAQEL BQAwHzEdMBsGA1UEAxMUazhzIFBLSSBzZWNyZXQgc3RvcmUwHhcNMTgwNjI4MDU1 MjIxWhcNMTgxMjI1MDU1MjUxWjB5MSQwDQYDVQQKEwZWTXdhcmUwEwYDVQQKEwx0 b2tlbi1zaWduZXIxOzAXBgNVBAsTEENsb3VkIE1hbmFnZW1lbnQwIAYDVQQLExlD bG91ZCBTZXJ2aWNlcyBPcGVyYXRpb25zMRQwEgYDVQQDEwt0b2tlbnNpZ25lcjCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN85q9kOOKaC5siOdkvrfRBh DuqWsw4hktJIzHnaQmXEfn0yIDSRJcL/bJEdCLpyg4fhqagYO+RUt/RcAnsoLVMi uYqpHxHKIMJgm7PUmyAH+huu9fAv1zE0h2r15Rp3qnygZohPZblTJFC6+VPppQRz UzOf5SXY6cz1D8B9URNUDOtz4xzdDq0av2kBdtpSY//VQApV+5Nylxx+JIBzM/Dd ig/RCEH3arIfsQ/ZmQaFOoLdpqgPXBXZAeq4Z4mcDUcMyrnjrY7scG1P0B0/2Kus 
BbQKnvxJ0Ghsu/5+p/dxfZ5467a6erlYgPofZXYyfynS4F1ZUnF2XQlG5nwT/CsC AwEAAaOBlDCBkTAOBgNVHQ8BAf8EBAMCA6gwJwYDVR0lBCAwHgYIKwYBBQUHAwEG CCsGAQUFBwMCBggrBgEFBQcDAzAdBgNVHQ4EFgQU5/dO/8Q9em2wLZb1ySiGJzCS NaowHwYDVR0jBBgwFoAUcRosvIStdJq9CSjlKipeuwAIjIwwFgYDVR0RBA8wDYIL dG9rZW5zaWduZXIwDQYJKoZIhvcNAQELBQADggEBAAtQktlxcQbxS+WqBVAWpQA0 7/1V+U+QNxkCoK+4dekss/LzQUoGAGLfnaTDMa5UXl7gu9DGfI9GvcN6p0tW/9ay F7ENpOtJHjVvd5MyuIkV2xoaRebltUnPZ6O2AfCa9prJvCetc0UHpe5Wo5BZuArU G1PAdSOIiwGNiQp9vmqJbw9YljCnj1QNOQRlJM6j87BDarBdb3jsONiWh5VHwLii xltNrZ9by9jjH7grfqjJ8/c1PlJjUrhcZGEsadVVx6pOKcW8b8dDWHkRwNuJRpiA QPVdKBLeXFvWC5tUAgQSmU2OfokKTURospCCkzGSIkosJmyXNrgtcBd9ZwNUouI= -----END CERTIFICATE-----"}

I've validated the JSON object using jq utility.

Thank you in advance,
Yarden

Jeff Mitchell

Jun 28, 2018, 6:00:02 AM
to Vault
Hi there,

You are missing newlines between the data and the begin/end blocks. These are mandatory for PEM. You need to add them in, escaped (`\n`).

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/63649e33-c76d-4b0e-a289-4c7b4d0888ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
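Jeff's fix, as an added example that is not code from the thread or from Vault itself: a small POSIX shell helper that escapes each PEM line break as `\n`, checks that the BEGIN/END armour lines sit on lines of their own (the shape Jeff's reply points at), and assembles the auth/kubernetes/config body. The host name, file names and certificate bodies below are constructed stand-ins.

```shell
# Added example (not from the thread). All file names, the host and the
# base64 bodies are constructed stand-ins, not real certificates.

# Emit a PEM file as a JSON string literal with one "\n" per line break, so the
# armour lines are still on their own lines once Vault decodes the JSON.
# PEM armour is base64 and dashes only, so no other JSON escaping is required.
pem_to_json_string() {
  out="" first=1
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$first" = 1 ]; then out="$line"; first=0; else out="$out\\n$line"; fi
  done < "$1"
  printf '"%s"' "$out"
}

# Reject a PEM blob whose BEGIN/END lines are not on lines of their own, the
# shape that made Vault answer "data does not contain any valid RSA or ECDSA
# public keys" in the original post.
pem_has_line_breaks() {
  grep -qx -e '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -qx -e '-----END CERTIFICATE-----' "$1"
}

# $1 Kubernetes API host, $2 cluster CA PEM file, $3 token-signer PEM file.
# pem_keys is documented by Vault as a list, hence the JSON array.
build_k8s_auth_payload() {
  pem_has_line_breaks "$2" && pem_has_line_breaks "$3" || return 1
  printf '{"kubernetes_host": "%s", "kubernetes_ca_cert": %s, "pem_keys": [%s]}\n' \
    "$1" "$(pem_to_json_string "$2")" "$(pem_to_json_string "$3")"
}

# Constructed sample files: the bodies are dummy base64 text, not real certificates.
write_good_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQUFB' 'QkJCQkJCQkJCQkJC' \
    '-----END CERTIFICATE-----' > "$1"
}
# The shape from the original post: body jammed against the armour on one line.
write_bad_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----QUFBQUFBQUFBQUFBQkJCQkJCQkJCQkJC-----END CERTIFICATE-----' > "$1"
}

dir=$(mktemp -d)
write_good_pem "$dir/ca.crt"; write_good_pem "$dir/signer.crt"; write_bad_pem "$dir/oneline.crt"
build_k8s_auth_payload https://k8s.example.internal:6443 "$dir/ca.crt" "$dir/signer.crt"
pem_has_line_breaks "$dir/oneline.crt" || echo "oneline.crt: armour lines not on their own lines; Vault will reject it"
# Posting it the way the thread does, with the body read from stdin:
#   build_k8s_auth_payload "$K8S_HOST" ca.crt signer.crt |
#     curl -H "X-Vault-Token: $VAULT_TOKEN" -X POST -d @- "$VAULT_ADDR/v1/auth/kubernetes/config"
rm -rf "$dir"
```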

Yarden Bar

Jun 28, 2018, 6:14:38 AM
to Vault
Hi Jeff,
Thank you for your quick reply,

In one of my tests, I generated the JSON object using:
{"kubernetes_host": "K8S_HOST", "kubernetes_ca_cert": "$(cat /path/to/k8s/ca.crt)", "pem_keys": "$(cat /path/to/token/signer.crt)"}
Then I got EOF errors.

How do I properly format the JSON object?

Tony Carter

Jun 28, 2018, 9:14:45 AM
to Vault
Yarden,

I base64 encode/decode the cert so I don't have to worry about the newlines.

* generate a temp cert
openssl req -subj '/CN=domain.com/O=My Company Name LTD./C=US' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

* add cert to environment variable
linux: CERT=$(base64 -w0 server.crt)
mac: CERT=$(base64 -i server.crt)

* add it to vault
curl -s -k -H "Content-Type: application/json" -H "X-Vault-Token: $VAULT_TOKEN" -X POST -d "{\"value\":\"$CERT\"}" $VAULT_ADDR/v1/secret/test/server

* read it back
linux: curl -s -k -H "Content-Type: application/json" -H "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/secret/test/server  | jq -r '.data.value'  | base64 -d
mac: curl -s -k -H "Content-Type: application/json" -H "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/secret/test/server  | jq -r '.data.value'  | base64 -D

Yarden Bar

Jun 28, 2018, 9:20:05 AM
to Vault
Thank you, Tony, for the detailed reply.

I'll experiment and report back.

TTYL,
Yarden

Roee Landesman

Jul 10, 2018, 1:09:16 PM
to Vault
Tagging in here... thank you for this thread! Saved me a lot of headaches :) 