This repository has been archived by the owner on May 23, 2019. It is now read-only.

How to use VAULT_SSL_CA / does it work? #31

Open
rlueckl opened this issue Dec 6, 2016 · 6 comments

Comments

@rlueckl

rlueckl commented Dec 6, 2016

Sorry for the noob question, but how do I use the setting "VAULT_SSL_CA"? My vault uses an internal CA for which I have the issuer certificate.

I started my Docker container like this:

docker run -p 80:80 -e VAULT_ADDR=https://vault.address.lan:8200/ -e AUTH_METHODS=LDAP -e VAULT_SSL_CA=/path/to/issuer_ca.crt nyxcharon/vault-ui:latest

But when I try to login, I get the following error on the console:

[pid: 24|app: 0|req: 1/2] xxx.xxx.xxx.xxx () {40 vars in 669 bytes} [Tue Dec  6 14:53:21 2016] GET /login?next=http%3A%2F%2Flocalhost%2F => generated 2571 bytes in 31 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)
Error logging in: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Also, you should check your README.md, it says:
"Full path to the SSL certificate authority used to verify VAUT_URL's cert when it uses https."
Should be:
"Full path to the SSL certificate authority used to verify VAULT_ADDR's cert when it uses https."

@nyxcharon
Owner

nyxcharon commented Dec 7, 2016

Are you bundling the cert for vault with your CA cert? There are separate settings for the cert vault uses along with its key. You appear to be only passing the CA cert which is used for verification and not the actual cert vault uses (VAULT_SSL_CERT).

These values are basically the same as what is used on the vault cli - VAULT_CAPATH, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY https://www.vaultproject.io/docs/commands/environment.html

VAULT_SSL_CERT - Full path to the SSL cert used for https support
VAULT_SSL_KEY - Full path to the SSL key used for the https support
VAULT_SSL_CA - Full path to the SSL certificate authority used to verify VAULT_ADDR's cert when it uses https.

@rlueckl
Author

rlueckl commented Dec 7, 2016

Sorry, I don't really understand what you mean. I'm trying to connect to a Vault. The Vault is not mine and therefore I don't have the SSL certificate and key. Why would I even need the SSL certificate and key of the Vault on client side?

I only have the Issuer's CA certificate so I can verify that the certificate which Vault is delivering is signed by the CA. (Just like any other HTTPS site on the Internet.)

@matthewmrichter

These options are for enabling SSL/https to the vault-ui URL, not for handshaking with the vault server, as far as I understand. The SSL handshake between vault-ui and vault is just handled as part of an https transaction, like how you visit https://github.com even though you don't have the SSL key, etc.

Try just not using the VAULT_SSL_CA parameter and see what happens. Or, if you need https for vault-ui specifically, find the domain cert, CA cert, and private key for the domain URL you will be accessing vault-ui at. If you're running it with localhost on a local docker container, don't worry about it.

@rlueckl
Author

rlueckl commented Dec 7, 2016

With VAULT_SSL_CA set to the CA cert or with VAULT_SSL_CA not set, I get:

[pid: 16|app: 0|req: 1/2] xxx.xxx.xxx.xxx () {40 vars in 669 bytes} [Tue Dec  6 14:56:34 2016] GET /login?next=http%3A%2F%2Flocalhost%2F => generated 2571 bytes in 32 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)
Error logging in: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

The only thing I can do is to use VAULT_SKIP_VERIFY=true.

According to the source code of vault-ui and hvac, "VAULT_SSL_CERT" and "VAULT_SSL_KEY" are used for client certificate based authentication (both are given to the Vault client connection). They are not used to make vault-ui reachable via HTTPS.

@matthewmrichter

Is the cert valid on the vault server?

@rlueckl
Author

rlueckl commented Dec 8, 2016

The certificate is valid, but it is signed by an internal CA.

I have the CA certificate in my /etc/ssl/certs directory, in /etc/ssl/certs/ca-certificates.crt and in the Firefox CA "repository". So basically any and all software which uses the "standard" CA locations on Linux will find the CA certificate and will be able to validate the Vault's certificate.

Since I don't know which CA location(s) Docker/vault-ui use I tried to use the VAULT_SSL_CA property and give the file directly.
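The thread turns on one question: does the CA file handed to the client actually let it verify a server certificate issued by an internal CA? The script below is an added example, not code from this issue or from the vault-ui or hvac projects. It constructs a throwaway two-level PKI with the `openssl` command-line tool (an internal CA that signs a server certificate for `localhost`), serves that certificate over TLS on loopback, and then probes it the way a Python/requests-based client does when given `verify=<cafile>`: once trusting the CA file, once with only the system trust store, and once with a CA path that does not exist on the filesystem the client sees. That third case is the one to rule out first in a container: a path given through an environment variable such as VAULT_SSL_CA is resolved inside the container, so the file has to be present there (bind-mounted, for example) before any CA setting can take effect. Assumed: `openssl` is on PATH; everything else is standard library. All certificate names and the `ca_file_missing` / `verified` result strings are constructed for this example.

```python
"""Probe a TLS endpoint the way a Python (requests/hvac) client verifies it.
Added example; assumes only the `openssl` CLI plus the standard library."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_internal_pki(workdir: str):
    """Build a constructed PKI: internal CA + server cert for `localhost`
    signed by it. Returns (ca_crt, srv_crt, srv_key) file paths."""
    p = lambda name: os.path.join(workdir, name)

    def openssl(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    def write(name, text):
        with open(p(name), "w") as fh:
            fh.write(text)
        return p(name)

    # Extensions are supplied explicitly so the result does not depend on
    # whichever openssl.cnf happens to be installed.
    ca_ext = write("ca_ext.cnf", "basicConstraints=critical,CA:TRUE\n"
                                 "keyUsage=critical,keyCertSign\n")
    srv_ext = write("srv_ext.cnf", "basicConstraints=CA:FALSE\n"
                                   "subjectAltName=DNS:localhost\n")  # SAN, not CN, is matched
    # Internal CA: key + CSR, self-signed with CA extensions.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", p("ca.key"),
            "-out", p("ca.csr"), "-subj", "/CN=Constructed Internal CA")
    openssl("x509", "-req", "-days", "1", "-in", p("ca.csr"), "-signkey", p("ca.key"),
            "-extfile", ca_ext, "-out", p("ca.crt"))
    # Server cert for localhost, issued by that CA (the "internal CA" case).
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", p("srv.key"),
            "-out", p("srv.csr"), "-subj", "/CN=localhost")
    openssl("x509", "-req", "-days", "1", "-in", p("srv.csr"), "-CA", p("ca.crt"),
            "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", srv_ext,
            "-out", p("srv.crt"))
    return p("ca.crt"), p("srv.crt"), p("srv.key")


class LoopbackTlsServer:
    """Minimal TLS listener on 127.0.0.1 presenting the server certificate."""

    def __init__(self, certfile: str, keyfile: str):
        self._ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self._ctx.load_cert_chain(certfile, keyfile)
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def serve(self, n: int) -> threading.Thread:
        """Accept `n` handshakes in the background, then close the listener."""
        def run():
            for _ in range(n):
                conn, _ = self._sock.accept()
                try:
                    with self._ctx.wrap_socket(conn, server_side=True):
                        pass  # handshake completed; nothing else to exchange
                except OSError:
                    pass  # client rejected our chain: expected when CA is untrusted
            self._sock.close()
        t = threading.Thread(target=run, daemon=True)
        t.start()
        return t


def probe_tls(host: str, port: int, cafile=None, server_hostname="localhost") -> str:
    """Connect and report the verification outcome. A CA file, when given,
    replaces the system trust store, exactly as requests' verify=<path> does."""
    if cafile is not None and not os.path.isfile(cafile):
        # Path is resolved where the client runs (inside the container).
        return "ca_file_missing"
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname):
                return "verified"
    except ssl.SSLCertVerificationError as exc:
        return exc.reason  # 'CERTIFICATE_VERIFY_FAILED', the string seen in the log


def run_demo() -> dict:
    """Exercise the three outcomes against the constructed internal PKI."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_crt, srv_crt, srv_key = make_internal_pki(workdir)
        server = LoopbackTlsServer(srv_crt, srv_key)
        worker = server.serve(2)  # the missing-path probe never connects
        results = {
            "with_internal_ca": probe_tls("127.0.0.1", server.port, cafile=ca_crt),
            "system_store_only": probe_tls("127.0.0.1", server.port),
            "missing_ca_path": probe_tls("127.0.0.1", server.port,
                                         cafile=os.path.join(workdir, "not-mounted.crt")),
        }
        worker.join(timeout=10)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:>18}: {outcome}")
```

Running it prints `verified` for the CA-file probe, `CERTIFICATE_VERIFY_FAILED` for the system-store probe (the internal CA is simply unknown there), and `ca_file_missing` for the unmounted path. Pointing `probe_tls` at a real Vault address with the CA file that was mounted into the container separates "the CA file is wrong" from "the CA file is not where the client looks" without involving vault-ui at all.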
