Raft join from CLI seems to be ignoring -tls-skip-verify #7269
Comments
I have the very same issue but not limited with that. The cluster is using the very same certificate on all the nodes. So that, I've tried to set When I checked what options I have with
I've also added I also added the CA to the trusted chain. While curl-ing the API is OK without
I've got the same error. But I don't use a self-signed certificate. Instead, I configure Vault nodes with a certificate chain (server certificate + root CA certificate).
Seems like this PR fixes the bug https://github.com/hashicorp/vault/pull/7393/files/81e2f5c310c2623f8af88ba5c93b538d44746e70
Whoa! Nice catch @krabradosty and thanks for the ping. On the PR, it seems tagged for the release 1.2.3 but still not in the CHANGELOG unfortunately. I'm pretty sure it will be released with the new version 🤞
* Add the ca cert to the root bundle with an initcontainer
  * this works around this issue: hashicorp/vault#7269
  * it also makes initial setup a little simpler because you don't need to pass the ca cert
* Provide the config as an environment variable; this seems cleaner to me than sed
* Run vault with dumb-init to catch zombies
* Add a sidecar to unseal vault
  * if there's no key provided, assume this is the first run and block
  * rather than adding logic to confirm if the server is up and sealed, wait a reasonable amount of time and then unseal; if it fails then rely on kube's retry logic rather than adding our own
Closing this since #7393 has been merged.
We were adding the vault ca cert to the root ca bundle for two reasons:
- To workaround this issue with raft join: hashicorp/vault#7269
- To make things simpler when manually bootstrapping vault by removing the need to specify the path to the ca cert on the command line
Now that we're automatically bootstrapping the cluster and the issue is fixed, we can get rid of it.
Describe the bug
When we have TLS enabled on a listener with a self-signed cert, we are unable to join the raft node due to a "certificate signed by unknown authority" error. It seems to be ignoring the -tls-skip-verify flag.
To Reproduce
[vault@Vault-002 ~]$ vault operator raft join -tls-skip-verify https://10.255.12.209:8200
Error joining the node to the raft cluster: Error making API request.
URL: POST https://127.0.0.1:8200/v1/sys/storage/raft/join
Code: 500. Errors:
Expected behavior
I expect it to trust the unknown authority and join the cluster
Environment:
vault status: 1.2.0
vault version: 1.2.0
Vault server configuration file(s):
Additional Info
I also tried setting VAULT_SKIP_VERIFY env variable with no luck
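As an added example (not code from this issue, from Vault, or from the commenters' projects), here is the join done the way the later comments converge on: trust the cluster's own CA explicitly instead of disabling verification with -tls-skip-verify or VAULT_SKIP_VERIFY. It assumes a vault CLI that supports -leader-ca-cert and curl on PATH; the leader address and CA path are placeholders.

```shell
#!/bin/sh
# Join a raft follower to a leader that presents a private-CA or self-signed
# certificate, keeping TLS verification on by supplying that CA explicitly.
set -u

# The CA file must exist and carry at least one PEM certificate block.
ca_pem_ok() {
  [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# VAULT_SKIP_VERIFY is parsed as a Go boolean by the CLI; treat any
# true-ish value as "verification disabled" and refuse to proceed.
insecure_env_set() {
  case "${VAULT_SKIP_VERIFY:-}" in
    1|t|T|true|TRUE|True) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the exact command that will be run, so it can be audited/logged.
raft_join_cmd() {
  printf 'vault operator raft join -leader-ca-cert=%s %s\n' "$2" "$1"
}

# join_raft_node LEADER_ADDR CA_FILE
join_raft_node() {
  leader_addr="$1"; ca_file="$2"
  if insecure_env_set; then
    echo "refusing: VAULT_SKIP_VERIFY is set; unset it and trust the CA instead" >&2
    return 2
  fi
  if ! ca_pem_ok "$ca_file"; then
    echo "refusing: $ca_file is not a PEM certificate bundle" >&2
    return 3
  fi
  # Pre-flight with the same CA: a failure here is a chain/CA problem, not a
  # raft problem. Status codes are remapped so a sealed leader still passes.
  curl -sSf --cacert "$ca_file" \
    "$leader_addr/v1/sys/health?standbyok=true&sealedcode=200&uninitcode=200" \
    >/dev/null || { echo "leader chain does not validate against $ca_file" >&2; return 4; }
  raft_join_cmd "$leader_addr" "$ca_file" >&2
  vault operator raft join -leader-ca-cert="$ca_file" "$leader_addr"
}

# Placeholder values; replace with the real leader and CA bundle path.
# join_raft_node https://10.255.12.209:8200 /etc/vault/ca.pem
```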