Hashicorp Vault fails to start when using Godaddy certificate

huangapple | go | 57 comments

Question

I am trying to get the Hashicorp Vault UI to use HTTPS. I have a certificate from Godaddy which works on the same machine in apache2.

My vault.hcl file looks as follows

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/123xxx321.crt"
  tls_key_file = "/godaddy_certs/privatekey.key"
  tls_disable = "false"
}

However I read here that I cannot simply use the certificate that was provided by Godaddy. That reference says the following:

>To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.

Now I am assuming that the "primary certificate" referred to here is the 123xxx321.crt file that was provided from Godaddy. Godaddy also includes a gd_bundle-g2-g1.crt file.

So I thought I could just create a new file called myVaultCert.crt and copy the PEM string from 123xxx321.crt which looks like this:

-----BEGIN CERTIFICATE-----
MIIG ... /0I=
-----END CERTIFICATE-----

into the top position and then afterwards copy the PEM string from the gd_bundle-g2-g1.crt file.

So myVaultCert.crt now looks something like

-----BEGIN CERTIFICATE-----
MIIG36F ... /0I=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADC ... v08=
-----END CERTIFICATE-----

I change my vault.hcl config to look as follows:

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/myVaultCert.crt"
  tls_key_file = "/godaddy_certs/privatekey.key"
  tls_disable = "false"
}

When I run sudo systemctl start vault.service I get the following returned:

>Job for vault.service failed because the control process exited with error code.
See "systemctl status vault.service" and "journalctl -xe" for details.

When I check journalctl -xe I see this

>Error initializing listener of type tcp: error loading TLS cert: decoded PEM is blank

So I went to Godaddy and saw there is a repository with links to root certificates and bundles etc etc. I have tried to copy the certificate that was provided followed by several certificates found in that repository but they all give me the same error.

What certificates must I concatenate so that I can use a Godaddy certificate with Hashicorp Vault?

I have looked at these questions already but they do not seem to have the same issue as what I am experiencing.
64697238 | 48791816


Answer 1

Score: 0

> error loading TLS cert: decoded PEM is blank

is completely misleading. The problem was actually with my privatekey.key.

This is what I did to get Vault to work using a godaddy certificate.

  1. I received a generated-private-key.txt when I set up the certificate on the Godaddy website.
  2. I then downloaded the zip file from Godaddy which contained 3 files.
    • 123xxx321.crt
    • 123xxx321.pem
    • gd_bundle-g2-g1.crt
  3. I combined the primary certificate with the intermediate certificate into one file.

cat 123xxx321.crt gd_bundle-g2-g1.crt > myCert.crt

  4. I removed the 4th certificate in the myCert.crt file.
    >The 4th certificate in this file is redundant - as it is a self-signed root certificate, so cannot link trust from one CA to another. Including it is not harmful, but does make every TLS connection setup slightly longer for no benefit.
  5. I copied the text out of the generated-private-key.txt file that was provided from Godaddy and pasted it into a myPrivateKey.pem file.
  6. I changed my vault.hcl file to look as follows:

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/myCert.crt"
  tls_key_file = "/godaddy_certs/myPrivateKey.pem"
  tls_disable_client_certs = "true" # <-- Still checking if this is necessary
}

  7. Started vault: sudo systemctl start vault.service

Voila! ... It started with no errors. I was able to browse to the correct url and I can see that it is secured by Godaddy.

Hope this helps someone. I know I will need to refer to it in the future again!
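An added example, not code from the question, the answer or Vault itself: a small Go checker that performs the verification the answer's steps imply, run on the combined certificate file and the key before Vault loads them. It counts the certificates, confirms the primary certificate comes first with each one signed by the next, flags a self-signed root at the end (the redundant 4th certificate the answer removed) and pairs the key with the leaf through crypto/tls, the standard-library path a Go server such as Vault loads its listener certificate with; DemoChain, its ed25519 keys and the CA/leaf it generates are constructed stand-ins for the GoDaddy files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// CheckVaultTLSFiles inspects a combined tls_cert_file plus its tls_key_file: certificate
// count, issuer order (primary first, as Vault's docs require), self-signed tail, key pairing.
func CheckVaultTLSFiles(certPEM, keyPEM []byte) (n int, ordered, trailingRoot, keyOK bool, err error) {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(certPEM); blk != nil; blk, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(blk.Bytes)
		if perr != nil {
			return 0, false, false, false, perr // e.g. a key block pasted into the cert file
		}
		certs = append(certs, c)
	}
	// crypto/tls pairing check; unlike a bare "decoded PEM is blank", its error names the bad file.
	_, kerr := tls.X509KeyPair(certPEM, keyPEM)
	if n = len(certs); n == 0 {
		return 0, false, false, false, kerr
	}
	ordered = true
	for i := 0; i+1 < n; i++ {
		ordered = ordered && certs[i].CheckSignatureFrom(certs[i+1]) == nil
	}
	trailingRoot = certs[n-1].CheckSignatureFrom(certs[n-1]) == nil // the redundant 4th cert
	return n, ordered, trailingRoot, kerr == nil, nil
}

// DemoChain constructs a self-signed CA and a leaf it signs (stand-ins for the GoDaddy files).
func DemoChain() (leafPEM, caPEM, keyPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	// Fixed templates encode reliably (errors dropped); the CA template doubles as the leaf's parent.
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	toPEM := func(typ string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}) }
	return toPEM("CERTIFICATE", leafDER), toPEM("CERTIFICATE", caDER), toPEM("PRIVATE KEY", keyDER)
}
```

Run it on real files by reading them with os.ReadFile and passing the bytes to CheckVaultTLSFiles; a false keyOK with a clean certificate report points at the key file, which is where the answer found its problem.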

huangapple
  • Published on 17 May 2023 21:36:59
  • Please keep this link when reposting: https://go.coder-hub.com/76272733.html