Hashicorp Vault fails to start when using Godaddy certificate
Question
I am trying to get the Hashicorp Vault UI to use HTTPS. I have a certificate from Godaddy which works on the same machine in apache2.
My vault.hcl file looks as follows
# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/godaddy_certs/123xxx321.crt"
tls_key_file = "/godaddy_certs/privatekey.key"
tls_disable = "false"
}
However, I read here that I cannot simply use the certificate that was provided by Godaddy. That reference says the following:
>To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.
Now I am assuming that the "primary certificate" referred to here is the 123xxx321.crt file that was provided from Godaddy. Godaddy also include a gd_bundle-g2-g1.crt file.
So I thought I could just create a new file called myVaultCert.crt and copy the PEM string from 123xxx321.crt which looks like this:
-----BEGIN CERTIFICATE-----
MIIG ... /0I=
-----END CERTIFICATE-----
into the top position and then afterwards copy the PEM string from the gd_bundle-g2-g1.crt file.
So myVaultCert.crt now looks something like
-----BEGIN CERTIFICATE-----
MIIG36F ... /0I=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADC ... v08=
-----END CERTIFICATE-----
I changed my vault.hcl config to look as follows:
# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/godaddy_certs/myVaultCert.crt"
tls_key_file = "/godaddy_certs/privatekey.key"
tls_disable = "false"
}
When I run sudo systemctl start vault.service
I get the following returned:
>Job for vault.service failed because the control process exited with error code.
See "systemctl status vault.service" and "journalctl -xe" for details.
When I check journalctl -xe
I see this
>Error initializing listener of type tcp: error loading TLS cert: decoded PEM is blank
So I went to Godaddy and saw there is a repository with links to root certificates, bundles, etc. I have tried to copy the certificate that was provided followed by several certificates found in that repository, but they all give me the same error.
What certificates must I concatenate so that I can use a Godaddy certificate with Hashicorp Vault?
I have looked at these questions already, but they do not seem to have the same issue as what I am experiencing.
64697238 | 48791816
Answer 1
Score: 0
> error loading TLS cert: decoded PEM is blank

is completely misleading. The problem was actually with my privatekey.key.
This is what I did to get Vault to work using a Godaddy certificate.
- I received a generated-private-key.txt when I set up the certificate on the Godaddy website.
- I then downloaded the zip file from Godaddy, which contained 3 files.
  - 123xxx321.crt
  - 123xxx321.pem
  - gd_bundle-g2-g1.crt
- I combined the primary certificate with the intermediate certificate into one file.
  cat 123xxx321.crt gd_bundle-g2-g1.crt > myCert.crt
- I removed the 4th certificate in the myCert.crt file.
  > The 4th certificate in this file is redundant - as it is a self-signed root certificate, so cannot link trust from one CA to another. Including it is not harmful, but does make every TLS connection setup slightly longer for no benefit.
- I copied the text out of the generated-private-key.txt file that was provided by Godaddy and pasted it into a myPrivateKey.pem file.
- I changed my vault.hcl file to look as follows:
  # HTTPS listener
  listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/myCert.crt"
  tls_key_file = "/godaddy_certs/myPrivateKey.pem"
  tls_disable_client_certs = "true" # <-- Still checking if this is necessary
  }
- Started Vault:
  sudo systemctl start vault.service
Voilà! ... It started with no errors. I was able to browse to the correct URL and I can see that it is secured by Godaddy.
Hope this helps someone. I know I will need to refer to it in the future again!
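Before pointing a TLS listener at a hand-assembled bundle it is worth linting the two files for exactly the problems the thread above runs into: a PEM block whose body decodes to nothing, a bundle whose certificates are in the wrong order, a trailing self-signed root that adds nothing, and a key file that does not actually contain a private key. The script below is an added example, not code from the original post and not Vault's own loader; it uses only the Python standard library and walks just enough DER (Certificate -> TBSCertificate -> issuer/subject Name) to compare names byte-for-byte. The fixtures at the bottom are constructed certificate-shaped blobs with no key or signature, labelled as such, and the assumption that an empty PEM body is the kind of input behind an error like the one quoted is mine, not something the post states.

```python
"""Lint a PEM certificate bundle and key file before handing them to a TLS listener.

Added example (not from the original post, not Vault's code). Standard library only.
"""
import base64
import re

# One PEM block: label, base64 body (possibly empty), matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)]; der_bytes is b'' when the body is empty or not base64."""
    out = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            der = b""
        out.append((label, der))
    return out


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_names(der):
    """Return (issuer, subject) as raw Name bytes of an X.509 certificate.

    Assumes the standard layout Certificate{TBSCertificate{[0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, ...}, ...}.
    """
    try:
        tag, cert, _ = _tlv(der, 0)
        tag2, tbs, _ = _tlv(cert, 0)
        if tag != 0x30 or tag2 != 0x30:
            raise ValueError("not a SEQUENCE")
        fields, pos = [], 0
        while pos < len(tbs) and len(fields) < 6:
            t, v, pos = _tlv(tbs, pos)
            fields.append((t, v))
        if fields and fields[0][0] == 0xA0:   # optional [0] EXPLICIT version
            fields.pop(0)
        # serialNumber, signature, issuer, validity, subject
        if len(fields) < 5 or fields[2][0] != 0x30 or fields[4][0] != 0x30:
            raise ValueError("unexpected TBSCertificate layout")
        return fields[2][1], fields[4][1]
    except IndexError:
        raise ValueError("truncated DER") from None


def lint_chain(cert_pem, key_pem):
    """Return a list of findings; an empty list means the files look sane."""
    findings, certs = [], []
    for i, (label, der) in enumerate(pem_blocks(cert_pem)):
        if label != "CERTIFICATE":
            findings.append(f"cert block {i}: unexpected PEM label {label!r}")
        elif not der:
            findings.append(f"cert block {i}: PEM body is blank or not valid base64")
        else:
            try:
                certs.append(cert_names(der))
            except ValueError as e:
                findings.append(f"cert block {i}: not parseable as X.509 ({e})")
    if not certs:
        findings.append("cert file: no usable CERTIFICATE block")
    # Each certificate must be issued by the one that follows it (leaf first).
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            findings.append(f"cert {i} is not issued by cert {i + 1}: chain out of order or wrong bundle")
    if len(certs) > 1 and certs[-1][0] == certs[-1][1]:
        findings.append(f"cert {len(certs) - 1} is self-signed (root): redundant, drop it")
    keys = pem_blocks(key_pem)
    if len(keys) != 1:
        findings.append(f"key file: expected exactly one PEM block, found {len(keys)}")
    elif not keys[0][0].endswith("PRIVATE KEY"):
        findings.append(f"key file: PEM label {keys[0][0]!r} is not a private key")
    elif not keys[0][1]:
        findings.append("key file: PEM body is blank or not valid base64")
    return findings


# ---- constructed fixtures (certificate-shaped DER, NOT real certificates) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject, issuer):
    """Constructed: version, serial, empty sigalg, issuer, empty validity, subject."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("vault.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
BLANK = "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nAAEC\n-----END PRIVATE KEY-----\n"   # constructed, not a real key

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as c, open(sys.argv[2]) as k:
        print("\n".join(lint_chain(c.read(), k.read()) or ["OK"]))
```

Run it as `python3 lint_chain.py myCert.crt myPrivateKey.pem`. It deliberately stops short of cryptography: to confirm the key really belongs to the leaf, compare `openssl x509 -in myCert.crt -noout -pubkey` with `openssl pkey -in myPrivateKey.pem -pubout`, and use `openssl verify -CAfile <root> -untrusted <intermediate> <leaf>` to check the signatures along the chain.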
Comments