This repository has been archived by the owner on Jan 8, 2024. It is now read-only.
It seems vault-gatekeeper fails to unseal correctly if the certificate is self-signed.
```
vault-gatekeeper unseal approle --auth-app-role $ROLE_ID --auth-app-secret $SECRET_ID --gatekeeper-addr https://localhost:9201
INFO[2019-09-03T22:37:43Z] Unsealing gatekeeper at https://localhost:9201
FATA[2019-09-03T22:37:44Z] Error communicating with gatekeeper: Post https://localhost:9201/unseal: x509: certificate is valid for *.service.consul, not localhost
```
I didn't see any option to bypass this
```
Usage:
  gatekeeper unseal [method] [flags]

Flags:
      --gatekeeper-addr string      The address to gatekeeper. (default "http://localhost:9201")
      --vault-token string          Unseal gatekeeper at startup with a Vault token. (default "8809671b-9701-867e-eb29-22a6ac69795d")
      --auth-token-wrapped string   Unseal gatekeeper at startup with a Vault token that is stored with a response wrapped temp token.
      --auth-app-role string        Unseal gatekeeper at startup with a Vault token retrieved using this app role.
      --auth-app-secret string      The app role secret_id to be used.
      --auth-aws-ec2                Unseal gatekeeper at startup using EC2 login.
      --auth-aws-iam string         Unseal gatekeeper at startup using IAM login.
      --auth-aws-nonce string       AWS-EC2 nonce for repeated authentication.
      --auth-gh-token string        Vault authorized github personal token.
  -h, --help                        help for unseal
```
Is it possible to add a --skip-tls-verify or similar option to unseal?
Do you mean that Vault's certificate is self-signed?
Edit: Actually I understand now. When the unseal CLI tool talks to gatekeeper, and gatekeeper's cert is self-signed, you get this error and you need a --skip-tls-verify flag to fix it.