I am trying to get the Hashicorp Vault UI to use HTTPS. I have a certificate from Godaddy which works on the same machine in apache2.
My vault.hcl file looks as follows
# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/123xxx321.crt"
  tls_key_file  = "/godaddy_certs/privatekey.key"
  tls_disable   = "false"
}
However, I read here that I cannot simply use the certificate that was provided by Godaddy. That reference says the following:
To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.
Now I am assuming that the "primary certificate" referred to here is the 123xxx321.crt file that was provided by Godaddy. Godaddy also includes a gd_bundle-g2-g1.crt file.
So I thought I could just create a new file called myVaultCert.crt and copy the PEM string from 123xxx321.crt which looks like this:
-----BEGIN CERTIFICATE-----
MIIG ... /0I=
-----END CERTIFICATE-----
into the top position and then afterwards copy the PEM string from the gd_bundle-g2-g1.crt file.
So myVaultCert.crt now looks something like
-----BEGIN CERTIFICATE-----
MIIG36F ... /0I=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADC ... v08=
-----END CERTIFICATE-----
I change my vault.hcl config to look as follows:
# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/godaddy_certs/myVaultCert.crt"
  tls_key_file  = "/godaddy_certs/privatekey.key"
  tls_disable   = "false"
}
When I run sudo systemctl start vault.service
I get the following returned:
Job for vault.service failed because the control process exited with error code. See "systemctl status vault.service" and "journalctl -xe" for details.
When I check journalctl -xe
I see this
Error initializing listener of type tcp: error loading TLS cert: decoded PEM is blank
So I went to Godaddy and saw there is a repository with links to root certificates and bundles etc. I have tried to copy the certificate that was provided followed by several certificates found in that repository, but they all give me the same error.
What certificates must I concatenate so that I can use a Godaddy certificate with Hashicorp Vault?
I have looked at these questions already, but they do not seem to have the same issue as what I am experiencing. 64697238 | 48791816
error loading TLS cert: decoded PEM is blank
is completely misleading. The problem was actually with my privatekey.key.
This is what I did to get Vault to work using a godaddy certificate.
cat 123xxx321.crt gd_bundle-g2-g1.crt > myCert.crt
The 4th certificate in this file is redundant, as it is a self-signed root certificate, so it cannot link trust from one CA to another. Including it is not harmful, but it does make every TLS connection setup slightly longer for no benefit.
5. I copied the text out of the generated-private-key.txt file that was provided by Godaddy and pasted it into a myPrivateKey.pem file.
6. I changed my vault.hcl file to look as follows:
# HTTPS listener
listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_cert_file            = "/godaddy_certs/myCert.crt"
  tls_key_file             = "/godaddy_certs/myPrivateKey.pem"
  tls_disable_client_certs = "true" # <-- Still checking if this is necessary
}
sudo systemctl start vault.service
Voila! ... It started with no errors. I was able to browse to the correct URL and I can see that it is secured by Godaddy.
Hope this helps someone. I know I will need to refer to it in the future again!
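Since the listener's error message pointed at the certificate while the real fault was the key file, a structural check of both files before starting Vault would have shortened the hunt. The following is an added example, not code from the question, the answer or the Vault project; it uses only the Python standard library, and the sample PEM blocks in it are constructed from a minimal DER SEQUENCE rather than real Godaddy certificates. The file names in the `__main__` block are assumptions, not output from Vault.

```python
"""Structural lint for the two files a Vault "tcp" listener reads:
tls_cert_file (leaf certificate first, then intermediates) and tls_key_file
(exactly one private key). It only checks PEM/DER framing with the standard
library; it does not validate signatures or confirm the key matches the leaf."""
import base64
import binascii
import re
import sys

# One PEM block: label, base64 body (possibly empty), and a matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem_blocks(text):
    """Return (label, der) per block; der is None when the body is not valid base64."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None
        blocks.append((label, der))
    return blocks


def der_framing_ok(der):
    """True if der is one complete ASN.1 SEQUENCE (tag 0x30) whose encoded
    length equals the bytes present. A blank or truncated block fails here."""
    if der is None or len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def lint_listener_files(cert_text, key_text):
    """Return a list of problems; an empty list means both files are well-framed."""
    problems = []
    certs = split_pem_blocks(cert_text)
    if not certs:
        problems.append("tls_cert_file: no PEM block found")
    for i, (label, der) in enumerate(certs):
        if label != "CERTIFICATE":
            problems.append(f"tls_cert_file: block {i} is {label}, not CERTIFICATE")
        elif not der_framing_ok(der):
            problems.append(f"tls_cert_file: block {i} is blank, truncated or not base64")
    keys = split_pem_blocks(key_text)
    if len(keys) != 1:
        problems.append(f"tls_key_file: expected one PEM block, found {len(keys)}")
    else:
        label, der = keys[0]
        if label not in PRIVATE_KEY_LABELS:
            problems.append(f"tls_key_file: block is {label}, not a private key")
        elif not der_framing_ok(der):
            problems.append("tls_key_file: key block is blank, truncated or not base64")
    return problems


def pem_block(label, der):
    """Wrap raw DER bytes in PEM armour (used to build the constructed samples below)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed sample input: a minimal DER SEQUENCE stands in for real certificate
# and key bodies, since only framing is checked here.
TINY_DER = b"\x30\x03\x02\x01\x01"
GOOD_CHAIN = pem_block("CERTIFICATE", TINY_DER) * 2          # leaf + intermediate
GOOD_KEY = pem_block("RSA PRIVATE KEY", TINY_DER)
BLANK_CHAIN = pem_block("CERTIFICATE", TINY_DER) + pem_block("CERTIFICATE", b"")
KEY_IS_A_CERT = pem_block("CERTIFICATE", TINY_DER)           # wrong file pasted as the key

if __name__ == "__main__":
    # Hypothetical invocation: python lint_pem.py myCert.crt myPrivateKey.pem
    cert_path, key_path = sys.argv[1], sys.argv[2]
    with open(cert_path) as c, open(key_path) as k:
        for line in lint_listener_files(c.read(), k.read()) or ["OK"]:
            print(line)
```

Saved as, say, lint_pem.py and run against the files from the answer, it confirms that every block is non-blank, correctly base64-encoded and a complete DER structure, and that the key file holds exactly one private key. It does not check that the key belongs to the leaf or that the chain is ordered leaf, intermediate, root; `openssl verify -CAfile gd_bundle-g2-g1.crt 123xxx321.crt` covers the chain, and comparing `openssl x509 -noout -modulus -in` on the leaf with `openssl rsa -noout -modulus -in` on the key covers the key match.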