DaspawnW/vault-crd

Issues with Vault running HTTPS

Closed this issue · 1 comments

Hi,

My vault is running on an https setup. I don't see any doc related to how to set up vault-crd with accessing vault in https.

Is there any flag which has to be set in the deployment file. Kindly help on the same.

Or is there any native path or trust store in kubernetes where I can upload the vault cert and make the connection working.

Below is the error.

kubectl logs vault-crd-756ffc95bf-vv5jb -n vault-crd

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.2.4.RELEASE)

2020-06-08 16:59:44.315 INFO 1 --- [ main] de.koudingspawn.vault.VaultApplication : Starting VaultApplication v0.0.1-SNAPSHOT on vault-crd-756ffc95bf-vv5jb with PID 1 (/opt/vault-crd.jar started by root in /opt)
2020-06-08 16:59:44.319 INFO 1 --- [ main] de.koudingspawn.vault.VaultApplication : No active profile set, falling back to default profiles: default
2020-06-08 16:59:46.423 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2020-06-08 16:59:46.440 INFO 1 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2020-06-08 16:59:46.440 INFO 1 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.30]
2020-06-08 16:59:46.512 INFO 1 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2020-06-08 16:59:46.512 INFO 1 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 2124 ms
2020-06-08 16:59:47.031 INFO 1 --- [ main] o.s.s.c.ThreadPoolTaskScheduler : Initializing ExecutorService 'vaultThreadPoolTaskScheduler'
2020-06-08 16:59:48.820 INFO 1 --- [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 1 endpoint(s) beneath base path '/actuator'
2020-06-08 16:59:48.907 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2020-06-08 16:59:48.914 INFO 1 --- [ main] de.koudingspawn.vault.VaultApplication : Started VaultApplication in 5.197 seconds (JVM running for 5.867)
2020-06-08 16:59:49.061 INFO 1 --- [//10.96.0.1/...] d.koudingspawn.vault.kubernetes.Watcher : Received action: ADDED for sample-vault in namespace default
2020-06-08 16:59:49.212 WARN 1 --- [//10.96.0.1/...] o.s.v.a.LifecycleAwareSessionManager : Cannot enhance VaultToken to a LoginToken: Token self-lookup failed; nested exception is org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://192.168.142.164:8200/v1/auth/token/lookup-self": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-06-08 16:59:49.239 ERROR 1 --- [//10.96.0.1/...] d.k.vault.kubernetes.EventHandler : Failed to generate secret for vault resource sample-vault in namespace default failed with exception:

de.koudingspawn.vault.vault.communication.SecretNotAccessibleException: Couldn't communicate with vault
at de.koudingspawn.vault.vault.VaultCommunication.createPki(VaultCommunication.java:55) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.vault.impl.PkiSecretGenerator.generateSecret(PkiSecretGenerator.java:25) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.vault.VaultService.generateSecret(VaultService.java:18) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.EventHandler.addHandler(EventHandler.java:27) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.Watcher$1.eventReceived(Watcher.java:47) [classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.Watcher$1.eventReceived(Watcher.java:40) [classes!/:0.0.1-SNAPSHOT]
at io.fabric8.kubernetes.client.utils.WatcherToggle.eventReceived(WatcherToggle.java:49) [kubernetes-client-4.9.0.jar!/:na]
at io.fabric8.kubernetes.client.dsl.internal.WatchConnectionManager$1.onMessage(WatchConnectionManager.java:237) [kubernetes-client-4.9.0.jar!/:na]
at okhttp3.internal.ws.RealWebSocket.onReadMessage(RealWebSocket.java:322) [okhttp-3.14.6.jar!/:na]
at okhttp3.internal.ws.WebSocketReader.readMessageFrame(WebSocketReader.java:219) [okhttp-3.14.6.jar!/:na]
at okhttp3.internal.ws.WebSocketReader.processNextFrame(WebSocketReader.java:105) [okhttp-3.14.6.jar!/:na]
at okhttp3.internal.ws.RealWebSocket.loopReader(RealWebSocket.java:273) [okhttp-3.14.6.jar!/:na]
at okhttp3.internal.ws.RealWebSocket$1.onResponse(RealWebSocket.java:209) [okhttp-3.14.6.jar!/:na]
at okhttp3.RealCall$AsyncCall.execute(RealCall.java:174) [okhttp-3.14.6.jar!/:na]
at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32) [okhttp-3.14.6.jar!/:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_212]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_212]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://192.168.142.164:8200/v1/pki_int/issue/example-dot-com": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:751) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:677) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:421) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at de.koudingspawn.vault.vault.VaultCommunication.lambda$createPki$0(VaultCommunication.java:48) ~[classes!/:0.0.1-SNAPSHOT]
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:466) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at de.koudingspawn.vault.vault.VaultCommunication.createPki(VaultCommunication.java:48) ~[classes!/:0.0.1-SNAPSHOT]
... 17 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
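The `PKIX path building failed ... unable to find valid certification path to requested target` text in the log above is the JDK's way of saying that the trust store the JVM is using does not contain the CA that issued Vault's server certificate; the remedy is to add that CA to the trust store, not to turn verification off. The following is an added triage helper, not code from vault-crd or from either participant in this issue: it parses the Spring Boot log format shown above, flags Java TLS trust failures, and pulls out the HTTPS endpoint that was being contacted so an operator can see which server's CA needs to be trusted. The sample lines are constructed for the example (the second one is shortened from the issue's own WARN line, the third is an invented hostname-mismatch case on a placeholder host); the `SIGNATURES` table and the `untrusted_issuer` / `hostname_mismatch` labels are my own naming.

```python
"""Triage helper for Spring Boot style log lines.

Added example, not part of vault-crd. Parses lines of the form
  2020-06-08 16:59:49.212  WARN 1 --- [thread] logger : message
classifies JDK TLS trust failures and extracts the HTTPS endpoint
that was being contacted.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Spring Boot default console pattern: timestamp, level, pid, ---, [thread], logger, :, message.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\s+\d+\s+---\s+"
    r"\[(?P<thread>[^\]]*)\]\s+(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)
# Spring's RestTemplate quotes the request URL; keep only scheme://host:port.
URL = re.compile(r'"(?P<url>https://[^"/]+)[^"]*"')

# Substrings emitted by the JDK TLS stack, most specific first, and the
# operational meaning assigned to each (labels chosen for this example).
SIGNATURES = [
    ("PKIX path building failed", "untrusted_issuer"),   # issuing CA not in the trust store
    ("No subject alternative", "hostname_mismatch"),     # cert does not cover the host used
    ("SSLHandshakeException", "tls_handshake"),          # any other handshake failure
]


@dataclass
class TlsFailure:
    timestamp: str
    level: str
    endpoint: Optional[str]  # e.g. https://host:port, or None if no URL in the message
    cause: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a timestamped log line, or None for banner/stack-trace lines."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(message: str) -> Optional[str]:
    """Map a log message to a failure cause, or None if it is not a TLS trust problem."""
    for needle, cause in SIGNATURES:
        if needle in message:
            return cause
    return None


def find_tls_failures(lines: Iterable[str]) -> List[TlsFailure]:
    """Scan log lines and return one TlsFailure per line that reports a TLS trust error."""
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # "Caused by:" and "at ..." frames carry no timestamp; skip them
        cause = classify(rec["msg"])
        if cause is None:
            continue
        url = URL.search(rec["msg"])
        failures.append(TlsFailure(rec["ts"], rec["level"],
                                   url.group("url") if url else None, cause))
    return failures


def endpoints_needing_trust(failures: List[TlsFailure]) -> List[str]:
    """Distinct endpoints whose issuing CA must be added to the JVM trust store."""
    return sorted({f.endpoint for f in failures
                   if f.cause == "untrusted_issuer" and f.endpoint})


# Constructed sample log (modelled on the issue above; the third line is invented).
SAMPLE_LOG = [
    "2020-06-08 16:59:48.914  INFO 1 --- [           main] de.koudingspawn.vault.VaultApplication : Started VaultApplication in 5.197 seconds (JVM running for 5.867)",
    '2020-06-08 16:59:49.212  WARN 1 --- [//10.96.0.1/...] o.s.v.a.LifecycleAwareSessionManager : Cannot enhance VaultToken to a LoginToken: Token self-lookup failed; nested exception is org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://192.168.142.164:8200/v1/auth/token/lookup-self": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target',
    '2020-06-08 17:01:02.000 ERROR 1 --- [//10.96.0.1/...] d.k.vault.kubernetes.EventHandler : I/O error on GET request for "https://vault.example.internal:8200/v1/sys/health": javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching vault.example.internal found.',
    "    at de.koudingspawn.vault.vault.VaultCommunication.createPki(VaultCommunication.java:55) ~[classes!/:0.0.1-SNAPSHOT]",
]

if __name__ == "__main__":
    found = find_tls_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.level:5} {f.cause:18} {f.endpoint}")
    print("CA to import for:", endpoints_needing_trust(found))
```

Run it against `kubectl logs` output piped into `SAMPLE_LOG`'s place and the `untrusted_issuer` entries tell you which Vault address the pod is reaching and therefore which CA certificate to import; a `hostname_mismatch` entry instead means the CA is trusted but the address used is not one the certificate covers, which no trust-store change fixes.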

Hey @vigneshkathir,

I created a short tutorial on how to use self-signed certificates with Vault-CRD: https://vault.koudingspawn.de/install-vault-crd/self-signed-certificates
I hope this is useful.

Cheers,
Björn