DaspawnW/vault-crd

Cannot login I/O error on POST request for "https://VAULT_HOST:8200/v1/auth/kubernetes/login"

Opened this issue · 0 comments

Hello, I'm configuring vault-crd version 1.11.0 with Vault 1.12.0-1. I have tried several times to update the certificate used for authentication, but the error below persists.

vault-crd org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://VAULT_HOST:8200/v1/auth/kubernetes/login": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The process I'm running is the KeyStore import with my certificates that are stored in the k8s secret, as shown in the example below.

apiVersion: v1
kind: Secret
metadata:
  name: root-ca
type: Opaque
data:
  root-ca.pem: valid-base64-certificate

This certificate is self-signed and was created using Terraform. Below is the output when I extract the certificate with the command

openssl x509 -noout -in vault.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            SERIAL_NUMBER
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BR, ST = SAo-Paulo, L = Campinas, O = CONTOSO, OU = IT, CN = INTERMEDIATE_CN
        Validity
            Not Before: Oct 27 23:59:43 2022 GMT
            Not After : Oct 26 23:59:43 2025 GMT
        Subject: C = BR, ST = Sao-Paulo, L = campinas, O = CONTOSO, OU = IT, CN = ROOT_CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:

                Exponent: (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:

            X509v3 Subject Alternative Name:
                DNS:PRIVATE_DNS_HOSTNAME, DNS:localhost, IP Address:127.0.0.1, IP Address:INTERNAL_IP
    Signature Algorithm: 

The vault service is live and follows the entire process of the tutorial below.

https://vault.koudingspawn.de/install-vault-crd/self-signed-certificates

Even though every process is running successfully, the problem persists. Could you please help me?

Vault Version: vault/bionic,now 1.12.0-1 amd64
OS Version: 18.04.6 LTS (Bionic Beaver)
Vault CRD: 1.11
EKS: v1.22.13-eks-15b7512

The service account, cluster role and cluster role binding were created from the link below:

https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml

Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: vault-crd
  name: vault-crd
  namespace: default
spec:
  selector:
    matchLabels:
      app: vault-crd
  replicas: 1
  template:
    metadata:
      labels:
        app: vault-crd
    spec:
      initContainers:
        - name: cert-import
          image: openjdk:8
          command:
            - /bin/bash
          args:
            - -c
            - keytool -importcert -noprompt -trustcacerts -alias root-ca -file /certs/root-ca.pem -keystore /etc/ssl/certs/java/cacerts -storepass changeit &&
              keytool -importcert -noprompt -trustcacerts -alias int-ca -file /certs/int-ca.pem -keystore /etc/ssl/certs/java/cacerts -storepass changeit
          volumeMounts:
          - mountPath: /certs
            name: vault-certs
            readOnly: true
          - mountPath: /etc/ssl/certs/java
            name: cacerts
      serviceAccountName: vault-auth-develop
      serviceAccount: vault-auth-develop
      containers:
      - name: vault-crd
        image: daspawnw/vault-crd:1.11.0
        env:
        - name: KUBERNETES_VAULT_URL
          value: https://PRIVATE_DNS_HOSTNAME:8200/v1/
        - name: KUBERNETES_VAULT_ROLE
          value: develop
        - name: KUBERNETES_VAULT_AUTH
          value: serviceAccount
        - name: KUBERNETES_VAULT_PATH
          value: kubernetes-develop
        ports:
          - containerPort: 8080
        volumeMounts:
        - mountPath: /certs
          name: vault-certs
          readOnly: true
        - mountPath: /etc/ssl/certs/java
          name: cacerts
        livenessProbe:
          httpGet:
            port: 8080
            path: "/actuator/health"
            scheme: HTTP
          initialDelaySeconds: 30
          failureThreshold: 3
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
      volumes:
        - name: vault-certs
          projected:
            defaultMode: 420
            sources:
            - secret:
                items:
                - key: root-ca.pem
                  path: root-ca.pem
                name: root-ca
            - secret:
                items:
                - key: int-ca.pem
                  path: int-ca.pem
                name: int-ca
        - name: cacerts
          emptyDir: {} # shared with the init container so the keystore it writes reaches vault-crd
      restartPolicy: Always
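The PKIX error in this issue is a chain-building failure: during the TLS handshake the JVM accepts Vault's certificate only if the cacerts keystore that keytool populated contains a certificate the presented chain leads back to. The following Go program is an added example, not code from the issue or from vault-crd: it mints a root -> intermediate -> server chain using the CN placeholders from the openssl output (hostname, serials and validity are constructed), then shows which truststore contents let the path build and which fail with an unknown-authority error, the condition the JVM reports as "unable to find valid certification path to requested target", including a stale root left over from an earlier certificate rotation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mint issues a certificate named cn (a CA when ca is set); a nil parent yields a self-signed root.
func mint(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool stands in for the cacerts truststore, or for the chain a server sends, holding the given certificates.
func pool(cs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}

// Scenarios builds root -> intermediate -> server as in the issue plus a stale root from an earlier rotation, then
// checks each truststore content as the JVM does: sent is what Vault sends with its certificate, trusted is cacerts.
func Scenarios() map[string]error {
	root, rootKey := mint("ROOT_CN", 1, true, nil, nil)
	inter, interKey := mint("INTERMEDIATE_CN", 2, true, root, rootKey)
	server, _ := mint("vault.internal.example", 3, false, inter, interKey) // constructed hostname
	stale, _ := mint("ROOT_CN", 4, true, nil, nil)                        // same name as root, different key pair
	check := func(sent, trusted *x509.CertPool) error { // nil result means the path built
		_, err := server.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: sent})
		return err
	}
	return map[string]error{
		"root and intermediate imported":      check(nil, pool(root, inter)),
		"root imported, intermediate sent":    check(pool(inter), pool(root)),
		"root imported, intermediate missing": check(nil, pool(root)),
		"stale root imported":                 check(pool(inter), pool(stale)),
	}
}
```

The two failing scenarios correspond to a truststore that either lacks the intermediate Vault does not send itself, or still holds a root from before the certificates were regenerated; comparing the fingerprint of the imported root-ca.pem against the issuer of the certificate Vault actually serves distinguishes the two.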