Cannot login I/O error on POST request for "https://VAULT_HOST:8200/v1/auth/kubernetes/login"
Opened this issue · 0 comments
Hello, I'm configuring vault-crd version 1.11.0 with Vault 1.12.0-1. I have tried several times to update the certificate used for authentication, and the error below persists.

```
vault-crd org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://VAULT_HOST:8200/v1/auth/kubernetes/login": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

What I'm doing is importing my certificates, which are stored in a k8s Secret, into the KeyStore, as shown in the example below.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: root-ca
type: Opaque
data:
  root-ca.pem: valid-base64-certificate
```
This certificate is self-signed and was created using Terraform. Below is the output when I inspect the certificate with the command:

```
openssl x509 -noout -in vault.crt -text
```
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            SERIAL_NUMBER
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BR, ST = SAo-Paulo, L = Campinas, O = CONTOSO, OU = IT, CN = INTERMEDIATE_CN
        Validity
            Not Before: Oct 27 23:59:43 2022 GMT
            Not After : Oct 26 23:59:43 2025 GMT
        Subject: C = BR, ST = Sao-Paulo, L = campinas, O = CONTOSO, OU = IT, CN = ROOT_CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:
            X509v3 Subject Alternative Name:
                DNS:PRIVATE_DNS_HOSTNAME, DNS:localhost, IP Address:127.0.0.1, IP Address:INTERNAL_IP
    Signature Algorithm:
```
The Vault service is live and was set up following the entire process of the tutorial below:
https://vault.koudingspawn.de/install-vault-crd/self-signed-certificates
Even though every process is running successfully, the problem persists. Could you please help me?
Vault Version: vault/bionic,now 1.12.0-1 amd64
OS Version: 18.04.6 LTS (Bionic Beaver)
Vault CRD: 1.11
EKS: v1.22.13-eks-15b7512
The service account, cluster role and cluster role binding were created from the link below:
https://raw.githubusercontent.com/DaspawnW/vault-crd/master/deploy/rbac.yaml
Deployment YAML:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: vault-crd
  name: vault-crd
  namespace: default
spec:
  selector:
    matchLabels:
      app: vault-crd
  replicas: 1
  template:
    metadata:
      labels:
        app: vault-crd
    spec:
      initContainers:
        - name: cert-import
          image: openjdk:8
          command:
            - /bin/bash
          args:
            - -c
            # both imports run as one shell command string
            - >-
              keytool -importcert -noprompt -trustcacerts -alias root-ca -file /certs/root-ca.pem -keystore /etc/ssl/certs/java/cacerts -storepass changeit &&
              keytool -importcert -noprompt -trustcacerts -alias int-ca -file /certs/int-ca.pem -keystore /etc/ssl/certs/java/cacerts -storepass changeit
          volumeMounts:
            - mountPath: /certs
              name: vault-certs
              readOnly: true
            - mountPath: /etc/ssl/certs/java
              name: cacerts
      serviceAccountName: vault-auth-develop
      serviceAccount: vault-auth-develop
      containers:
        - name: vault-crd
          image: daspawnw/vault-crd:1.11.0
          env:
            - name: KUBERNETES_VAULT_URL
              value: https://PRIVATE_DNS_HOSTNAME:8200/v1/
            - name: KUBERNETES_VAULT_ROLE
              value: develop
            - name: KUBERNETES_VAULT_AUTH
              value: serviceAccount
            - name: KUBERNETES_VAULT_PATH
              value: kubernetes-develop
          ports:
            - containerPort: 8080
          volumeMounts:
            - mountPath: /certs
              name: vault-certs
              readOnly: true
            - mountPath: /etc/ssl/certs/java
              name: cacerts
          # livenessProbe is a container field; it was pasted after the volumes in the issue
          livenessProbe:
            httpGet:
              port: 8080
              path: "/actuator/health"
              scheme: HTTP
            initialDelaySeconds: 30
            failureThreshold: 3
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
      volumes:
        - name: vault-certs
          projected:
            defaultMode: 420
            sources:
              - secret:
                  items:
                    - key: root-ca.pem
                      path: root-ca.pem
                  name: root-ca
              - secret:
                  items:
                    - key: int-ca.pem
                      path: int-ca.pem
                  name: int-ca
        - name: cacerts
          # assumed: the pasted YAML gives no volume source for cacerts; a shared
          # emptyDir is what the init container writes and the main container reads
          emptyDir: {}
      restartPolicy: Always
```
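As an added check (not from the issue or the vault-crd project), the script below parses the `openssl x509 -text` output shown above and reports whether a file about to be imported with `keytool -trustcacerts` is actually a root CA (CA:TRUE, Certificate Sign, self-issued) and whether its SAN list covers the host used in KUBERNETES_VAULT_URL; SAMPLE_DUMP is a constructed reproduction of the dump in the issue, with the issue's placeholder values.

```python
import re

# Constructed reproduction of the `openssl x509 -text` dump in the issue;
# the values are the issue's placeholders, not real certificate data.
SAMPLE_DUMP = """Certificate:
    Data:
        Issuer: C = BR, ST = SAo-Paulo, L = Campinas, O = CONTOSO, OU = IT, CN = INTERMEDIATE_CN
        Subject: C = BR, ST = Sao-Paulo, L = campinas, O = CONTOSO, OU = IT, CN = ROOT_CN
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:PRIVATE_DNS_HOSTNAME, DNS:localhost, IP Address:127.0.0.1
"""


def parse_x509_text(dump):
    """Extract issuer, subject, CA flag, key usage and SANs from openssl text output."""
    info = {"issuer": None, "subject": None, "ca": None, "key_usage": [], "sans": []}
    lines = [line.strip() for line in dump.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""  # value lives on the next line
        if line.startswith("Issuer:"):
            info["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:"):
            info["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("X509v3 Basic Constraints"):
            m = re.search(r"CA:(TRUE|FALSE)", nxt)
            info["ca"] = (m.group(1) == "TRUE") if m else None
        elif line.startswith("X509v3 Key Usage"):
            info["key_usage"] = [u.strip() for u in nxt.split(",")]
        elif line.startswith("X509v3 Subject Alternative Name"):
            info["sans"] = [s.strip() for s in nxt.split(",")]
    return info


def root_ca_problems(info):
    """Reasons the cert is not a root CA suitable for a trust store; empty list if it is."""
    problems = []
    if info["ca"] is not True:
        problems.append("Basic Constraints is not CA:TRUE (end-entity certificate)")
    if "Certificate Sign" not in info["key_usage"]:
        problems.append("Key Usage lacks Certificate Sign")
    if info["issuer"] != info["subject"]:
        problems.append("Issuer differs from Subject (a root CA is self-issued)")
    return problems


def san_covers(info, host):
    """True if the host from KUBERNETES_VAULT_URL appears in the cert's SAN list."""
    return any(s in (f"DNS:{host}", f"IP Address:{host}") for s in info["sans"])
```

Run against the dump from the issue, `root_ca_problems` reports two findings (CA:FALSE and an issuer that differs from the subject), while `san_covers` confirms PRIVATE_DNS_HOSTNAME is present.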