aws-quickstart/quickstart-hashicorp-vault

Can't use TLS auth due to tls_disable = 1

Opened this issue · 1 comment

Hi,

As this module doesn't use TLS, it is not possible to use TLS authentication. There is an error:
tls connection is required

Steps to reproduce:

  • Provision Vault from the module
  • Enable TLS auth
  • Make some tests (add secret, policy and cert), e.g.:
# With PowerShell on Windows
$vaulturl = "https://example.com"
$certpath = "Subject of a client cert in Windows Store"
$secret = "secret/test/test"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Open the LocalMachine\My store and look up the client certificate by its subject DN
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$cert.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$result = $cert.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName, $certpath, $false)
$cert.Close()

# Log in with the cert auth method (client cert presented on the TLS connection), then read the secret with the returned token
$json = (Invoke-WebRequest -Uri "$vaulturl/v1/auth/cert/login" -Method 'POST' -Certificate $result[0] -UseBasicParsing).Content | ConvertFrom-Json
(Invoke-WebRequest -Headers @{"X-Vault-Token" = $json.auth.client_token} -ContentType "application/json" -Method 'GET' -Uri "$vaulturl/v1/$secret" -UseBasicParsing).Content
  • And the error is:
    tls connection is required

Hi, I'm facing the same issue.
I guess that the SSL termination is on the load balancer, so Vault is in fact not in full TLS, as the communication between the load balancer and the Vault cluster is unencrypted.

Does anyone have a solution or workaround?

This deployment is mostly up to date and fills all requirements to get a production-ready Vault cluster.
I hope I will not have to switch to another solution to deploy my cluster.
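For readers of this thread, here is the Vault listener setting the two comments describe next to a TLS-enabled listener that lets the cert auth method see the client certificate. This is an added illustration, not the Quick Start's own templates; the address and file paths are placeholders.

```hcl
# Added example (not from the Quick Start). Listener as deployed by the module:
# tls_disable = 1 means TLS ends at the load balancer, the hop to Vault is plain
# HTTP, and the client certificate never reaches Vault. The cert auth method
# therefore rejects the login with "tls connection is required".
listener "tcp" {
  address     = "0.0.0.0:8200"   # placeholder
  tls_disable = 1
}

# Corrected listener: TLS terminates on the Vault node, so the client certificate
# arrives on the connection Vault itself accepts. The cert auth method validates
# it against the CA registered under auth/cert/certs/<name>; the listener does
# not need to require client certificates for that to work. The load balancer
# must then pass TCP through to the nodes instead of terminating HTTPS.
listener "tcp" {
  address         = "0.0.0.0:8200"               # placeholder
  tls_disable     = 0
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"  # placeholder
  tls_key_file    = "/etc/vault.d/tls/vault.key"  # placeholder
  tls_min_version = "tls12"
}
```

Only one of the two listener blocks is meant to be present in a real configuration; they are shown together to contrast the setting.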