TLS ERROR with Vault using self-signed certificate
weinix commented
My Vault is using a self-signed cert and I have followed the steps below:
kubernetes-external-secrets/README.md
Line 658 in 458f39a
Error:
level:50 message_time:2021-12-01T04:53:21.148Z pid:19 hostname:external-secrets-kubernetes-external-secrets-6b9c77644f-mw9vv payload:{err:type:RequestError} payload:{err:message:Error: SSL Error: UNABLE_TO_GET_ISSUER_CERT} payload:{err:stack:RequestError: Error: SSL Error: UNABLE_TO_GET_ISSUER_CERT
at new RequestError (/app/node_modules/request-promise-core/lib/errors.js:14:15)
at Request.plumbing.callback (/app/node_modules/request-promise-core/lib/plumbing.js:87:29)
at Request.RP [as _callback] (/app/node_modules/request-promise-core/lib/plumbing.js:46:31)
at self.callback (/app/node_modules/request/request.js:185:22)
at Request.emit (events.js:400:28)
at Request.emit (domain.js:475:12)
at Request.onRequestResponse (/app/node_modules/request/request.js:948:10)
at ClientRequest.emit (events.js:400:28)
at ClientRequest.emit (domain.js:475:12)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)} payload:{err:name:RequestError} payload:{err:cause:type:Error} payload:{err:cause:message:SSL Error: UNABLE_TO_GET_ISSUER_CERT} payload:{err:cause:stack:Error: SSL Error: UNABLE_TO_GET_ISSUER_CERT
at Request.onRequestResponse (/app/node_modules/request/request.js:948:24)
at ClientRequest.emit (events.js:400:28)
at ClientRequest.emit (domain.js:475:12)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:127:17)
at TLSSocket.socketOnData (_http_client.js:515:22)
at TLSSocket.emit (events.js:400:28)
at TLSSocket.emit (domain.js:475:12)
at addChunk (internal/streams/readable.js:293:12)
at readableAddChunk (internal/streams/readable.js:267:9)} payload:{err:error:type:Error} payload:{err:error:message:SSL Error: UNABLE_TO_GET_ISSUER_CERT} payload:{err:error:stack:Error: SSL Error: UNABLE_TO_GET_ISSUER_CERT
at Request.onRequestResponse (/app/node_modules/request/request.js:948:24)
at ClientRequest.emit (events.js:400:28)
at ClientRequest.emit (domain.js:475:12)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:127:17)
at TLSSocket.socketOnData (_http_client.js:515:22)
at TLSSocket.emit (events.js:400:28)
at TLSSocket.emit (domain.js:475:12)
at addChunk (internal/streams/readable.js:293:12)
at readableAddChunk (internal/streams/readable.js:267:9)} payload:{err:options:json:role:argocd} payload:{err:options:json:jwt:[Redacted]} payload:{err:options:resolveWithFullResponse:true} payload:{err:options:simple:false} payload:{err:options:strictSSL:true} payload:{err:options:followAllRedirects:true} payload:{err:options:method:POST} payload:{err:options:path:/auth/kubernetes/login} payload:{err:options:headers:[Redacted]} payload:{err:options:uri:https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login} payload:{err:options:transform2xxOnly:false} msg:failure while polling the secret argocd/exsecret1
Inside the pod, I verified the correct CA file is in the right place (note that `NODE_TLS_REJECT_UNAUTHORIZED=0` below does not appear to suppress this error: the request options in the log show `strictSSL:true`, and the stack shows the error raised from `request.js:948` in `onRequestResponse`, which checks the socket's own authorization result rather than the global setting):
/app $ env | grep NODE
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.pem
NODE_VERSION=14.18.1
NODE_TLS_REJECT_UNAUTHORIZED=0
NODE_ENV=production
/app $ cat /usr/local/share/ca-certificates/ca.pem
<removed>
Can you please advise?
weinix commented
My bad, my Vault was not self-signed. It was signed by an intermediate CA. I was able to get rid of the SSL error with the intermediate CA.