HashiCorp Vault TLS Kubernetes certificates setup

11/18/2020

I have a 3 node Vault cluster with a 3 node Consul backend running in an AKS v1.19.3 cluster. There are no services exposing this cluster to the outside world, as I have no need for access outside this cluster, hence I have a single ClusterIP Service named vault in namespace vault defined. I have no problem port-forwarding to this service and creating all my secret, transit, policy and AppRole definitions in the cluster, but when I try to connect to the cluster from my backend service, with approlelogin, I am getting the following error:

2020-11-18T05:07:17.179653680Z error loging in approle RequestError: Error: unable to verify the first certificate
2020-11-18T05:07:17.179668980Z     at new RequestError (/node_modules/request-promise-core/lib/errors.js:14:15)
2020-11-18T05:07:17.179672780Z     at Request.plumbing.callback (/node_modules/request-promise-core/lib/plumbing.js:87:29)
2020-11-18T05:07:17.179676280Z     at Request.RP$callback [as _callback] (/node_modules/request-promise-core/lib/plumbing.js:46:31)
2020-11-18T05:07:17.179680980Z     at self.callback (/node_modules/request/request.js:185:22)
2020-11-18T05:07:17.179684380Z     at Request.emit (events.js:314:20)
2020-11-18T05:07:17.179687480Z     at Request.onRequestError (/node_modules/request/request.js:881:8)
2020-11-18T05:07:17.179690680Z     at ClientRequest.emit (events.js:314:20)
2020-11-18T05:07:17.179693880Z     at TLSSocket.socketErrorListener (_http_client.js:469:9)
2020-11-18T05:07:17.179697380Z     at TLSSocket.emit (events.js:314:20)
2020-11-18T05:07:17.179700280Z     at emitErrorNT (internal/streams/destroy.js:100:8)
2020-11-18T05:07:17.179703280Z     at emitErrorCloseNT (internal/streams/destroy.js:68:3)
2020-11-18T05:07:17.179706280Z     at processTicksAndRejections (internal/process/task_queues.js:80:21) {
2020-11-18T05:07:17.179709380Z   cause: Error: unable to verify the first certificate
2020-11-18T05:07:17.179712380Z       at TLSSocket.onConnectSecure (_tls_wrap.js:1498:34)
2020-11-18T05:07:17.179715380Z       at TLSSocket.emit (events.js:314:20)
2020-11-18T05:07:17.179729980Z       at TLSSocket._finishInit (_tls_wrap.js:933:8)
2020-11-18T05:07:17.179734180Z       at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:707:12)
2020-11-18T05:07:17.179737280Z       at TLSWrap.callbackTrampoline (internal/async_hooks.js:123:14) {
2020-11-18T05:07:17.179740280Z     code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
2020-11-18T05:07:17.179743280Z   },
2020-11-18T05:07:17.179746380Z   error: Error: unable to verify the first certificate
2020-11-18T05:07:17.179749380Z       at TLSSocket.onConnectSecure (_tls_wrap.js:1498:34)
2020-11-18T05:07:17.179752380Z       at TLSSocket.emit (events.js:314:20)
2020-11-18T05:07:17.179755280Z       at TLSSocket._finishInit (_tls_wrap.js:933:8)
2020-11-18T05:07:17.179758380Z       at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:707:12)
2020-11-18T05:07:17.179761480Z       at TLSWrap.callbackTrampoline (internal/async_hooks.js:123:14) {
2020-11-18T05:07:17.179766280Z     code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
2020-11-18T05:07:17.179769380Z   },
2020-11-18T05:07:17.179772480Z   options: {
2020-11-18T05:07:17.179775380Z     json: {
2020-11-18T05:07:17.179778280Z       role_id: '7f232329-51d4-eafc-b968-6a44a2506e74',
2020-11-18T05:07:17.179781280Z       secret_id: '17fd2652-74b0-eb74-db58-44f42e9cf122'
2020-11-18T05:07:17.179813580Z     },
2020-11-18T05:07:17.179818180Z     resolveWithFullResponse: true,
2020-11-18T05:07:17.179821180Z     simple: false,
2020-11-18T05:07:17.179824180Z     strictSSL: true,
2020-11-18T05:07:17.179827180Z     method: 'POST',
2020-11-18T05:07:17.179830180Z     path: '/auth/approle/login',
2020-11-18T05:07:17.179833280Z     headers: {},
2020-11-18T05:07:17.179836280Z     uri: 'https://vault.vault.svc.cluster.local:8200/v1/auth/approle/login',
2020-11-18T05:07:17.179839480Z     callback: [Function: RP$callback],
2020-11-18T05:07:17.179843280Z     transform: undefined,
2020-11-18T05:07:17.179846380Z     transform2xxOnly: false
2020-11-18T05:07:17.179849380Z   },
2020-11-18T05:07:17.179852380Z   response: undefined
2020-11-18T05:07:17.179855380Z }

I am assuming this is a problem with my ca.cert, used to sign my self-signed certificates, not being recognised. I have this code running locally on my Mac in a Rancher k3s cluster, but there I used the Kubernetes CSR API to sign my certs (signer: kubernetes.io/kubelet-serving) and I used the CA for this signing authority. I would prefer to go with this method and have Kubernetes manage the certificate renewals, but I don't know where to get this CA cert from in Azure (or whether this is a good practice anyway). Any help to resolve this problem would be greatly appreciated.

-- Jamie
Tags: azure, kubernetes, node.js, ssl

0 Answers