I am trying to use HashiCorp Vault with Spring Cloud Vault in a Spring Boot project. I configured my bootstrap.yml file to use an AppRole role ID and secret ID to get passwords.

bootstrap.yml

spring:
  application:
    name: pres
  cloud:
    vault:
      authentication: APPROLE
      app-role:
        role-id: ${role-id}
        secret-id: ${secret-id}
        role: pres-read
        app-role-path: approle
      uri: https://hostname:8200
      kv:
        enabled: true
        backend: secret
        application-name: pres
  profiles:
    include: dev

During startup I get the following exception:

org.springframework.vault.authentication.VaultLoginException: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://hostname:8200/v1/auth/approle/login": extension (5) should not be presented in certificate_request; nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request

I am using the spring-cloud-starter-vault-config dependency to access the vault:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>2.2.2.RELEASE</version>
</dependency>

Pavan Jadda
  • Which Vault version are you on? I found this similar-sounding issue on GitHub, https://github.com/hashicorp/vault/issues/8750, but there is not much activity going on in the issue. – kgorskowski May 18 '20 at 15:03
  • @kgorskowski Updated the post. – Pavan Jadda May 18 '20 at 15:07
  • Hi, I did some basic reading up; the problem seems to be the TLS negotiation between Java and Go (Vault). There is more information on that at https://github.com/golang/go/issues/35722. Sorry, but I am out of my waters in this topic. Better check the versions of your components for issues/bug reports regarding this matter. – kgorskowski May 18 '20 at 15:10
  • @kgorskowski Thanks for the link. I followed the workaround from https://github.com/golang/go/issues/35722#issuecomment-571173416 and it works. – Pavan Jadda May 18 '20 at 16:05

1 Answer

Okay. It looks like this is a Java TLS bug; I am hoping the Java team will fix this in Java 11.0.8.

Update: The issue was fixed in the latest Java 11 versions.

Pavan Jadda
  • Did you find a solution? – sherybedrock Sep 16 '20 at 11:00
  • It was a bug in Java 11.0.7. The latest version of Java fixed it. You can also force TLS 1.2 using the argument -Djdk.tls.client.protocols. Sample: `java -jar -Djdk.tls.client.protocols=TLSv1.2 app.jar` – Pavan Jadda Sep 16 '20 at 15:21
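The workaround in the comment above pins the JVM's TLS client protocol for every run. The added launcher script below (example code, not from the original post or from Spring Cloud Vault) applies the `-Djdk.tls.client.protocols=TLSv1.2` flag only when the detected Java version is the affected 11.0.7 named in the thread, so that patched runtimes keep their default protocol negotiation; the function names, the version pattern and the sample `java -version` banner are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Apply the TLS 1.2 pin from the thread only on the JVM build the thread names
# as affected (11.0.7). Assumption: other builds are left at JVM defaults;
# adjust the pattern if your vendor's build reports a different string.

# Extract the version string ("11.0.7") from a `java -version` banner read
# on stdin. Note that `java -version` itself prints to stderr, so call it as:
#   java -version 2>&1 | java_version_from_banner
java_version_from_banner() {
  # First banner line is expected to look like:
  #   openjdk version "11.0.7" 2020-04-14   (constructed sample)
  sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Print the extra JVM option for a given version string, or nothing when the
# runtime is not the affected build.
tls_workaround_opts() {
  case "$1" in
    11.0.7|11.0.7.*) printf '%s' '-Djdk.tls.client.protocols=TLSv1.2' ;;
    *) printf '' ;;
  esac
}

# Assemble the launch command for the Spring Boot jar: the system property
# must precede -jar so the JVM, not the application, receives it.
launch_command() {
  jar="$1"
  version="$2"
  extra=$(tls_workaround_opts "$version")
  if [ -n "$extra" ]; then
    printf 'java %s -jar %s' "$extra" "$jar"
  else
    printf 'java -jar %s' "$jar"
  fi
}

# Typical use (uncomment to run against the installed JVM):
# ver=$(java -version 2>&1 | java_version_from_banner)
# eval "$(launch_command app.jar "$ver")"
```

After the upgrade described in the answer, the script produces a plain `java -jar app.jar`, which is a quick way to confirm the workaround is no longer being applied.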