
I have just built a Vault server that works correctly, but at each connection to the web UI I am asked to validate a certificate:

Do you know why I get this message? Is it possible to bypass this problem?

For information, I use a wildcard certificate *.mydomain.com.

Best regards,

M.

Mohleon

3 Answers


Vault supports mutual TLS by default. Vault asks you to present your own certificate to authenticate, and continues with other authentication methods if no client certificate is provided.

You can turn it off by setting tls_disable_client_certs = true in your server's configuration, under the tcp listener stanza (restart required).

You can find more details in this knowledge base article by @Zam.

ixe013

Fixing this issue involves making a tweak to your TCP listener's config stanza. For the TCP listener, Vault includes a parameter called tls_disable_client_certs which allows you to toggle this functionality. By default, the value of this parameter is false and Vault will request client certificates when available.

To disable this behavior, simply update the TCP listener stanza in your Vault configuration file to include the following line.

tls_disable_client_certs = "true"

Below is an example of how this would look in a Vault configuration file.

...
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault-cert.crt"
  tls_key_file = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.crt"
  tls_disable_client_certs = "true"
}
...

If you'd like to read more, I wrote a knowledge base article detailing how to handle this.

Zam
  • Thanks for that, Zam! But I think StackOverflow etiquette frowns upon answers with just a link. Improving an existing answer by editing it (or providing a better one) increases the signal-to-noise ratio. – ixe013 May 25 '22 at 18:04
  • @ixe013 No problem, I'll try to provide a synopsis in my edited answer and leave the link at the bottom for those interested. – Zam May 26 '22 at 19:20
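The two answers above describe the same listener flag but give no way to confirm the result, so here is an added example (my own code, not Vault's and not from either answer) that checks it twice: a static lint of the listener "tcp" stanza, and a parser for `openssl s_client` output that tells whether a running listener actually sent a TLS CertificateRequest. The lint also reports the trade-off the answers leave implicit: with tls_disable_client_certs set, the listener never asks for a client certificate, so the TLS cert auth method cannot be used on that listener either, and it flags tls_disable_client_certs combined with tls_require_and_verify_client_cert, which Vault documents as incompatible. Assumptions: the stanza is parsed with a regex that expects a flat listener block (no nested blocks), the live probe expects an openssl binary on PATH, and the output strings it looks for ("Acceptable client certificate CA names", "Requested Signature Algorithms", "No client certificate CA names sent") are those printed by OpenSSL 1.1.1 and later; the config snippets and s_client output in the block are constructed samples.

```python
"""Added example (not Vault's own code): check whether a Vault "tcp" listener
will prompt browsers for a client certificate, first statically from the
config file and then live with openssl. Configs and openssl output below are
constructed samples."""
import re
import subprocess

# One listener "tcp" stanza -> its body. Assumes a flat stanza with no nested
# blocks inside the listener, which is the usual shape of this stanza.
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
# key = value   or   key = "value", with an optional trailing # comment
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\n#]*?)"?\s*(?:#.*)?$', re.M)


def parse_tcp_listeners(config_text):
    """Return one {attribute: value} dict per listener "tcp" stanza."""
    return [{k: v.strip() for k, v in ATTR_RE.findall(m.group(1))}
            for m in LISTENER_RE.finditer(config_text)]


def _truthy(value):
    # the listener accepts both  = true  and  = "true"  for this flag
    return str(value).strip().lower() in ("true", "1")


def audit_listener(attrs):
    """Classify one listener. Returns (prompts_for_client_cert, findings)."""
    findings = []
    if _truthy(attrs.get("tls_disable", "false")):
        findings.append("TLS is off on this listener: no certificates are exchanged at all")
        return False, findings
    disabled = _truthy(attrs.get("tls_disable_client_certs", "false"))
    required = _truthy(attrs.get("tls_require_and_verify_client_cert", "false"))
    if disabled and required:
        findings.append("tls_disable_client_certs and tls_require_and_verify_client_cert "
                        "are mutually exclusive (documented as incompatible)")
    if disabled:
        findings.append("client certificate never requested: the browser prompt goes "
                        "away, and so does the TLS cert auth method on this listener")
        return False, findings
    if required:
        findings.append("client certificate required and verified; connections without one fail")
    else:
        findings.append("client certificate requested but optional (the default): browsers "
                        "that hold a matching client certificate will prompt")
    return True, findings


def audit_config(config_text):
    """Audit every tcp listener: list of (address, prompts_for_client_cert, findings)."""
    return [(attrs.get("address", "<unset>"),) + audit_listener(attrs)
            for attrs in parse_tcp_listeners(config_text)]


def server_requested_client_cert(s_client_output):
    """Read `openssl s_client` output: did the server send a CertificateRequest?
    s_client prints 'Acceptable client certificate CA names' when the request
    carried a CA list, 'Requested Signature Algorithms' for any request it saw,
    and 'No client certificate CA names sent' when no CA list arrived."""
    if "Acceptable client certificate CA names" in s_client_output:
        return True
    if "Requested Signature Algorithms" in s_client_output:
        return True  # request received, but without a CA list
    if "No client certificate CA names sent" in s_client_output:
        return False
    raise ValueError("no client-certificate section found in s_client output")


def probe_listener(host, port=8200):
    """Live check against a running Vault; assumes openssl is on PATH."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return server_requested_client_cert(proc.stdout.decode(errors="replace"))


# Constructed samples: the answer's stanza before and after the fix, plus the
# flag combination the listener documents as incompatible.
DEFAULT_CONFIG = '''
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault-cert.crt"
  tls_key_file = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.crt"
}
'''
FIXED_CONFIG = DEFAULT_CONFIG.replace("}", '  tls_disable_client_certs = "true"\n}')
CONFLICT_CONFIG = FIXED_CONFIG.replace("}", "  tls_require_and_verify_client_cert = true\n}")

# Constructed, abbreviated openssl s_client output for the two cases.
S_CLIENT_PROMPT = ("---\nAcceptable client certificate CA names\nCN = Vault CA\n"
                   "Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256\n---\n")
S_CLIENT_NO_PROMPT = "---\nNo client certificate CA names sent\nPeer signing digest: SHA256\n---\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG), ("conflict", CONFLICT_CONFIG)):
        for address, prompts, findings in audit_config(cfg):
            print(f"[{name}] {address}: prompts_for_client_cert={prompts}")
            for finding in findings:
                print("   -", finding)
    print("sample live probe (no prompt):", server_requested_client_cert(S_CLIENT_NO_PROMPT))
```

Run the script as-is to see the three stanzas classified; point probe_listener() at your own host (for example the name your wildcard certificate covers) to confirm that, after the restart, the listener no longer sends a CertificateRequest. If you rely on the TLS cert auth method, keep a second listener with client certificates enabled instead of disabling them on the only one.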

Thank you for your answers.

By adding this line:

tls_disable_client_certs = true

I don't have to submit a certificate anymore.

Best regards,
M.

Mohleon