Environment:
EC2 Ubuntu 16.04
Vault Config File:
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/etc/letsencrypt/live/vault.dropys.com/cert.pem"
tls_key_file = "/etc/letsencrypt/live/vault.dropys.com/fullchain.pem"
}
Startup Log Output:
● vault.service - Spring Vault
Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2017-09-27 05:01:25 UTC; 1s ago
Process: 16914 ExecStart=/opt/vault/vault server --config=/opt/vault/vault.conf (code=exited, status=1/FAILURE)
Main PID: 16914 (code=exited, status=1/FAILURE)
systemd[1]: Started Spring Vault.
vault[16914]: Error initializing listener of type tcp: error loading TLS cert: tls: failed to find PEM block with type ending in "PRIVATE KEY" in key input after skip
systemd[1]: vault.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: vault.service: Unit entered failed state.
systemd[1]: vault.service: Failed with result 'exit-code'.
Expected Behavior:
I'm trying to run Vault with TLS enabled for HTTPS.
Actual Behavior:
vault won't start up
Steps to Reproduce:
I created the certs by following this guide: https://www.monterail.com/blog/2017/lets-encrypt-vault-free-ssl-tls-certificate
anyone?
It seems like your PEM files are incorrectly formatted -- perhaps a BEGIN PRIVATE KEY with no corresponding END PRIVATE KEY?
Sorry for the very long delay in response... I missed your answer's notification.
Well, my PEM files look intact... what else should I be looking for?
Unfortunately I can't tell you much other than what the error is telling you -- it thinks that there is an issue with the PEM files you are giving it.
I see... any chance you know how else I can supply (free) certificate files?
I couldn't say without seeing your PEM files. There are people using Vault with LE, so whatever the issue is doesn't appear to be common.
The tutorial is wrong, you're loading the wrong keys.
tls_key_file should be the path of your private key: /etc/letsencrypt/live/vault.dropys.com/privkey.pem
tls_cert_file should be the path of your certificate attached to the certificate used to generate it: /etc/letsencrypt/live/vault.dropys.com/fullchain.pem
@jefferai I'm having a similar issue.
docker run -v /home/jwahba/PycharmProjects/work/vault:/usr/secrets --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"backend": {"inmem": {}}, "listener": {"tcp":{"address":"127.0.0.1:8200", "tls_disable":"0", "tls_cert_file": "/usr/secrets/cert.crt", "tls_key_file": "/usr/secrets/key.pem"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' vault server
Error initializing listener of type tcp: error loading TLS cert: tls: failed to parse private key
I generated the key and certificate using openssl
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Below is how the key.pem looks:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIVQYk/JtSASUCAggA
...Removed lines to save space...
-----END ENCRYPTED PRIVATE KEY-----
What version of Vault?
@jefferai I think I got around this error by putting -nodes into my openssl command. I'm getting this error instead.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Error initializing: Put https://127.0.0.1:8200/v1/sys/init: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
I also tried setting tls-skip-verify as follows:
docker run -v /home/jwahba/PycharmProjects/work/vault:/usr/secrets --cap-add=IPC_LOCK -tls-skip-verify -e 'VAULT_LOCAL_CONFIG={"backend": {"inmem": {}}, "listener": {"tcp":{"address":"127.0.0.1:8200", "tls_disable":"0", "tls_cert_file": "/usr/secrets/cert.pem", "tls_key_file": "/usr/secrets/key.pem"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}, VAULT_SKIP_VERIFY=true, VAULT_ADDR=http://127.0.0.1:8200' vault server
Any idea what could be wrong with this setting?
I'm using the Vault Docker image.
so how to solve this?
Hi there!
The solution is to add an IP Subject Alternative Name (if you intend to connect via an IP) or the CN in the subject field (if you intend to connect via DNS) to your self-signed certificate.
I will close this issue now since the original owner has been inactive for quite a while. Don't hesitate to open a new issue if this is still a problem for you.
Cheers,
Michel
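A pre-flight check for the two listener files, added here as an example (it is not Vault's code, not from the tutorial, and not from any comment in this thread). It covers the three problems the thread runs into: a certificate handed to tls_key_file (the "failed to find PEM block with type ending in PRIVATE KEY" error), a passphrase-protected key from openssl without -nodes ("failed to parse private key"), and a self-signed certificate with no IP SAN ("doesn't contain any IP SANs"). The function names and exit codes are my own convention, the quoted error strings are the ones in the logs above, and -addext requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Pre-flight check for the files a Vault tcp listener names in tls_cert_file
# and tls_key_file. Added example, not Vault's own code or anyone's in this
# thread: it mirrors the three failures seen above (a certificate handed to
# tls_key_file, a passphrase-protected key, a self-signed cert with no IP SAN)
# using only sed/grep, plus openssl where it is installed.

# Print the label of every PEM block in a file, one per line, e.g.
# "CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Exit status (my convention, not Vault's):
#   0 files look usable
#   2 key file has no block whose label ends in "PRIVATE KEY"
#     (Vault: "failed to find PEM block with type ending in PRIVATE KEY")
#   3 key is encrypted; Vault cannot prompt for a passphrase
#     (Vault: "failed to parse private key")
#   4 cert file has no CERTIFICATE block
check_vault_tls_files() {
    cert="$1"; key="$2"
    key_labels=$(pem_labels "$key")
    if ! printf '%s\n' "$key_labels" | grep -q 'PRIVATE KEY$'; then
        echo "tls_key_file $key: no PRIVATE KEY block (found: ${key_labels:-nothing})" >&2
        return 2
    fi
    # PKCS#8 encrypted keys carry their own label; legacy PEM keys mark
    # encryption with a Proc-Type header instead.
    if printf '%s\n' "$key_labels" | grep -q '^ENCRYPTED PRIVATE KEY$' \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "tls_key_file $key: key is passphrase-protected (regenerate with -nodes or decrypt it)" >&2
        return 3
    fi
    if ! pem_labels "$cert" | grep -q '^CERTIFICATE$'; then
        echo "tls_cert_file $cert: no CERTIFICATE block" >&2
        return 4
    fi
    return 0
}

# When openssl is available: confirm the leaf certificate's public key matches
# the private key, and flag a certificate with no subjectAltName, which
# clients reject when they connect by IP ("doesn't contain any IP SANs").
check_vault_tls_match() {
    cert="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping match check" >&2; return 0; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 5
    key_pub=$(openssl pkey -in "$key" -pubout) || return 5
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not belong together" >&2
        return 6
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
        echo "warning: certificate has no subjectAltName; add one for the IP or DNS name clients use" >&2
        return 7
    fi
    return 0
}

# Self-signed test certificate with an IP SAN and an unencrypted key (-nodes),
# the combination the Docker setup above needed. -addext needs OpenSSL 1.1.1+.
make_selfsigned_with_ip_san() {
    ip="$1"; out_dir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
        -keyout "$out_dir/key.pem" -out "$out_dir/cert.pem"
}

# Usage: sh vault-tls-check.sh CERT_FILE KEY_FILE
# e.g.   sh vault-tls-check.sh /etc/letsencrypt/live/example/fullchain.pem \
#                              /etc/letsencrypt/live/example/privkey.pem
if [ $# -eq 2 ]; then
    check_vault_tls_files "$1" "$2" && check_vault_tls_match "$1" "$2" && echo "ok"
fi
```

For a Let's Encrypt setup, run it with fullchain.pem as the cert argument and privkey.pem as the key argument, which is the pairing the accepted answer above gives; the check returns 2 immediately for the original config in this issue because fullchain.pem contains only CERTIFICATE blocks.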