TLS failed to verify certificate #260

Open
jascsch opened this issue Apr 18, 2024 · 4 comments

jascsch commented Apr 18, 2024

Hi all,

We are facing issues with TLS cert validation. The error message is:
Could not create API client for Vault","error":"Put \"https://xxx/v1/auth/xxx/login\": tls: failed to verify certificate: x509: certificate signed by unknown authority

Is there any workaround for this kind of issue?
What we already tried to do:

  • set VAULT_SKIP_VERIFY to true --> does not work
  • mount ca.pem with root ca and intermediates from hcvault.app.corpintra.net as k8s secret to /etc/vault-secrets-operator --> does not work, either
ricoberger (Owner) commented

Hi @jascsch, normally the VAULT_SKIP_VERIFY should work when set as follows in the Helm chart:

environmentVars:
  - name: VAULT_SKIP_VERIFY
    value: "true"

When you mounted the certificate, did you also set the VAULT_CACERT or VAULT_CAPATH environment variables as mentioned here #91 (comment)?
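The point behind that question, shown as an added example that is not the operator's own code: a Go client only trusts a private Vault CA if the CA bundle reaches the verifier's root pool (which is what VAULT_CACERT does); merely mounting the file changes nothing. The root CA and the host name vault.example.internal are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; a nil parent makes the cert self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyWithBundle validates leaf for host against the PEM bundle (root plus
// intermediates) a client loads from VAULT_CACERT; an empty bundle yields
// "x509: certificate signed by unknown authority". VAULT_SKIP_VERIFY would skip the check entirely.
func VerifyWithBundle(leaf *x509.Certificate, caBundlePEM []byte, host string) error {
	roots := x509.NewCertPool() // empty pool: system roots are deliberately not consulted
	roots.AppendCertsFromPEM(caBundlePEM)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo: constructed private CA + server cert for a placeholder Vault host, verified without and with the bundle.
func Demo() (withoutCA, withCA error) {
	now, host := time.Now(), "vault.example.internal" // placeholder host, not a real one
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := issue(leafTmpl, ca, caKey)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return VerifyWithBundle(leaf, nil, host), VerifyWithBundle(leaf, bundle, host)
}
```

The first error returned by Demo is the same x509 failure quoted at the top of this issue; the second call succeeds once the CA bundle is in the pool.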

Obladio commented Apr 18, 2024

Hi there,

It is set. The logs stay at the following:

{"level":"info","ts":"2024-04-18T09:48:24Z","logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":0}

Is there a way to set a log level or anything more verbose? Maybe as additional info: we use Kubernetes as the auth method. When using token-based auth it works.

ricoberger (Owner) commented

You can try to decrease the log level as follows, but I'm not sure if this will provide more output:

args:
  - -leader-elect
  - -zap-log-level=debug

Normally the logs should look similar to the following:

{"level":"info","ts":"2024-04-18T13:20:19Z","logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":300}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"vault","msg":"Renew Vault token"}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"setup","msg":"starting manager"}
{"level":"info","ts":"2024-04-18T13:20:20Z","msg":"Starting server","kind":"health probe","addr":"[::]:8081"}
{"level":"info","ts":"2024-04-18T13:20:20Z","msg":"starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"}
I0418 13:20:20.223425       1 leaderelection.go:250] attempting to acquire leader lease vault-secrets-operator/vaultsecretsoperator.ricoberger.de...
I0418 13:20:36.574905       1 leaderelection.go:260] successfully acquired lease vault-secrets-operator/vaultsecretsoperator.ricoberger.de
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting EventSource","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","source":"kind source: *v1alpha1.VaultSecret"}
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting EventSource","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","source":"kind source: *v1.Secret"}
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting Controller","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret"}
{"level":"info","ts":"2024-04-18T13:20:37Z","msg":"Starting workers","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","worker count":1}
{"level":"info","ts":"2024-04-18T13:20:37Z","msg":"Use shared client to get secret from Vault","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","VaultSecret":{"name":"basic-auth-credentials","namespace":"customer-control"},"namespace":"customer-control","name":"basic-auth-credentials","reconcileID":"565ec7d5-3348-4416-88ce-6680ccf3ed2c"}

If the problem only exists with the Kubernetes Auth Method, were the commands from the readme run successfully for the setup (https://github.com/ricoberger/vault-secrets-operator?tab=readme-ov-file#kubernetes-auth-method)?

Obladio commented Apr 18, 2024

Yes, the configuration worked. Unfortunately it doesn't print anything else. It seems to be a problem with the internal network. Thank you anyway for the support :)
