When you configure a Vault storage backend for TLS and supply the parameter that specifies a Certificate Authority (CA) certificate for validation, make sure the certificate is in X.509 PEM encoded format.
Here is an example scenario where the certificate is provided in the incorrect format when configuring the Vault LDAP auth backend.
First, configure the backend:
$ vault write auth/ldap/config \
url="ldaps://ldaps.taco.example.com" \
userattr="samAccountName" \
userdn="OU=_USERS,OU=EXAMPLE_USERS,DC=TACO,DC=example,DC=com" \
groupdn="OU=_GROUPS,OU=EXAMPLE_WIDGETS*,DC=TACO,DC=example,DC=com" \
upndomain="TACO.example.com" \
insecure_tls=false \
starttls=true \
certificate=@ldaps_taco_example_com.crt
The certificate file provided, ldaps_taco_example_com.crt, is actually DER formatted, so when we attempt to use it we encounter an error from Vault:
$ vault auth -method=ldap username=macy
Password (will be hidden):
Error making API request.
URL: PUT https://vault.taco.example.com:8200/v1/auth/ldap/login/macy
Code: 400. Errors:
* 1 error occurred:
* error connecting to host "ldaps://ldaps.taco.example.com": could not append CA certificate
One way to verify the issue is to examine the backend configuration. If the certificate is properly formatted, its contents appear as the value of certificate when we read the backend configuration, like this:
$ vault read auth/ldap/config
Key Value
--- -----
binddn
bindpass
certificate -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
deny_null_bind true
discoverdn false
groupattr cn
groupdn OU=_GROUPS,OU=EXAMPLE_WIDGETS*,DC=TACO,DC=example,DC=com
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls false
starttls true
tls_max_version tls12
tls_min_version tls12
upndomain TACO.example.com
url ldaps://ldaps.taco.example.com
userattr samaccountname
userdn OU=_USERS,OU=EXAMPLE_USERS,DC=TACO,DC=example,DC=com
As you can observe in the example output, our certificate is present as the value of the certificate parameter. If you use an improperly formatted certificate, the value of certificate will be empty when you read the backend configuration, as in this example:
$ vault read auth/ldap/config
Key Value
--- -----
binddn
bindpass
certificate
deny_null_bind true
discoverdn false
groupattr cn
groupdn OU=_GROUPS,OU=EXAMPLE_WIDGETS*,DC=TACO,DC=example,DC=com
groupfilter (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls false
starttls true
tls_max_version tls12
tls_min_version tls12
upndomain TACO.example.com
url ldaps://ldaps.taco.example.com
userattr samaccountname
userdn OU=_USERS,OU=EXAMPLE_USERS,DC=TACO,DC=example,DC=com
If you encounter a could not append CA certificate style error when authenticating with a TLS configured backend, the first troubleshooting step is to read the backend configuration and confirm that the certificate value is present and not empty.
If the certificate is improperly formatted, it can either be exported again in the proper format, or converted with the openssl utility. For example, here is the command line for converting a DER formatted certificate into PEM format:
$ openssl x509 \
-inform der \
-in ldaps_taco_example_com.crt \
-out ldaps_taco_example_com.pem
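The two steps above (confirm the value Vault stored is a PEM certificate, and convert a DER file if it is not) can be checked before the file is ever written to Vault. The following is an added example, not code from this article or from Vault: a small standard-library Python script that reports whether a certificate file is PEM, DER, or neither, counts the CERTIFICATE blocks a PEM parser would find (zero is what produces the could not append CA certificate error, since Vault hands the value to a PEM-only certificate pool), and performs the same DER-to-PEM conversion as the openssl command. The sample DER bytes embedded in it are a constructed minimal ASN.1 SEQUENCE, not a real certificate, and the file path in the usage call is hypothetical.

```python
import base64
import re
import sys

# Matches each PEM CERTIFICATE block; this is what a PEM-based CA pool looks for.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_declared_length(data):
    """Total length claimed by an outer DER SEQUENCE header, or None if the
    bytes do not start with a SEQUENCE tag. X.509 certificates are SEQUENCEs."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def pem_block_count(data):
    """Number of CERTIFICATE blocks a PEM parser would extract (0 means the
    value would be rejected as a CA certificate)."""
    return len(PEM_CERT_RE.findall(data))


def detect_format(data):
    """Classify raw file bytes as 'pem', 'der' or 'unknown'."""
    if pem_block_count(data) > 0:
        return "pem"
    if der_declared_length(data) == len(data):
        return "der"
    return "unknown"


def der_to_pem(der):
    """Equivalent of: openssl x509 -inform der -in cert.crt -out cert.pem
    (base64 body wrapped at 64 columns between CERTIFICATE markers)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def ensure_pem(data):
    """Return PEM text suitable for the certificate= parameter, converting
    DER input; raise if the bytes are neither format."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data.decode("ascii", errors="replace")
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("not a PEM or DER certificate; re-export it from the CA")


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }. It exercises the
# format detection and conversion but is NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


if __name__ == "__main__":
    # Hypothetical usage: python check_cert.py ldaps_taco_example_com.crt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_DER
    print("detected format:", detect_format(raw))
    print("PEM certificate blocks:", pem_block_count(raw))
    print(ensure_pem(raw), end="")
```

Running the script on the original .crt before the vault write would have reported "der" and zero PEM blocks, which is exactly the condition that leaves the certificate value empty in vault read auth/ldap/config.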