Introduction
Problem
The following error is received when attempting to set up DR Secondary replication:
vaultdr2:> vault write sys/replication/dr/secondary/enable token="zyHibJ......
-- error --
Error writing data to sys/replication/dr/secondary/enable: Error making API request.
URL: PUT https://vaultdr2_server.com:8200/v1/sys/replication/dr/secondary/enable
Code: 500. Errors:
* 1 error occurred:
* error unwrapping secondary token: Post "https://10.10.10.110:8200/v1/sys/wrapping/unwrap": x509: certificate signed by unknown authority
Cause
Upon closer examination, the certificate in use at the above address is self-signed, and its SANs do contain the address we are using.
The error message is received because of an unknown Certificate Authority (CA): the CA that signed the primary's certificate is not trusted by the secondary nodes in question.
Overview of possible solutions
Solutions:
- Specify the CA for the primary cluster's certificate as a parameter in the replication API via the ca_file parameter.
- Additionally, inspect the Subject and SANs of the cluster's certificate to make sure the address used for the connection is present, so that the TLS handshake can complete.
- Download this certificate onto the filesystem of each instance in the secondary cluster. The certificate details (Subject, SANs, issuer) can be displayed with, e.g.:
  openssl s_client -connect vaultdr2_server.com:8200 < /dev/null | openssl x509 -noout -text
- Additionally, specify the following parameter when enabling secondary replication:
  ca_file=/etc/vault.d/ca.crt
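The two checks above (is the dialled address in the SANs, and does trusting the primary's CA make verification pass) reproduced locally, as an added example that is not part of the original article. It constructs a self-signed stand-in for the primary's certificate with the address and hostname from the error above; the working directory and ca.crt path are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the "x509: certificate signed by unknown authority"
# failure with openssl and show what ca_file= changes. Cert and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/primary.crt"   # stands in for the cert the primary serves on :8200
CA="$WORK/ca.crt"          # stands in for /etc/vault.d/ca.crt on each secondary node

# Constructed self-signed certificate with the SANs the secondary might dial.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/primary.key" -out "$CERT" -subj "/CN=vault-primary" \
    -addext "subjectAltName=IP:10.10.10.110,DNS:vaultdr2_server.com" >/dev/null 2>&1
  cp "$CERT" "$CA"   # self-signed: the leaf certificate is its own trust anchor
}

# Does the certificate's SAN list cover the exact hostname or IP we connect to?
# Prints "yes" or "no". Usage: san_covers CERT_FILE HOST_OR_IP
san_covers() {
  if openssl x509 -in "$1" -noout -ext subjectAltName \
       | tr ',' '\n' | sed 's/^ *//' \
       | grep -Fqx -e "DNS:$2" -e "IP Address:$2"; then
    echo yes
  else
    echo no
  fi
}

# Mirrors the client-side trust decision: with no CA file only the system store is
# consulted (the self-signed cert fails); with the CA file (ca_file=...) it passes.
# Prints "trusted" or "unknown authority". Usage: verify_against CERT_FILE [CA_FILE]
verify_against() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && { echo trusted; return 0; }
  else
    openssl verify "$1" >/dev/null 2>&1 && { echo trusted; return 0; }
  fi
  echo "unknown authority"
}

make_test_cert
echo "SAN covers 10.10.10.110:   $(san_covers "$CERT" 10.10.10.110)"
echo "SAN covers other.example:  $(san_covers "$CERT" other.example)"
echo "without ca_file:           $(verify_against "$CERT")"
echo "with ca_file=$CA: $(verify_against "$CERT" "$CA")"
```

Against a real primary, the same `openssl verify -CAfile` check run on a secondary node with the downloaded ca.crt tells you whether the ca_file parameter will satisfy the unwrap call before you retry the replication enable.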
Outcome
After completing the above steps, the DR secondary setup should complete without error.