The following error is received upon attempting to setup DR Secondary replication:
vaultdr2:> vault write sys/replication/dr/secondary/enable token="zyHibJ......
-- error --
Error writing data to sys/replication/dr/secondary/enable: Error making API request.
URL: PUT https://vaultdr2_server.com:8200/v1/sys/replication/dr/secondary/enable
Code: 500. Errors:
* 1 error occurred:
* error unwrapping secondary token: Post "https://10.10.10.110:8200/v1/sys/wrapping/unwrap": x509: certificate signed by unknown authority
Upon closer examination the certificate in use is self-signed at the above address, and the SANs contain the address we are using.
This error message is received due to unknown Certficate Authority (CA):
the CA is unrecognized by the nodes in question.
Overview of possible solutions
Specify the CA for the primary cluster's cert as a parameter in the replication api via ca_file parameter.
Additionally inspect the Subject and SANs in the cluster to make sure the URL exists for TLS handshake to complete.
Download this certificate onto the filesystem of each instance in the secondary cluster
openssl s_client -connect vaultdr2_server.com:8200 < /dev/null | openssl x509 -noout -text
- Additionally specify the following parameter:
ca_file=/etc/vault.d/ca.crtwhen enabling secondary replication.
After ensuring the above steps, secondary DR setup should now complete without error.