Introduction
Problem
When managing Vault version 1.13.0 through the web UI, actions are blocked by the following error message:
Q.randomUUID is not a function
Prerequisites
- Vault version 1.13.0, all editions: OSS, +ent, +ent.hsm, +ent.fips1402 and +ent.hsm.fips1402
Cause
- The browser's Web Crypto function crypto.randomUUID() is only available in a secure context (see the MDN documentation for the Crypto interface). A page served over plain HTTP from a host other than localhost or 127.0.0.1 is not a secure context, so the function does not exist there.
- If Vault is configured without TLS (plain HTTP), the 1.13.0 UI calls crypto.randomUUID() directly instead of the uuidv4() function from the uuid package, which works in any context; the call fails with the error above.
- The issue is known to our development teams, and a fix that allows the UI to be used over plain HTTP is planned for a future release.
Overview of possible solution
Solution - Set up the Vault listener stanza to use TLS
Configure the Vault TCP listener stanza for TLS as described in the Vault listener configuration documentation.
To generate a self-signed certificate you can use an OpenSSL configuration file that adds the Subject Alternative Name (SAN) extension listing the DNS name(s) and/or IP address(es) clients use to reach the server. Modern browsers and the Vault CLI match the host against the SAN entries only and ignore the commonName, so a certificate without a matching SAN is rejected even though TLS is enabled.
Warning! The configuration and commands below are an illustrative example and are not intended for production use.
Subject Alternative Name extension is an extension of the X.509 specification described in RFC 5280, section 4.2.1.6 as follows:
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).
To generate a self-signed certificate with the SAN extension using OpenSSL, first create a configuration file, myopenssl.cnf.
The [alt_names] section at the end lists the IP addresses and DNS names; add as many IP.n and DNS.n entries as required. The example below has two IP addresses (the loopback address plus one additional IP) and two DNS names.
# myopenssl.cnf - settings for a self-signed Vault server certificate
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
# req_extensions applies when creating a CSR; x509_extensions applies with -x509
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# Placeholder values; replace with your own. The commonName is informational only,
# clients validate the host against the SAN entries below.
countryName = YY
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = 127.0.0.1: Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
# Every IP address and DNS name used to reach Vault must be listed here.
IP.1 = 127.0.0.1
IP.2 = 171.33.23.103
DNS.1 = ip-171-33-23-103
DNS.2 = myhost.local.net
Save this configuration as myopenssl.cnf and pass it to OpenSSL:
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -config myopenssl.cnf
This creates the certificate cert.pem together with its private key key.pem (unencrypted, because of -nodes; keep the key file readable by the Vault process only). Inspect the certificate and confirm that the X509v3 Subject Alternative Name section lists your IPs and DNS names:
# openssl x509 -in cert.pem -text -noout
Use the following listener stanza as an example; replace the placeholder paths with the location of your certificate and key files:
# HTTPS listener
listener "tcp" {
# Bind to a name or IP that is listed in the certificate's SAN entries
address = "myhost.local.net:8200"
tls_cert_file = "<path_to_your_certfile>/cert.pem"
tls_key_file = "<path_to_your_certfile>/key.pem"
}
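The whole procedure as one script, added here as an illustrative example and not code from the Vault documentation: it writes an OpenSSL configuration with SAN entries for a given hostname and IP, generates the key and certificate with restrictive file permissions, checks that the SAN entries are actually present and that the private key belongs to the certificate, and prints the matching listener stanza. The hostname vault.example.internal, the address 10.0.0.5 and the output directory are placeholders, and tls_min_version is an additional listener parameter not used in the stanza above.

```shell
#!/bin/sh
# Added example, not code from the Vault article: generate a self-signed
# server certificate with SAN entries for a Vault TLS listener, verify it,
# and print the listener stanza. Hostnames, IPs and paths are placeholders.
set -eu

# gen_vault_cert OUTDIR HOSTNAME IP [DAYS]
# Writes OUTDIR/openssl.cnf, OUTDIR/key.pem (mode 0600) and OUTDIR/cert.pem.
gen_vault_cert() {
    g_out=$1; g_host=$2; g_ip=$3; g_days=${4:-365}
    mkdir -p "$g_out"
    (
        umask 077                    # key and config are created unreadable by others
        cat > "$g_out/openssl.cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
commonName = $g_host

[v3_req]
# Clients match the host against these names, not against the commonName.
subjectAltName = @alt_names
# Mark it as a server certificate rather than a CA.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = $g_host
IP.1 = $g_ip
IP.2 = 127.0.0.1
EOF
        openssl req -x509 -nodes -sha256 -days "$g_days" -newkey rsa:2048 \
            -keyout "$g_out/key.pem" -out "$g_out/cert.pem" \
            -config "$g_out/openssl.cnf"
    )
    chmod 0644 "$g_out/cert.pem"     # the certificate is public; only the key is secret
}

# cert_has_san CERT NEEDLE
# Succeeds if NEEDLE ("DNS:name" or "IP Address:a.b.c.d") is listed in the
# certificate's Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qF -- "$2"
}

# cert_matches_key CERT KEY
# Succeeds if the certificate carries the public half of KEY; Vault fails to
# start when tls_cert_file and tls_key_file do not belong together.
cert_matches_key() {
    c_pub=$(openssl x509 -in "$1" -noout -pubkey)
    k_pub=$(openssl pkey -in "$2" -pubout)
    [ "$c_pub" = "$k_pub" ]
}

# print_listener CERT KEY HOSTNAME -> listener stanza for the Vault config file.
print_listener() {
    cat <<EOF
listener "tcp" {
  address         = "$3:8200"
  tls_cert_file   = "$1"
  tls_key_file    = "$2"
  tls_min_version = "tls12"
}
EOF
}

main() {
    if [ $# -lt 2 ]; then
        echo "usage: $0 HOSTNAME IP [OUTDIR]" >&2
        return 0
    fi
    m_host=$1; m_ip=$2; m_out=${3:-./vault-tls}
    gen_vault_cert "$m_out" "$m_host" "$m_ip"
    cert_has_san "$m_out/cert.pem" "DNS:$m_host"      || { echo "SAN DNS:$m_host missing" >&2; return 1; }
    cert_has_san "$m_out/cert.pem" "IP Address:$m_ip" || { echo "SAN IP:$m_ip missing" >&2; return 1; }
    cert_matches_key "$m_out/cert.pem" "$m_out/key.pem" || { echo "cert/key mismatch" >&2; return 1; }
    openssl x509 -in "$m_out/cert.pem" -noout -subject -dates
    print_listener "$m_out/cert.pem" "$m_out/key.pem" "$m_host"
}

main "$@"
```

Run it as sh gen-vault-cert.sh vault.example.internal 10.0.0.5 /etc/vault.d/tls and paste the printed stanza into the Vault configuration. The SAN check is the one that matters for the UI: a certificate whose SAN does not contain the exact name or IP in the browser's address bar is rejected by the browser, and the UI stays unreachable even though the listener is serving TLS.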
Outcome
With TLS enabled on the listener, the Vault server can be managed through the UI again, reached at https://myhost.local.net:8200/ui. Because the certificate is self-signed, the browser warns until cert.pem is trusted, and CLI clients need the certificate as well (for example VAULT_ADDR=https://myhost.local.net:8200 together with VAULT_CACERT=<path_to_your_certfile>/cert.pem).