Vault 1.13.0 UI error "Q.randomUUID is not a function" when run without TLS

Avatar
Florin Țiucra-Popa
  • Updated

Introduction

Problem

While trying to use the UI capabilities for managing Vault version 1.13.0 an error is blocking the actions. The error message: Q.randomUUID is not a function appears.

 

Prerequisites

  • Vault Versions - ALL 1.13.0 - including: +ent, +ent.hsm, +ent.fips1402, +ent.hsm.fips1402

Cause

  • The usage of the crypto interface requires secure context MDN docs and should be available in secure context ONLY.
  • If Vault is configured without TLS (plain HTTP), then the UI is trying to use the crypto interface (function randomUUID) instead of the uuid package (function uuidv4()).
  • The issue is known by our development teams and we are actively working to fix this in the feature planned releases in order to allow the usage of plain HTTP.

Overview of possible solution

Solution - Setup Vault listener stanza to use TLS

Setup Vault listener stanza to use TLS as per configuration page here.

In order to generate a self-signed certificate you may use OpenSSL configuration to generate a self-signed certificate with the Subject Alternative Name (SAN) extension for your "DNS" or "IP" of the server.

Warning! This is provided as an illustrative example, and is not intended for production usage.

Subject Alternative Name extension is an extension of the X.509 specification described in RFC 5280, section 4.2.1.6 as follows:

The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).

To generate a self-signed certificate with the SAN extension using OpenSSL, we need to create a configuration myopenssl.cnf file first.
The last sections detailing alternative IP & DNS sets can be appended with additional entries as required. In the below example I have added one additional IP and 2 DNS names.

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = YY
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = 120.0.0.1: Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 171.33.23.103
DNS.1 = ip-171-33-23-103
DNS.2 = myhost.local.net

Save this config as myopenssl.cnf and pass it to OpenSSL:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -config myopenssl.cnf

This will create a certificate with a private key. Checking the certificate by executing:

# openssl x509 -in cert.pem -text -noout

Use as example the following stanza for your Vault listener as below:

# HTTPS listener
listener "tcp" {
  address = "myhost.local.net:8200"
  tls_cert_file = "<path_to_your_certfile>/cert.pem "
  tls_key_file = "<path_to_your_certfile>/key.pem"
}

Outcome

Enabling TLS in Vault configuration will allow the management of Vault server via UI.

Additional Information

Articles in this section

See more

Related articles