Introduction
When vault status is run with a CA certificate specified through VAULT_CACERT, Vault returns:
$ VAULT_CACERT=<path_to_certificate>/ca_certificate.crt vault status
failed to read environment: Error loading CA File: Couldn't parse PEM in:
<path_to_certificate>/ca_certificate.crt
The error can also surface in other areas of the product, for example when using Vault authentication methods or Vault secrets engines.
In those cases the error message may differ, because the plugins behind those authentication methods and secrets engines report their own errors.
The Cloud Foundry plugin, for example, returns the following message instead:
couldn't append root certificate
Cause
When specifying a Certificate Authority (CA) certificate for use within Vault, it is important to ensure that the certificate is a PEM-encoded X.509 certificate.
Normally a Certificate Authority (CA) certificate has the following format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The above is the expected format.
However, in some cases the Certificate Authority (CA) certificate has the following format instead:
-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----
Certificates that begin with -----BEGIN TRUSTED CERTIFICATE----- are in OpenSSL's trusted certificate format: in addition to the certificate itself they carry OpenSSL-specific trust data, the trusted uses and rejected uses, appended after the certificate's DER encoding (they are not X.509 extensions inside the certificate). openssl x509 prints them at the end of its text output.
For example:
openssl x509 -in ca_certificate.crt -text -noout | grep -A1 -i use
Trusted Uses:
Any Extended Key Usage
No Rejected Uses.
or:
openssl x509 -in ca_certificate.crt -text -noout | grep -i use
0 Trusted Uses
0 No Rejected Uses
Overview of possible solutions (if applicable)
Solutions:
Go's crypto/x509 package, on which Vault relies, does not support the trusted uses and rejected uses: its certificate-pool loader only accepts PEM blocks labelled CERTIFICATE, so a TRUSTED CERTIFICATE block is skipped and the file is reported as unparseable. Vault therefore does not support them either.
OpenSSL can be used to remove the trusted uses and rejected uses from the certificate, producing a plain CERTIFICATE block, as follows:
- openssl x509 -in ca_certificate.crt -clrtrust -out ca_no_trust.crt
- openssl x509 -in ca_certificate.crt -clrreject -out ca_no_reject.crt
- or both in one step: openssl x509 -in ca_certificate.crt -clrtrust -clrreject -out ca_plain.crt
Before pointing VAULT_CACERT at the result, confirm that the output file now begins with -----BEGIN CERTIFICATE----- rather than -----BEGIN TRUSTED CERTIFICATE-----, for example with head -1 ca_plain.crt.
The relevant openssl x509 options are:
- -clrtrust
Clears all the permitted or trusted uses of the certificate.
- -addtrust arg
Adds a trusted certificate use. Any object name can be used here but currently only clientAuth, serverAuth, emailProtection, and anyExtendedKeyUsage are defined. As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or enables all purposes when trusted. Other OpenSSL applications may define additional uses.
- -clrreject
Clears all the prohibited or rejected uses of the certificate.
- -addreject arg
Adds a prohibited trust anchor purpose. It accepts the same values as the -addtrust option.
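The following Go program is an added example; it is not part of this article and is not Vault's or OpenSSL's own code. It reproduces the failure and the fix end to end in Vault's own language: it generates a throwaway CA in-process (constructed test data), wraps it in OpenSSL's trusted certificate container the way openssl x509 -trustout -addtrust/-addreject would, shows that Go's x509.CertPool.AppendCertsFromPEM (the standard-library call Vault's CA loading relies on) refuses that form, then strips the trust data as -clrtrust -clrreject does and shows the plain block loading. Two things are assumptions of this example rather than facts stated on this page: the CertAux layout is taken from OpenSSL's x_x509a.c, and the use-name-to-OID table is the set of names the -addtrust option documents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertAux mirrors OpenSSL's X509_CERT_AUX (x_x509a.c), the trust data openssl appends
// after the certificate DER inside a "TRUSTED CERTIFICATE" block; "other" is ignored.
type CertAux struct {
	Trust  []asn1.ObjectIdentifier `asn1:"optional"`
	Reject []asn1.ObjectIdentifier `asn1:"optional,tag:0"`
	Alias  string                  `asn1:"optional,utf8"`
	KeyID  []byte                  `asn1:"optional"`
}

// Use names accepted by openssl x509 -addtrust / -addreject, with their OIDs.
var useOIDs = map[string]asn1.ObjectIdentifier{
	"anyExtendedKeyUsage": {2, 5, 29, 37, 0},
	"serverAuth":          {1, 3, 6, 1, 5, 5, 7, 3, 1},
	"clientAuth":          {1, 3, 6, 1, 5, 5, 7, 3, 2},
	"emailProtection":     {1, 3, 6, 1, 5, 5, 7, 3, 4},
}

// StripTrustAux rewrites a "TRUSTED CERTIFICATE" PEM block as the plain "CERTIFICATE" block
// Go's crypto/x509 (and so Vault) accepts, as openssl x509 -clrtrust -clrreject does.
func StripTrustAux(in []byte) (plain []byte, aux *CertAux, err error) {
	block, _ := pem.Decode(in)
	if block == nil || block.Type != "TRUSTED CERTIFICATE" {
		return nil, nil, fmt.Errorf("input is not a TRUSTED CERTIFICATE PEM block")
	}
	// Body = Certificate SEQUENCE followed by CertAux SEQUENCE; one RawValue Unmarshal splits them.
	var cert asn1.RawValue
	rest, err := asn1.Unmarshal(block.Bytes, &cert)
	if err != nil {
		return nil, nil, fmt.Errorf("certificate: %w", err)
	}
	if _, err = x509.ParseCertificate(cert.FullBytes); err != nil {
		return nil, nil, fmt.Errorf("certificate: %w", err)
	}
	aux = &CertAux{}
	if len(rest) > 0 {
		if _, err = asn1.Unmarshal(rest, aux); err != nil {
			return nil, nil, fmt.Errorf("trust data: %w", err)
		}
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.FullBytes}), aux, nil
}

// Demo builds a throwaway self-signed CA (constructed data, not a real CA), wraps it
// the way openssl x509 -trustout -addtrust/-addreject does, and reports whether
// x509.CertPool.AppendCertsFromPEM accepts the trusted form and the stripped form.
func Demo(trust, reject []string) (trustedLoads, plainLoads bool, aux *CertAux, err error) {
	var in CertAux // an unknown use name yields a nil OID, which asn1.Marshal rejects
	for _, n := range trust {
		in.Trust = append(in.Trust, useOIDs[n])
	}
	for _, n := range reject {
		in.Reject = append(in.Reject, useOIDs[n])
	}
	auxDER, err := asn1.Marshal(in)
	if err != nil {
		return
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return
	}
	trusted := pem.EncodeToMemory(&pem.Block{Type: "TRUSTED CERTIFICATE", Bytes: append(der, auxDER...)})
	trustedLoads = x509.NewCertPool().AppendCertsFromPEM(trusted) // false: block type is not CERTIFICATE
	plain, aux, err := StripTrustAux(trusted)
	if err != nil {
		return
	}
	plainLoads = x509.NewCertPool().AppendCertsFromPEM(plain) // true: plain CERTIFICATE block
	return
}

func main() {
	trustedLoads, plainLoads, aux, err := Demo([]string{"anyExtendedKeyUsage"}, nil)
	fmt.Printf("trusted form loads: %v, stripped form loads: %v, aux: %+v, err: %v\n",
		trustedLoads, plainLoads, aux, err)
}
```

Run it with go run. StripTrustAux is the only part worth reusing; the Alias and KeyID fields are kept so that files written with -setalias (or by tools that label trust anchors) still parse, and the x509.ParseCertificate call confirms that the first SEQUENCE really is a certificate before it is re-labelled.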
Outcome
After the trusted uses and rejected uses have been removed, Vault can parse and use the Certificate Authority (CA) certificate.