Introduction
When opening Vault's UI over HTTPS, you may have noticed a dialog box prompting you to "Select a certificate to authenticate yourself". The browser shows this prompt because Vault's TCP listener, by default, asks the client for a certificate during the TLS handshake.
If this behavior is undesired or not applicable for your particular use case, keep reading to learn how to prevent it.
Procedure
Fixing this is as simple as a small change to your TCP listener's config stanza. The TCP listener has a parameter called tls_disable_client_certs which toggles this behavior. By default its value is false, and Vault will request client certificates from connecting clients when available.
To disable this behavior, simply update the TCP listener stanza in your Vault configuration file to include the following line.
tls_disable_client_certs = "true"
Below is an example of how this would look in a Vault configuration file.
...
listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_cert_file            = "/opt/vault/tls/vault-cert.crt"
  tls_key_file             = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file       = "/opt/vault/tls/vault-ca.crt"
  tls_disable_client_certs = "true"
}
...
After you make the change to the configuration file, don't forget to restart the Vault service to ensure that the change takes effect.
NOTE: Setting tls_disable_client_certs = "true" will prevent users from authenticating through the TLS Certificates Auth Method on that listener.
NOTE: The tls_disable_client_certs and tls_require_and_verify_client_cert fields in the listener stanza of the Vault server configuration are mutually exclusive. Ensure they are not both set to true. With the default settings (both false), Vault requests a client certificate but does not require one; TLS client verification remains optional and is not enforced.
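As an added check (not part of this article or of Vault itself), the following Python script reads the listener "tcp" stanzas from a Vault configuration file and flags the two caveats above: tls_disable_client_certs disabling the TLS Certificates Auth Method, and the mutually exclusive combination with tls_require_and_verify_client_cert. It is a hypothetical helper that uses a simple regex reader rather than a full HCL parser, so it only understands the flat key = value form shown in the example stanza.

```python
"""Lint Vault listener "tcp" stanzas for client-certificate settings.

Hypothetical helper, not part of Vault. Regex-based, handles flat key = value
lines only (quoted "true" and bare true are both accepted, as Vault does).
"""
import re

# One match per listener "tcp" { ... } block; no nested braces are expected.
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{([^}]*)\}', re.DOTALL)
# key = value lines; the value may be quoted or bare.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)


def parse_tcp_listeners(config_text):
    """Return one dict (key -> raw value) per listener "tcp" stanza."""
    return [dict(ASSIGN_RE.findall(body)) for body in LISTENER_RE.findall(config_text)]


def is_true(value):
    return str(value).strip().lower() == "true"


def lint_listener(stanza):
    """Return the findings for a single listener stanza."""
    findings = []
    disable = is_true(stanza.get("tls_disable_client_certs", "false"))
    require = is_true(stanza.get("tls_require_and_verify_client_cert", "false"))
    if disable and require:
        findings.append("error: tls_disable_client_certs and "
                        "tls_require_and_verify_client_cert are both true (mutually exclusive)")
    if disable:
        findings.append("warning: tls_disable_client_certs is true; the TLS Certificates "
                        "auth method cannot be used on this listener")
    if not disable and not require:
        findings.append("info: default settings; clients are prompted for a certificate "
                        "but verification is not enforced")
    return findings


def lint_config(config_text):
    """Lint every listener "tcp" stanza found in the configuration text."""
    return [f for stanza in parse_tcp_listeners(config_text) for f in lint_listener(stanza)]


# Constructed sample mirroring the stanza shown in the article.
SAMPLE_CONFIG = '''
listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_cert_file            = "/opt/vault/tls/vault-cert.crt"
  tls_key_file             = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file       = "/opt/vault/tls/vault-ca.crt"
  tls_disable_client_certs = "true"
}
'''

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against your own file with `lint_config(open("/etc/vault.d/vault.hcl").read())` (path assumed) before restarting the service.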