Introduction
When opening Vault's UI over HTTPS, you may have noticed a browser dialog prompting you to "Select a certificate to authenticate yourself". The prompt appears because Vault's default TCP listener requests a client certificate during the TLS handshake, and the browser asks which certificate to present.
If this behavior is undesired or not applicable to your use case, keep reading to learn how to prevent it.
Procedure
Fixing this requires only a small change to your TCP listener's config stanza. For the TCP listener, Vault includes a parameter called tls_disable_client_certs that toggles this functionality. By default, the value of this parameter is true and Vault will request client certificates when available.
To disable this behavior, update the TCP listener stanza in your Vault configuration file to include the following line.
tls_disable_client_certs = "true"
Below is an example of how this would look in a Vault configuration file.
...
listener "tcp" {
  address                  = "0.0.0.0:8200"
  tls_cert_file            = "/opt/vault/tls/vault-cert.crt"
  tls_key_file             = "/opt/vault/tls/vault-key.key"
  tls_client_ca_file       = "/opt/vault/tls/vault-ca.crt"
  tls_disable_client_certs = "true"
}
...
After you make the change to the configuration file, restart the Vault service so that the new listener setting takes effect.
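To confirm the restart worked, you can check from the command line whether the listener still sends a TLS certificate request. The script below is an added example, not part of this article or of Vault; the host:port is a placeholder, and the check is only conclusive when tls_client_ca_file is configured (as in the stanza above), because OpenSSL prints the same "No client certificate CA names sent" line for an empty CA list as for no request at all.

```shell
#!/bin/sh
# Added example (not from the original article). Detects whether a Vault TCP
# listener still requests a client certificate during the TLS handshake,
# which is what triggers the browser's "Select a certificate" prompt.

# Reads the text output of `openssl s_client` on stdin.
# Returns 0 if the server sent a CertificateRequest listing acceptable CA
# names, 1 otherwise. Assumes tls_client_ca_file is set on the listener, so a
# request always carries at least one CA name.
requests_client_cert() {
  if grep -q '^Acceptable client certificate CA names' ; then
    return 0
  fi
  return 1
}

# Runs a real handshake against HOST:PORT and reports the result.
# Exit status: 0 = client certs still requested, 1 = not requested.
check_listener() {
  hostport="$1"
  host="${hostport%%:*}"
  if openssl s_client -connect "$hostport" -servername "$host" \
       </dev/null 2>/dev/null | requests_client_cert ; then
    echo "$hostport: listener still requests client certificates"
    return 0
  fi
  echo "$hostport: listener does not request client certificates"
  return 1
}

# Usage: ./check_vault_client_certs.sh vault.example.internal:8200
# (placeholder host; nothing runs unless an argument is given)
if [ -n "$1" ]; then
  check_listener "$1"
fi
```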