Issue:
With TLS enabled, a frequent issue experienced by customers is creating a certificate that covers both the public-facing domain name used to access Vault and the vault-internal DNS names the Vault nodes use to communicate with each other.
The most common errors observed are similar to:
- x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs.
- core: join attempt failed: error="error during raft bootstrap init call: Put \"https://vault-xx.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": x509: certificate is valid for vault-xxx.xxx.xx.com, xx-xxx-xx.vault-xx.xxx.xx.xxx, xx-xx-xx.vault-ent.xxx, xxx.xxx.xxx, not vault-xx.vault-internal
Resolution:
There are multiple ways to solve this problem:
- If possible, add the Vault internal DNS name as a SAN in the certificate and set leader_tls_servername in the retry_join stanza so that the join request verifies against that name.
- Create separate sets of public and private certificates and two listener stanzas. The first listener stanza configures public-facing communication with the TLS certificate issued by the public CA. The second listener stanza is used for internal communication on a different port; certificates signed by the internal CA should be provided here so that nodes trust each other. Ensure this internal address is the one set in the api_addr field so that node-to-node communication uses it.
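The two-listener layout described above, written out as an added example of a Vault server configuration (this is illustrative, not configuration from the original article). The hostnames vault-0.vault-internal and vault-1.vault-internal, the internal port 8300, and all file paths are assumed placeholders; leader_tls_servername from the first option is included in the retry_join stanza.

```hcl
# Added example: one node of a Raft cluster with a public listener and an
# internal listener, each serving a certificate from a different CA.
# Hostnames, ports and paths below are placeholders, not values from the article.

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-0"

  # Join over the internal DNS name. leader_tls_servername must match a SAN in
  # the leader's internal certificate; a mismatch produces the
  # "x509: certificate is valid for ..., not vault-xx.vault-internal" error.
  retry_join {
    leader_api_addr       = "https://vault-1.vault-internal:8300"
    leader_tls_servername = "vault-1.vault-internal"
    leader_ca_cert_file   = "/opt/vault/tls/internal-ca.pem"
  }
}

# Listener 1: public-facing API on 8200, certificate issued by the public CA.
# Its SANs only need to cover the public FQDN clients connect to.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/public.crt"
  tls_key_file  = "/opt/vault/tls/public.key"
}

# Listener 2: node-to-node traffic on a separate port, certificate signed by
# the internal CA with the vault-internal name as a SAN.
listener "tcp" {
  address         = "0.0.0.0:8300"
  cluster_address = "0.0.0.0:8301"
  tls_cert_file   = "/opt/vault/tls/internal.crt"
  tls_key_file    = "/opt/vault/tls/internal.key"
}

# Advertise the internal listener so other nodes forward requests and
# replicate over the internally trusted certificate, not the public one.
api_addr     = "https://vault-0.vault-internal:8300"
cluster_addr = "https://vault-0.vault-internal:8301"
```

Before starting Vault, confirm that the internal certificate actually carries the vault-internal name as a SAN; the public certificate does not need it.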