
OS allowed CAs are not working with Hashicorp Vault TLS

Open ggarri opened this issue 3 years ago • 2 comments

Describe the bug

In cases where QKM is connected to a Hashicorp Vault using TLS + self-signed certificates, it fails with an invalid authority error even if the CA has been added to /etc/ssl/certs.

Steps to reproduce

  • Enable Hashicorp Vault TLS using a self-signed certificate
  • Load the CA.cert used to sign the server certificate into the container where QKM is running
  • Create a SecretStore using the Hashicorp Vault defined in step 1
  • Send create secret request

Actual result

  • Error response with Failed Dependency (looking at the logs you will find "invalid authority" error)

Expected result

  • It should create the key successfully

ggarri avatar Oct 06 '21 17:10 ggarri

This is a non-issue. There is no reason why certificates added in /etc/ssl/certs should be accepted by default as this is a hidden behavior even if common. The config has a field CAPath that should be used to specify /etc/ssl/certs if that is the desired folder from which to extract the valid CAs.

darioAnongba avatar Nov 10 '21 12:11 darioAnongba

I fully disagree with the idea that our clients should not load OS certs by default, since that is standard practice across every application; otherwise it would force us, as a tool, to provide enough flexibility in our flags to load certs from different folders, so that users are not restricted in what is allowed and not allowed in terms of communication.

ggarri avatar Nov 16 '21 12:11 ggarri
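Both comments above turn on how the client builds its CA pool. As an added example (not QKM's or Vault's code), this Go snippet shows why an explicit CA pool on its own never consults /etc/ssl/certs, and how a client can instead start from the OS store and append the self-signed CA; the CA certificate is constructed at runtime as test data and the hostname vault.internal is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// newSelfSignedCA is a constructed stand-in for the self-signed CA.cert above.
func newSelfSignedCA(dnsName string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // test key only
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// rootPool builds the RootCAs a Go client hands to crypto/tls. A non-nil
// RootCAs replaces the OS trust store, so an explicit CA pool alone (the
// CAPath behaviour) ignores /etc/ssl/certs; includeSystem appends to it instead.
func rootPool(extra *x509.Certificate, includeSystem bool) *x509.CertPool {
	pool := x509.NewCertPool()
	if sys, err := x509.SystemCertPool(); includeSystem && err == nil {
		pool = sys
	}
	pool.AddCert(extra)
	return pool
}

// chainsToRoot reports whether server verifies for dnsName against pool,
// i.e. whether the client would avoid the "invalid authority" error.
func chainsToRoot(server *x509.Certificate, pool *x509.CertPool, dnsName string) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}
```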