
vault-ui login does not work error as unable to verify first certificate

Open ssubramanian123 opened this issue 7 years ago • 3 comments

Hi,

I have used the chart provided in this repo to install vaultui. I configured my Vault endpoint and deployed the chart. Vaultui is up, but when I try to log in with a token it says Error: Error: unable to verify the first certificate.

Please find the screenshot below. I also don't see any log in the pod.

screen shot 2018-07-25 at 9 15 51 am

pod log

kubectl logs vaultui-vault-ui-7957b5cc56-sqfkx  -n vault -f
yarn run v1.6.0
$ node ./server.js start_app
Vault UI listening on: 8000

Can anyone help me with what I am missing?

ssubramanian123 avatar Jul 25 '18 15:07 ssubramanian123

Read docs: https://github.com/djenriquez/vault-ui#advanced-configuration-options

Nowaker avatar Aug 17 '18 18:08 Nowaker

I'm running into this exact same problem. The docs are in no way helpful in this case. The docs are terrible.

Here's my situation: I have a root certificate as a PEM file, meaning it looks something like this:

-----BEGIN CERTIFICATE-----
Eighteen
Lines
Of
Base64
Encoded
Data
...
-----END CERTIFICATE-----

But I honestly have no idea how to properly include that certificate file. The docs you linked to essentially say two things about it:

  1. ...parameters must be configured by clicking on the configuration cog... Using environment variables (via docker), an administrator can pre-configure those parameters.
  2. CUSTOM_CA_CERT Pass a self-signed certificate that the system should trust.

So my first thought is, okay, great, I'll just click on the cog. Except there are no options when you click on the cog to add a certificate. The only options there are "Vault Server URL," "Login Method," and "Auth backend path." Nothing about adding certificates.

So, okay, I guess I'll use the environment variables after all. But how? Do I call it with -e "CUSTOM_CA_CERT=/user/home/mycert.pem"? I'm guessing not, because you can't just add a file to a Docker container like that... it's isolated, so it doesn't have access to my system. So do I pass the contents of the file as a string? Something like -e "CUSTOM_CA_CERT=EighteenLinesOfBase64EncodedData..."? Long story short, neither of those works. The docs really need to specify what, specifically, we pass in as a value for CUSTOM_CA_CERT and give an example. And they should be updated to say that the certificates cannot be configured via the cog button.

With all that said, what is the proper way to get this working?

soapergem avatar Sep 27 '18 21:09 soapergem

@soapergem I just ran into this issue myself. The CUSTOM_CA_CERT option does nothing, and neither does adding my CA to the trust store. It seems the only option right now is to use NODE_TLS_REJECT_UNAUTHORIZED and set it to 0.

Unfortunately, this is quite frustrating especially when you add it to the issue that Vault-UI can't be run in TLS mode easily.

OOPMan avatar Oct 11 '18 10:10 OOPMan
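
The question in this thread is what form a CA value has to take before a Node.js HTTPS client will trust it. The sketch below is an added example, not vault-ui's code and not from any participant: it turns a file path, multi-line PEM, or PEM flattened to literal "\n" (as often happens in a `-e` or YAML value) into the `ca` list for an `https.Agent`, with verification left on. `loadCaBundle`, `vaultAgent` and `SAMPLE` are hypothetical names, and how vault-ui itself reads CUSTOM_CA_CERT is not shown on this page.

```javascript
// Added example, not vault-ui code. All function names here are hypothetical.
const fs = require('node:fs');
const https = require('node:https');

const PEM_RE = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Accepts what an operator might put in an env var: a path to a PEM file
// mounted into the container, PEM text with real newlines, or PEM text
// whose newlines were flattened to a literal backslash-n by a shell or YAML.
function loadCaBundle(value) {
  if (!value) throw new Error('no CA value supplied');
  // Anything without a PEM header is treated as a file path; bare base64
  // with the BEGIN/END lines stripped therefore fails with ENOENT.
  let text = value.includes('-----BEGIN') ? value : fs.readFileSync(value, 'utf8');
  text = text.replace(/\\n/g, '\n');
  const certs = [];
  for (const m of text.matchAll(PEM_RE)) {
    const b64 = m[1].replace(/\s+/g, '');
    const der = Buffer.from(b64, 'base64');
    // A certificate is a DER SEQUENCE (tag 0x30); reject bodies that are
    // not clean base64 or that do not start with that tag.
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64) || der[0] !== 0x30) {
      throw new Error('block ' + (certs.length + 1) + ' is not a DER certificate');
    }
    const lines = b64.match(/.{1,64}/g).join('\n');
    certs.push(`-----BEGIN CERTIFICATE-----\n${lines}\n-----END CERTIFICATE-----\n`);
  }
  if (certs.length === 0) throw new Error('no CERTIFICATE blocks found');
  return certs;
}

// Agent that trusts only the supplied CA(s) and still verifies the chain.
// Passing `ca` replaces Node's default root store for this agent.
function vaultAgent(caValue) {
  return new https.Agent({ ca: loadCaBundle(caValue), rejectUnauthorized: true });
}

// Constructed sample: DER-shaped placeholder bytes, not a real certificate,
// written the way a flattened single-line env value would look.
const SAMPLE = '-----BEGIN CERTIFICATE-----\\nMIIBszCCAVmgAwIBAgIUQ09OU1RSVUNURUQ=\\n-----END CERTIFICATE-----';
```

Node.js also reads the NODE_EXTRA_CA_CERTS environment variable (a path to a PEM file) at process start; whether that resolves the error for the vault-ui container is not confirmed on this page.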