node-vault
node-vault copied to clipboard
nodevault
Specify trusted root/intermediate CA cert for SSL/TSL communication
Hi All,
Is there any way to specify the which RooT/Trusted intermediate CA certificate to use in communication to Vault API endpoint ?
PS: Looking at the code I used VAULT_SKIP_VERIFY=true to avoid checking just for development/testing purposes but in production I need to verify the Vault endpoint is trusted one.
Regards, Constantin
Are the VAULT_CACERT and VAULT_CAPATH environment variables supported ?
Hi @Constantin07, are you by chance the same Constantine who was facing a similar issue with the other node Vault driver back in March?
https://gitter.im/chiefy/vaulted/archives/2017/03/08
If so, then I am starting to worry that we have the only two Node apps on earth trying to connect with Vault using CA cert verification!
Have you found any solutions or workarounds yet? I'm to point of eschewing "drivers", and just using low-level REST calls to Vault's HTTP API directly.
Hi @steve-perkins, unfortunately I'm another Constantin :-)
For testing purposes I tried to use a self signed cert by placing it in the same directory with Node JS code but I get:
{ RequestError: Error: self signed certificate in certificate chain
at new RequestError (/opt/node_modules/request-promise/lib/errors.js:11:15)
at Request.RP$callback [as _callback] (/opt/node_modules/request-promise/lib/rp.js:60:32)
at self.callback (/opt/node_modules/request/request.js:186:22)
at emitOne (events.js:96:13)
at Request.emit (events.js:188:7)
at Request.onRequestError (/opt/node_modules/request/request.js:878:8)
at emitOne (events.js:96:13)
at ClientRequest.emit (events.js:188:7)
at TLSSocket.socketErrorListener (_http_client.js:310:9)
at emitOne (events.js:96:13)
at TLSSocket.emit (events.js:188:7)
at emitErrorNT (net.js:1277:8)
at _combinedTickCallback (internal/process/next_tick.js:80:11)
at process._tickCallback (internal/process/next_tick.js:104:9)
name: 'RequestError',
message: 'Error: self signed certificate in certificate chain',
cause:
{ Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' },
error:
{ Error: self signed certificate in certificate chain
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'SELF_SIGNED_CERT_IN_CHAIN' },
options:
{ json: true,
resolveWithFullResponse: true,
simple: false,
strictSSL: true,
followAllRedirects: true,
path: '/*******/*******/*******',
method: 'GET',
headers: { 'X-Vault-Token': '*************' },
uri: 'https://****.*****.***:8200/v1/******/****/*********',
callback: undefined,
transform: undefined },
response: undefined }
No workaround at the moment yet. I don't have strong Node JS experience but looking at source code it doesn't look to long.
I got this to work by passing the request options.
var options = {
apiVersion: 'v1',
endpoint: 'https://127.0.0.1',
token: '0123456789',
requestOptions: {
ca: fs.readFileSync('/etc/ssl/certs/cabundlefile.crt'),
}
};
var vault = require("node-vault")(options);
@alexraddas do you know what the accepted encoding formats for that option are?
@alexraddas do you know what the accepted encoding formats for that option are?
Since node-vault is based on the request-promise module, it would be dependent on which formats are supported by request-promise. For my specific use case its x509 PEM. You can always convert your CA bundle to another format using openssl. https://www.sslshopper.com/article-most-common-openssl-commands.html.
Request-promise will be changed soon in favor of another (see #150) I will have this in mind for when we will select the correct solution.
Closing the issue for now
