Hello! In this post I will show you how to enable HTTPS on Vault so that the API, web UI, CLI and so on all talk to it over a secure connection.
The process is very simple, and all you need is a certificate and a key.
To do this we first create a certificate, self-signed in our case. I use a .conf file to generate it: it keeps things standardized and saves me retyping the details every time I need a new one.
certificate.conf (https://github.com/faustobranco/devops-db/blob/master/vault/certificate.conf)
[req]
distinguished_name = vault-devops-db
x509_extensions = v3_req
prompt = no
[vault-devops-db]
C = PT
ST = Porto
L = Porto
O = Devops-DB
CN = vault.devops-db.info
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = *
DNS.2 = *.*
DNS.3 = *.devops-db.info
DNS.4 = devops-db.info
DNS.5 = *.devops-db.internal
DNS.6 = devops-db.internal
DNS.7 = 172.21.5.157
IP.1 = 127.0.0.1
IP.2 = 172.21.5.157
With the settings ready, we generate the certificate and key and copy them to two different places:
- The Vault certificates folder: /opt/vault/tls/
- The OS certificates folder: /etc/ssl/certs/
Of course, change the DNS names, IPs and so on to match your environment.
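Before running the openssl command, a quick lint of the req config catches the things a client will later reject or quietly ignore. This is an added example, not code from the post: it uses only the Python standard library, assumes the same [req] / distinguished_name / x509_extensions / @alt_names layout as certificate.conf above, and SAMPLE_CONF is a constructed, trimmed copy of that file.

```python
# Added example: lint an OpenSSL "req" config before generating the cert. SAMPLE_CONF below is constructed.
import configparser
import ipaddress
SAMPLE_CONF = """[req]
distinguished_name = vault-devops-db
x509_extensions = v3_req
[vault-devops-db]
CN = vault.devops-db.info
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = *
DNS.2 = *.*
DNS.3 = *.devops-db.info
DNS.4 = 172.21.5.157
"""

def is_ip(value):  # True for an IPv4/IPv6 literal
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def san_covers(pattern, host):  # does a DNS SAN entry (optionally *.suffix) match host?
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def lint_req_conf(text):  # returns a list of findings; an empty list means clean
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DNS.1 / IP.1 / CN exactly as written
    cp.read_string(text)
    req = cp["req"]
    cn = cp[req["distinguished_name"]].get("CN")
    ext = cp[req["x509_extensions"]] if "x509_extensions" in req else {}
    san = ext.get("subjectAltName", "")
    alt = cp[san[1:]] if san.startswith("@") else {}
    dns_names = [v for k, v in alt.items() if k.startswith("DNS.")]
    findings = []
    if ext.get("basicConstraints", "").upper().startswith("CA:TRUE"):
        findings.append("basicConstraints CA:TRUE on a server certificate; use CA:FALSE")
    for name in dns_names:
        if set(name) <= {"*", "."}:  # bare '*' or '*.*' matches any host name
            findings.append(f"SAN DNS entry {name!r} matches any host; list real names only")
        elif is_ip(name):
            findings.append(f"SAN DNS entry {name!r} is an IP; clients match IPs via IP.n entries")
    if cn and not any(san_covers(p, cn) for p in dns_names):
        findings.append(f"CN {cn!r} is not covered by subjectAltName; clients ignore CN")
    return findings
```

Against the post's own certificate.conf it reports four findings (the bare `*` and `*.*` SANs, CA:TRUE, and the IP placed in a DNS entry); the generated cert still works as shown because the real names and IP.n entries are present too. Since the same file is later dropped into /etc/ssl/certs, where clients reading that directory treat it as a trust anchor, CA:TRUE is the one worth fixing even in a lab.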
openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout vault_key.key -out vault_cert.crt -config certificate.conf -days 9999
cp vault_cert.crt /opt/vault/tls/vault_cert.crt
cp vault_key.key /opt/vault/tls/vault_key.key
chown vault:vault /opt/vault/tls/vault_cert.crt
chown vault:vault /opt/vault/tls/vault_key.key
cp /opt/vault/tls/vault_cert.crt /etc/ssl/certs/vault_cert.crt
Now let's change the Vault configuration file so that it reads the certificate and key and serves HTTPS:
vi /etc/vault.d/vault.hcl
# HTTP listener
#listener "tcp" {
#  address = "0.0.0.0:8200"
#  tls_disable = 1
#}
# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/opt/vault/tls/vault_cert.crt"
  tls_key_file  = "/opt/vault/tls/vault_key.key"
}
That’s it, restart the Vault service:
systemctl restart vault.service
systemctl status vault.service
vault.service - "HashiCorp Vault"
Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2025-02-06 08:57:51 UTC; 2s ago
Now don't forget to update the VAULT_ADDR environment variable (including in your ~/.bashrc):
export VAULT_ADDR="https://127.0.0.1:8200"
Unseal Vault (restarting the service sealed it) and do a test login:
vault login -method=ldap username=fbranco
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESINHC914xpz0jiyQ6SkvYXx8cacf4Dkw4NatjR3zJbqHuGh4KHGh2cy5zRkFlWnhqMGFRc2UyQ2QySkwxNkhMeUo
token_accessor pKAVq6Sy5QyVag6vVGQ8nLdi
token_duration 768h
token_renewable true
token_policies ["default" "jenkins" "vault-admin"]
identity_policies []
policies ["default" "jenkins" "vault-admin"]
token_meta_username fbranco
In our lab the URL is now: https://vault.devops-db.internal:8200/