Example of Vault KV clientca option?

[dradtke]

I'm setting up a Fabio load balancer to read certificates stored in Vault's KV engine, and when I run it I keep seeing errors like this:

http: TLS handshake error from 127.0.0.1:60354: remote error: tls: bad certificate

I believe this error is occurring because I have Vault configured to require TLS communication with its own CA. I think the clientca option is supposed to help with this, but the very brief description of this option just says that it's a path to the certificates for client authentication and doesn't provide any examples. Is this supposed to be a path to a Vault secret (secret/fabio/client-certs/...), and if so, what should that secret look like? Is this supposed to be a path to a local file or files, and if so, what would that look like?

[dradtke]

So I discovered the fix for the issue that I was running into. It turns out that the client cert wasn't necessary, but being able to configure the Vault client initialized by Fabio is if you use SSL and a custom CA root.

I'm running Fabio on Nomad, so the fix for me was to ensure that the CA certificate exists at /etc/ssl/vault/ca.pem on each server and then tell Fabio about it with an environment variable:

env {
    VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
}

The clientca option could still use with some additional examples, but the documentation for Fabio should also call out this caveat for integrating with a Vault server using SSL.

I'm going to close this ticket and make an update to the wiki page.

[aaronhurt]

Thank you!