Vault TLS on Docker - cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

Question

I'm trying to run TLS on Valut using docker. At first generate certificates and run docker container with Vault server mode. After that I run vault init command that returns error:

Error initializing: Put https://127.0.0.1:8200/v1/sys/init: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

I could use -tls-skip-verify but is not a solution.

I generate certs using openssl.cnf file:

[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = 127.0.0.1
DNS.2 = 0.0.0.0

These commands are used to generate CA cert.pem and key.pem:

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

openssl x509 -in cacert.pem -out cacert.cer -outform DER

To run docker container I use:

docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener":[{"tcp":{"address":"127.0.0.1:8200", "tls_cert_file":"/vault/ca/cacert.pem", "tls_key_file":"/vault/ca/private/cakey.pem"}}], "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}' -p8201:8200 --name vault-server -v/tmp/vault-conf/ca-keys:/vault/ca vault server

Docker mounts folder with certificates which are used in Vault conf file.

There are docker logs:

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: file
                 Version: Vault v0.9.6
             Version Sha: 7e1fbde40afee241f81ef08700e7987d86fc7242

==> Vault server started! Log data will stream in below:

Now after exec command vault init inside docker container it returns above error.

Generated cacert.pem file does contains 127.0.0.1 IP address in SAN.

X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:127.0.0.1, DNS:0.0.0.0

Where I make a mistake?

Answer 1

Looks like you'd just update the DNS section to:

[ alt_names ]
DNS.0 = localhost
IP.1 = 127.0.0.1
IP.2 = 0.0.0.0