Adding HashiCorp Vault Certificates to IAP
  • 29 Apr 2024

ⓘ Note:

This document only applies to on-premise deployments of Itential Automation Platform (IAP).

IAP can encounter difficulties when connecting to HashiCorp Vault servers that use HTTPS. In such cases, the following error message is often logged by IAP:

UNABLE_TO_VERIFY_LEAF_SIGNATURE

In general, this occurs when the Node.js runtime that IAP runs on cannot validate the certificate chain presented by the Vault server, either because the chain is issued by a CA that IAP does not trust or because the certificate files are not accessible to IAP.

Adding the Vault Certificate Chain to IAP

To fix this issue, perform the following steps on all IAP servers in your environment.

  1. Create a file named vault.cert on your IAP server.

    touch vault.cert
    
  2. Copy the contents of all SSL certificates used by Vault to the vault.cert file. For example, if your Vault server uses an end-user certificate, an intermediate certificate, and a root certificate, the resulting vault.cert file should look similar to the following:

    -----BEGIN CERTIFICATE-----
    <Content of end-user certificate>
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    <Content of intermediate certificate>
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    <Content of root certificate>
    -----END CERTIFICATE-----
    
  3. Move the vault.cert file to the /etc/pki/tls/certs directory.

    mv ./vault.cert /etc/pki/tls/certs
    
  4. Assign ownership of the vault.cert file to the itential user.

    chown itential: /etc/pki/tls/certs/vault.cert
    
  5. Make sure the itential user has read-only access to the vault.cert file. No access should be granted to any groups or other users (numeric permission 400).

    chmod 400 /etc/pki/tls/certs/vault.cert
    
  6. Determine the location of the IAP service file automation-platform.service by executing the systemctl status automation-platform command. In the following example, the service file is located at /usr/lib/systemd/system/automation-platform.service.

    [root@localhost itential]# systemctl status automation-platform 
    ● automation-platform.service - Itential Automation Platform Service
        Loaded: loaded (/usr/lib/systemd/system/automation-platform.service; enabled; vendor preset: disabled)
        Active: active (running) since Wed 2023-08-30 14:45:32 EDT; 1 weeks 4 days ago
    Main PID: 812873 (Pronghorn core)
        Tasks: 302 (limit: 36528)
        Memory: 3.5G
        CGroup: /system.slice/automation-platform.service
            ├─812873 Pronghorn core
            ├─812955 Pronghorn AppArtifacts Application
            ├─812983 Pronghorn AutomationCatalog Application
            ├─812991 Pronghorn AutomationStudio Application
    
  7. Add the following environment variable to the automation-platform.service file. This gives IAP access to the vault.cert file that now contains your Vault certificate chain.

    Environment="NODE_EXTRA_CA_CERTS=/etc/pki/tls/certs/vault.cert"
    
  8. Reload the service daemon for the changes to take effect.

    systemctl daemon-reload
    
  9. Restart the IAP service.

    systemctl restart automation-platform
    

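The nine steps above, scripted end to end, with the checks a practitioner would run before restarting the service. This is an added example, not Itential's own tooling. It assumes the three certificates are available as leaf.pem, intermediate.pem and root.pem in the working directory (hypothetical names), that the certificate directory and service account are the ones on this page, and it writes the step 7 setting as a systemd drop-in under /etc/systemd/system/automation-platform.service.d/ rather than editing the vendor unit directly, so the change survives package upgrades that replace the unit file. Whichever file you use, the Environment= line must sit under the [Service] section.

```shell
#!/bin/sh
# Added example, not Itential's own tooling: scripts steps 1-9 above.
# Assumptions (all hypothetical, override as needed):
#   - leaf.pem, intermediate.pem and root.pem hold the three PEM certificates
#   - CERT_DIR defaults to /etc/pki/tls/certs and OWNER to "itential:"
#   - the unit is automation-platform.service; the Environment= line is
#     written to a drop-in file instead of the vendor unit (my choice)
set -eu

# Count PEM certificate blocks in a file; prints 0 (and still succeeds) when none.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 2: concatenate the PEM files given after the output path, leaf first,
# then intermediate, then root. Refuses any input that is not a PEM certificate.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "error: $pem contains no PEM certificate" >&2
            return 1
        fi
        cat "$pem" >> "$out"
    done
    # every input must have contributed at least one certificate block
    [ "$(count_certs "$out")" -ge "$#" ]
}

# Steps 3-5: move the chain file into the certificate directory, hand it to
# the IAP service account and leave it readable by that account only.
# OWNER is passed straight to chown ("itential:" keeps the page's form).
install_chain_file() {
    src=$1; dest_dir=$2; owner=$3
    mv "$src" "$dest_dir/vault.cert"
    chown "$owner" "$dest_dir/vault.cert"
    chmod 400 "$dest_dir/vault.cert"
}

# Post-install check: the mode string must be exactly -r-------- (0400).
# Uses ls rather than stat so it behaves the same on GNU and BSD userlands.
check_mode_400() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Step 7: write the NODE_EXTRA_CA_CERTS setting as a systemd drop-in.
# Environment= is only valid under [Service]; a drop-in survives package
# upgrades that replace /usr/lib/systemd/system/automation-platform.service.
write_dropin() {
    dropin_dir=$1; chain=$2
    mkdir -p "$dropin_dir"
    printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$chain" \
        > "$dropin_dir/vault-ca.conf"
}

# Check that a unit file or drop-in carries the exact Environment line.
has_env_line() {
    grep -qxF "Environment=\"NODE_EXTRA_CA_CERTS=$2\"" "$1"
}

# Optional pre-restart check: verify the leaf against the assembled chain.
# If this fails, NODE_EXTRA_CA_CERTS will not make IAP trust the server either.
verify_leaf() {
    openssl verify -CAfile "$2" "$1"
}

main() {
    CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
    OWNER=${OWNER:-itential:}
    build_chain_file ./vault.cert leaf.pem intermediate.pem root.pem
    verify_leaf leaf.pem ./vault.cert
    install_chain_file ./vault.cert "$CERT_DIR" "$OWNER"
    check_mode_400 "$CERT_DIR/vault.cert"
    write_dropin /etc/systemd/system/automation-platform.service.d "$CERT_DIR/vault.cert"
    systemctl daemon-reload                  # step 8
    systemctl restart automation-platform    # step 9
}

# Only apply changes when explicitly asked, so the file can be sourced for checks.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root with `sh vault-chain.sh --apply` on each IAP server. The `verify_leaf` check catches a chain file that is missing the intermediate or root before IAP is restarted, and `check_mode_400` confirms the file is not readable by any other account, which matters because anything readable by other users in /etc/pki/tls/certs is also a candidate for tampering with what IAP trusts.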
Further Reading

For more information about integrating HashiCorp Vault with IAP, refer to the HashiCorp Vault Encryption section of the IAP documentation.

