Adding HashiCorp Vault Certificates to Itential Platform
  • 17 Jan 2025


ⓘ Note:

This document only applies to on-premises deployments of Itential Platform (IP).

Itential Platform may fail to connect to HashiCorp Vault servers that use HTTPS. In such cases, IP typically logs the following error:

UNABLE_TO_VERIFY_LEAF_SIGNATURE

In general, this occurs when IP does not trust, or cannot read, the SSL certificate chain presented by the affected Vault servers, because that chain is not part of the CA store the Platform process uses.

Adding the Vault Certificate Chain to Itential Platform

To fix this issue, perform the following steps on all Platform servers in your environment.

  1. Create a file named vault.cert on your Platform server.

    touch vault.cert
    
  2. Copy the contents of all SSL certificates used by Vault to the vault.cert file. For example, if your Vault server uses an end-user certificate, an intermediate certificate, and a root certificate, the resulting vault.cert file should look similar to the following:

    -----BEGIN CERTIFICATE-----
    <Content of end-user certificate>
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    <Content of intermediate certificate>
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    <Content of root certificate>
    -----END CERTIFICATE-----
    
  3. Move the vault.cert file to the /etc/pki/tls/certs directory.

    mv ./vault.cert /etc/pki/tls/certs
    
  4. Assign ownership of the vault.cert file to the itential user.

    chown itential: /etc/pki/tls/certs/vault.cert
    
  5. Make sure the itential user has read-only access to the vault.cert file. No access should be granted to any groups or other users (numeric permission 400).

    chmod 400 /etc/pki/tls/certs/vault.cert
    
  6. Determine the location of the Platform service file automation-platform.service by executing the systemctl status automation-platform command. In the following example, the service file is located at /usr/lib/systemd/system/automation-platform.service.

    [root@localhost itential]# systemctl status automation-platform 
    ● automation-platform.service - Itential Platform Service
        Loaded: loaded (/usr/lib/systemd/system/automation-platform.service; enabled; vendor preset: disabled)
        Active: active (running) since Wed 2023-08-30 14:45:32 EDT; 1 weeks 4 days ago
    Main PID: 812873 (Pronghorn core)
        Tasks: 302 (limit: 36528)
        Memory: 3.5G
        CGroup: /system.slice/automation-platform.service
            ├─812873 Pronghorn core
            ├─812955 Pronghorn AppArtifacts Application
            ├─812983 Pronghorn AutomationCatalog Application
            ├─812991 Pronghorn AutomationStudio Application
    
  7. Add the following environment variable to the [Service] section of the automation-platform.service file. This gives the Platform access to the vault.cert file that now contains your Vault certificate chain. The variable is read once when the Platform process starts, and it extends the default CA store rather than replacing it.

    Environment="NODE_EXTRA_CA_CERTS=/etc/pki/tls/certs/vault.cert"
    
  8. Reload the service daemon for the changes to take effect.

    systemctl daemon-reload
    
  9. Restart the Itential Platform service.

    systemctl restart automation-platform
    
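The steps above, collected into one shell script so that they can be repeated on every Platform server and checked before the service is restarted. This is an added example, not part of the article or of Itential's tooling. It assumes the separate leaf, intermediate and root certificates already exist as PEM files, that the article's paths (/etc/pki/tls/certs/vault.cert, the itential user, and the automation-platform.service unit) are used, and that GNU/BSD ls, awk and grep are available; the openssl check is optional and skipped when openssl is not installed. Two checks are added that the article does not spell out: a private key is never allowed into the trust bundle, and the Environment= line is only ever written once. Remember that the bundle must be rebuilt and the service restarted whenever the Vault certificate chain is rotated.

```shell
#!/bin/sh
# Added example (not Itential's own tooling). Builds vault.cert from separate PEM
# files, applies the article's ownership/permission model, and adds
# NODE_EXTRA_CA_CERTS to the [Service] section of a systemd unit idempotently.
# Paths are parameters; the defaults match the article.

# build_chain OUT leaf.pem intermediate.pem root.pem
# Concatenates PEM certificates in the given order, refusing any file that is
# not a certificate, so a stray private key cannot end up in the trust bundle.
build_chain() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        if grep -q 'PRIVATE KEY' "$pem"; then
            echo "build_chain: $pem contains a private key, refusing" >&2
            return 1
        fi
        if ! grep -q '^-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "build_chain: $pem is not a PEM certificate" >&2
            return 1
        fi
        cat "$pem" >> "$out"
        printf '\n' >> "$out"   # keep a blank line between blocks, as in the article
    done
}

# cert_count FILE: number of certificates in a PEM bundle (expect 3 for
# leaf + intermediate + root).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# lock_down FILE [USER]: mode 400, owned by the service user (default itential).
# chown needs root, so an unprivileged run reports the skip instead of failing.
# Prints the resulting permission string, e.g. -r--------, for the caller to check.
lock_down() {
    f=$1; owner=${2:-itential}
    chmod 400 "$f" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner": "$f" || return 1
    else
        echo "lock_down: not root, skipping chown $owner: $f" >&2
    fi
    ls -ld "$f" | cut -c1-10
}

# add_env UNIT [BUNDLE]: add Environment="NODE_EXTRA_CA_CERTS=BUNDLE" directly
# under the [Service] header. Idempotent: an existing identical line is left
# alone, and a conflicting NODE_EXTRA_CA_CERTS value is reported, not overwritten.
add_env() {
    unit=$1; bundle=${2:-/etc/pki/tls/certs/vault.cert}
    line="Environment=\"NODE_EXTRA_CA_CERTS=$bundle\""
    grep -qF "$line" "$unit" && return 0
    if grep -q 'NODE_EXTRA_CA_CERTS' "$unit"; then
        echo "add_env: $unit already sets NODE_EXTRA_CA_CERTS to another path; fix by hand" >&2
        return 1
    fi
    if ! grep -q '^\[Service\]' "$unit"; then
        echo "add_env: $unit has no [Service] section" >&2
        return 1
    fi
    awk -v l="$line" '{ print } /^\[Service\]/ { print l }' "$unit" > "$unit.tmp" \
        && mv "$unit.tmp" "$unit"
}

# verify_chain BUNDLE LEAF: confirm the bundle validates the Vault leaf
# certificate before the service is restarted. Skipped when openssl is absent.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    openssl verify -CAfile "$1" "$2"
}

# Run the full procedure only when invoked as: sh vault-ca.sh --apply leaf intermediate root
if [ "${1:-}" = "--apply" ]; then
    shift
    build_chain ./vault.cert "$@" || exit 1
    echo "certificates in bundle: $(cert_count ./vault.cert)"
    verify_chain ./vault.cert "$1" || exit 1
    mv ./vault.cert /etc/pki/tls/certs/vault.cert || exit 1
    lock_down /etc/pki/tls/certs/vault.cert itential || exit 1
    unit=$(systemctl show -p FragmentPath --value automation-platform)
    add_env "$unit" /etc/pki/tls/certs/vault.cert || exit 1
    systemctl daemon-reload && systemctl restart automation-platform
fi
```

The --apply path resolves the unit file with `systemctl show -p FragmentPath --value`, which returns the same path that `systemctl status` prints in step 6, so the script works whether the unit lives under /usr/lib/systemd/system or /etc/systemd/system.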

Further Reading

For more information about integrating HashiCorp Vault with Itential Platform, refer to the HashiCorp Vault Encryption section of the IAP documentation.

