Troubleshoot HashiCorp Vault issues

on-prem only

Troubleshoot

Itential Platform can fail to connect to HashiCorp Vault servers that use HTTPS. When this happens, the following error is typically logged by Itential Platform:

UNABLE_TO_VERIFY_LEAF_SIGNATURE

This is Node.js, which Platform runs on, reporting that it could not build a trusted chain from Vault's server certificate to a CA it trusts. By default Node.js uses its own bundled CA list rather than the operating system's trust store, so a Vault certificate issued by an internal or private CA is rejected even when the OS itself trusts that CA. The fix is to hand Platform the Vault certificate chain explicitly.

Add the Vault certificate chain to Platform

To fix this issue, perform the following steps on all Platform servers in your environment.

1. Create the certificate file

Create a file named vault.cert on your Platform server.

$ touch vault.cert
2. Add certificate contents

Paste the PEM-encoded certificates that make up Vault's chain into vault.cert, server certificate first and root CA last. It is the CA certificates (intermediate and root) that let Platform verify the chain; the server certificate itself is not needed for verification, though including it does no harm beyond having to refresh the file whenever that certificate is renewed. With a server certificate, an intermediate CA, and a root CA, the file looks like this:

-----BEGIN CERTIFICATE-----
<Content of end-user certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Content of intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Content of root certificate>
-----END CERTIFICATE-----
3. Move the certificate file

Move the vault.cert file to the /etc/pki/tls/certs directory.

$ mv ./vault.cert /etc/pki/tls/certs/
4. Set ownership

Make the itential user, the account the automation-platform service runs as, the owner of vault.cert.

$ chown itential: /etc/pki/tls/certs/vault.cert
5. Set permissions

Make the file readable by its owner only (mode 400), with no access for the group or other users. It holds only public certificates, but it decides which CAs Platform trusts, so keep it out of reach of every account other than the service user.

$ chmod 400 /etc/pki/tls/certs/vault.cert
6. Locate the service file

Find the unit file for the Platform service with systemctl status automation-platform; the Loaded: line shows its path. In the following example it is /usr/lib/systemd/system/automation-platform.service.

[root@localhost itential]# systemctl status automation-platform
● automation-platform.service - Itential Platform Service
   Loaded: loaded (/usr/lib/systemd/system/automation-platform.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-08-30 14:45:32 EDT; 1 weeks 4 days ago
 Main PID: 812873 (Pronghorn core)
    Tasks: 302 (limit: 36528)
   Memory: 3.5G
   CGroup: /system.slice/automation-platform.service
           ├─812873 Pronghorn core
           ├─812955 Pronghorn AppArtifacts Application
           ├─812983 Pronghorn AutomationCatalog Application
           ├─812991 Pronghorn AutomationStudio Application
7. Add environment variable

Add the following line to the [Service] section of the unit. NODE_EXTRA_CA_CERTS makes Node.js trust the CAs in vault.cert in addition to its built-in list, which is what lets Platform verify Vault's certificate chain. A unit under /usr/lib/systemd/system belongs to the package and is overwritten on upgrade, so the durable way to make this change is systemctl edit automation-platform, which creates an override file under /etc/systemd/system/automation-platform.service.d/ where the same [Service] line can go.

Environment="NODE_EXTRA_CA_CERTS=/etc/pki/tls/certs/vault.cert"
8. Reload daemon

Reload systemd so that it reads the changed unit.

$ systemctl daemon-reload
9. Restart Platform

Restart the Itential Platform service. NODE_EXTRA_CA_CERTS is read once when the Node.js process starts, so the running process will not pick it up. After the restart, confirm that UNABLE_TO_VERIFY_LEAF_SIGNATURE no longer appears in the Platform log when it connects to Vault.

$ systemctl restart automation-platform
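The following POSIX shell script is an added example, not Itential's own tooling. It wraps steps 1 through 9: it checks the pasted bundle for the mistakes that most often break this procedure (CRLF line endings from a Windows paste, unbalanced BEGIN/END markers, a private key copied along with the certificates), installs the file with the ownership and mode above, points the service at it through a systemd drop-in instead of editing the packaged unit, and restarts. The service name, user and paths follow the steps above; the drop-in file name vault-ca.conf is an assumption, and the sample bundle at the bottom is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example, not Itential's own tooling. Wraps the nine steps above:
# sanity-check the pasted bundle, install it for the itential user, point the
# service at it with a systemd drop-in, and restart. The drop-in file name
# vault-ca.conf is an assumption; the sample bundle at the bottom is
# constructed placeholder data.

# Count the PEM certificate blocks in a file (prints 0 rather than failing).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Return 0 if the bundle is usable as a CA file, 1 (with a reason) otherwise.
check_bundle() {
    f="$1"
    [ -s "$f" ] || { echo "empty or missing: $f"; return 1; }
    # Certificates pasted from Windows often arrive with CRLF line endings,
    # which stop the markers from matching. Check this before counting them.
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings in $f; convert them to LF first"; return 1
    fi
    begins=$(count_certs "$f")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -ge 1 ] || { echo "no PEM certificates in $f"; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END markers in $f"; return 1; }
    # A trust-store file must never carry key material. If the Vault server's
    # key pair was copied along with its certificate, stop here.
    if grep -q 'PRIVATE KEY-----' "$f"; then
        echo "private key material found in $f; remove it"; return 1
    fi
    return 0
}

# Print subject/issuer for each certificate in a real bundle so the chain can
# be checked by eye: each issuer should match the next subject, and the last
# certificate should be self-issued. Needs openssl; no-op without it.
describe_bundle() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping"; return 0; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Render the systemd drop-in that hands the bundle to Node.js. A drop-in under
# /etc/systemd/system/<unit>.d/ survives package upgrades, unlike an edit to
# the unit shipped in /usr/lib/systemd/system.
render_dropin() {
    printf '[Service]\nEnvironment="NODE_EXTRA_CA_CERTS=%s"\n' "$1"
}

# Steps 3 to 9 in one go. Run as root on every Platform server.
install_bundle() {
    src="$1"
    dst="${2:-/etc/pki/tls/certs/vault.cert}"
    check_bundle "$src" || return 1
    install -m 0400 "$src" "$dst"                                   # steps 3 and 5
    chown itential: "$dst"                                          # step 4
    mkdir -p /etc/systemd/system/automation-platform.service.d
    render_dropin "$dst" \
        > /etc/systemd/system/automation-platform.service.d/vault-ca.conf   # step 7
    systemctl daemon-reload                                         # step 8
    systemctl restart automation-platform                           # step 9
}

# Constructed sample bundle: three placeholder blocks in server, intermediate,
# root order. The bodies are not real certificates, so only the structural
# checks apply to it; run describe_bundle on a real file instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYOFTHEVAULTSERVERCERTIFICATENOTAREALCERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYOFTHEINTERMEDIATECACERTIFICATENOTAREALCERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYOFTHEROOTCACERTIFICATENOTAREALCERT
-----END CERTIFICATE-----
EOF

if check_bundle "$SAMPLE"; then
    echo "bundle OK: $(count_certs "$SAMPLE") certificates"
    render_dropin /etc/pki/tls/certs/vault.cert
fi
```

On a real server, run check_bundle and describe_bundle against the file you pasted, then install_bundle as root; the functions print the reason whenever they refuse a file. Once Platform is back up, the UNABLE_TO_VERIFY_LEAF_SIGNATURE message should be gone from its log.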

Further Reading

For more information about integrating HashiCorp Vault with Itential Platform, refer to the HashiCorp Vault Encryption section of the documentation.