Skip to content

Wrong URLs for CRL and CA Cert on PKI Engine #391

New issue
New issue
Open
Open
Wrong URLs for CRL and CA Cert on PKI Engine#391
@Torkolis

Description

@Torkolis
Torkolis
opened on Jun 2, 2022

https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager#configure-pki-secrets-engine
says:

Configure the PKI secrets engine certificate issuing and certificate revocation list (CRL) endpoints to use the Vault service in the default namespace.

$ vault write pki/config/urls \
    issuing_certificates="http://vault.default:8200/v1/pki/ca" \
    crl_distribution_points="http://vault.default:8200/v1/pki/crl"
Success! Data written to: pki/config/urls

but this is wrong, http://vault.default:8200/v1/pki/ca (and the other URL) are kubernetes internal URLs and external clients (e.g. a Browser) which would try to verify certificate validity by fetching the revocation list would fail to do so. One should configure external (ingress) URL for both of the endpoints.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions