This repository has been archived by the owner on Sep 7, 2023. It is now read-only.

Failed to load cert/key pair: no such file or directory #135

Open
AnthonyLELUYER opened this issue Sep 27, 2019 · 0 comments

Comments

@AnthonyLELUYER

I'm currently working on a Vault Docker with Consul storage, and I have an issue with certificates on the Consul Docker. I generate the CA, the server certificate and the API certificate directly in the Dockerfile:

# Create CA
RUN cd / && \
    consul tls ca create && \
    mv consul-agent-ca.pem /consul/certificates/consul-agent-ca.pem

# Create server certs for Consul
RUN cd / && \
    consul tls cert create -server -ca="/consul/certificates/consul-agent-ca.pem" && \
    mv dc1-server-consul-0.pem /consul/certificates/ && \
    mv dc1-server-consul-0-key.pem /consul/certificates/ && \
    chown consul:consul /consul/certificates/dc1-server-consul-0.pem && \
    chown consul:consul /consul/certificates/dc1-server-consul-0-key.pem

# Create API certs for Vault
RUN cd / && \
    consul tls cert create -cli -ca="/consul/certificates/consul-agent-ca.pem" && \
    mv dc1-cli-consul-0.pem /consul/certificates/vault/ && \
    mv dc1-cli-consul-0-key.pem /consul/certificates/vault/

It works fine for the CA; it's correctly recognized when used to generate the other certificates. The other certificates are generated too:

Step 10/17 : RUN cd / &&     consul tls cert create -server -ca="/consul/certificates/consul-agent-ca.pem" &&     mv dc1-server-consul-0.pem /consul/certificates/ &&     mv dc1-server-consul-0-key.pem /consul/certificates/ &&     chown consul:consul /consul/certificates/dc1-server-consul-0.pem &&     chown consul:consul /consul/certificates/dc1-server-consul-0-key.pem
 ---> Running in 17730c4aa3d8
==> WARNING: Server Certificates grants authority to become a
    server and access all state in the cluster including root keys
    and all ACL tokens. Do not distribute them to production hosts
    that are not server nodes. Store them as securely as CA keys.
==> Using /consul/certificates/consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
Removing intermediate container 17730c4aa3d8

However, when I check the logs of the Consul Docker:

Attaching to dockercompose_consul_1
consul_1  | BootstrapExpect is set to 1; this is the same as Bootstrap mode.
consul_1  | bootstrap = true: do not enable unless necessary
consul_1  | ==> Starting Consul agent...
consul_1  |            Version: 'v1.6.1'
consul_1  |            Node ID: '6b33d77b-9cc7-523f-05a6-8f6567cc2460'
consul_1  |          Node name: 'consul_s1'
consul_1  |         Datacenter: 'dc1' (Segment: '<all>')
consul_1  |             Server: true (Bootstrap: true)
consul_1  |        Client Addr: [0.0.0.0] (HTTP: -1, HTTPS: 8501, gRPC: -1, DNS: 8600)
consul_1  |       Cluster Addr: 172.23.0.2 (LAN: 8301, WAN: 8302)
consul_1  |            Encrypt: Gossip: false, TLS-Outgoing: true, TLS-Incoming: true, Auto-Encrypt-TLS: true
consul_1  |
consul_1  | ==> Log data will now stream in as it occurs:
consul_1  |
consul_1  |     2019/09/27 11:45:03 [WARN] agent: Node name "consul_s1" will not be discoverable via DNS due to invalid characters. Valid characters include all alpha-numerics and dashes.
consul_1  |     2019/09/27 11:45:03 [DEBUG] tlsutil: Update with version 0
consul_1  | ==> Error starting agent: Failed to load cert/key pair: open /consul/certificates/dc1-server-consul-0.pem: no such file or directory
consul_1  |     2019/09/27 11:45:03 [INFO] agent: Exit code: 1

I mount the folder /consul/certificates in the docker-compose:

version: '3.6'

services:

  vault:
    build:
      context: ./vault
      dockerfile: Dockerfile
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
      - ./consul/certificates/vault:/vault/certificates
    environment:
      - VAULT_ADDR=http://127.0.0.1:8200
    command: server -config=/vault/config/vault.hcl
    cap_add:
      - IPC_LOCK
    depends_on:
      - consul

  consul:
    build:
      context: ./consul
      dockerfile: Dockerfile
    ports:
      - 8500:8500
    command: agent -server -config-file=/consul/config/config.json
    volumes:
      - ./consul/config/config.json:/consul/config/config.json
      - ./consul/data:/consul/data
      - ./consul/certificates:/consul/certificates

However, the folder is empty on my machine. I don't understand how the certificate creation works, correctly using the CA in /consul/certificates/, but then when I check the folder, it's empty. Did I miss something?
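The compose bind mount is what empties the directory: the RUN steps write the certificates into image layers, but at run time the host directory ./consul/certificates (empty) is mounted over /consul/certificates and hides the image's copy. The build succeeds because, inside the image, the directory exists, and because `consul tls cert create` looks for consul-agent-ca-key.pem in the current directory (the build output's "Using /consul/certificates/consul-agent-ca.pem and consul-agent-ca-key.pem" line shows this), where `consul tls ca create` left it; that CA private key is never moved, so it stays baked into the image's root directory. The entrypoint script below is an added example, not code from the issue or from the Consul project: it generates the material at container start, inside the mounted directory, and skips anything already present so restarts keep the same CA. The path /consul/certificates, the datacenter name dc1, the `consul` user and the hand-over to /usr/local/bin/docker-entrypoint.sh (the official image's entrypoint) are assumptions.

```shell
#!/bin/sh
# consul-certs-entrypoint.sh (added example; not from the issue or the Consul project)
#
# Generate the Consul CA, a server certificate and a CLI certificate at
# container start, inside the directory that docker-compose bind-mounts,
# rather than in a Dockerfile RUN step whose output the bind mount hides.
# Re-running is a no-op once the files exist, so restarts keep the same CA.
set -eu

# Assumed paths and names; they match the issue's compose file and Consul's defaults.
CERT_DIR="${CONSUL_CERT_DIR:-/consul/certificates}"
DATACENTER="${CONSUL_DATACENTER:-dc1}"
# The official image's entrypoint, which this script hands over to (assumed path).
REAL_ENTRYPOINT="${CONSUL_REAL_ENTRYPOINT:-/usr/local/bin/docker-entrypoint.sh}"

# ensure_consul_certs DIR DC
#   Creates, under DIR, the CA pair, one server cert and one CLI cert (the
#   latter under DIR/vault, where the compose file mounts it into Vault).
#   Runs inside DIR so `consul tls cert create` finds the CA key next to the
#   CA cert (its default -ca/-key paths are relative to the working directory)
#   and nothing is written to the image's root directory.
ensure_consul_certs() {
    dir=$1
    dc=$2
    mkdir -p "$dir/vault"
    (
        cd "$dir"
        if [ ! -f consul-agent-ca.pem ]; then
            consul tls ca create
        fi
        if [ ! -f "${dc}-server-consul-0.pem" ]; then
            consul tls cert create -server -dc="$dc"
        fi
        if [ ! -f "vault/${dc}-cli-consul-0.pem" ]; then
            consul tls cert create -cli -dc="$dc"
            mv "${dc}-cli-consul-0.pem" "${dc}-cli-consul-0-key.pem" vault/
        fi
    )
    # Private keys readable by their owner only; certificates stay world-readable.
    chmod 600 "$dir"/*-key.pem "$dir"/vault/*-key.pem
    # Hand the files to the agent's user when running as root and that user
    # exists (the official image runs the agent as "consul"; assumed).
    if [ "$(id -u)" -eq 0 ] && id consul >/dev/null 2>&1; then
        chown -R consul:consul "$dir"
    fi
}

# Only act as an entrypoint when invoked under this script's own name, so the
# function above can also be sourced or tested without side effects.
if [ "${0##*/}" = "consul-certs-entrypoint.sh" ]; then
    ensure_consul_certs "$CERT_DIR" "$DATACENTER"
    exec "$REAL_ENTRYPOINT" "$@"
fi
```

Wire it in with `ENTRYPOINT ["/consul-certs-entrypoint.sh"]` in the Consul Dockerfile and keep the compose `command:` as it is; the first start populates ./consul/certificates on the host and later starts reuse it. Two caveats a practitioner will want: the CA private key ends up in the same bind-mounted directory as the server key, which is fine for a local development stack but not for production, where the CA key belongs on a separate host and only the leaf certificates are distributed (the build warning about server certificates applies to them as well); and `chown -R` on a bind mount changes the ownership of the host files, so do not point CERT_DIR at a directory shared with anything else.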
