I’m trying to connect to a vault instance on a private network - the vault server IP is 192.168.0.104 and vault is accessible through https://192.168.0.104:8200 with a self-signed SAN certificate. I’ve installed the self-signed certificate on the KumoMTA server as well, and I’ve verified that it’s working (https://superuser.com/a/719047) - I also tested sending requests to the vault via curl, and it started working after I installed the certificate. But Kumo refuses to connect to the vault, saying
{"success_count":0,"fail_count":1,"failed_recipients":["recipient@example.com"],"errors":["recipient@example.com: callback error\nstack traceback:\n\t[C]: in local 'poll'\n\t[string \"?\"]:5: in main chunk\n\t(...tail calls...)\ncaused by: kv2::read vault_mount=secret, vault_path=tenants/example.com Vault { vault_address: Some(\"https://192.168.0.104:8200\"), vault_token: Some(\"hvs.zWDJByhDWMi5lUODk11H8DWO\"), vault_mount: \"secret\", vault_path: \"tenants/example.com\" }: An error occurred with the request: Error sending HTTP request: error sending request for url (https://192.168.0.104:8200/v1/secret/data/tenants/example.com?): error trying to connect: invalid peer certificate: UnknownIssuer: error trying to connect: invalid peer certificate: UnknownIssuer: invalid peer certificate: UnknownIssuer"]}
It seems like Kumo / Rust is ignoring the system certificates and using something else? Is there an environment variable I can use to change this behavior?
I don’t know anything about rust and how it works, so I might be completely off-track here, but it seems like Kumo is using vaultrs, which in turn is using rustls by default, which uses webpki-roots as the source of its trusted certificates (instead of the system certificates). vaultrs has a feature called native-tls “which builds on your platform-specific TLS implementation” - should I rebuild kumo and use native-tls?
On the other hand, vaultrs says “Behind the scenes it [vaultrs] uses an asynchronous client from Reqwest for communicating to Vault.”, and reqwest documentation says it “Uses system-native TLS” which makes things more confusing.
So, it seems like I need to build kumo with native-tls myself, right? It might make sense to also change the default for Kumo from the next version; I’d imagine that using vault with a self-signed certificate over a private network is a popular use case.
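To make the trust-store distinction behind the `UnknownIssuer` error concrete, here is an added shell example (not from the KumoMTA project or from this thread). It builds a constructed self-signed certificate with the same IP SAN as the Vault server above and shows that it verifies only against a CA file that explicitly contains it: installing a cert into the OS bundle helps clients that read that bundle (curl here), while a client with its own root set has to be handed the CA directly. It assumes an `openssl` CLI (1.1.1 or newer) in `PATH` and a writable temp directory.

```shell
#!/bin/sh
# Added example: reproduce the "trusted by the OS store vs. trusted by the
# client" difference with the openssl CLI alone. Nothing here talks to Vault.
set -e
WORK="$(mktemp -d)"

# Constructed stand-in for the Vault server certificate: self-signed, with
# an IP SAN for the address used in the thread (192.168.0.104).
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/vault.key" -out "$WORK/vault.crt" \
    -subj "/CN=vault.internal" \
    -addext "subjectAltName=IP:192.168.0.104" >/dev/null 2>&1
}

# Verify a certificate the way a TLS client would: chain building against a
# given CA file (or the default store when $2 is empty) plus an IP SAN check.
# Returns 0 when the cert is accepted, non-zero otherwise.
verify_with() {   # $1 = cert to check, $2 = CA file, or "" for the default store
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" -verify_ip 192.168.0.104 "$1" >/dev/null 2>&1
  else
    openssl verify -verify_ip 192.168.0.104 "$1" >/dev/null 2>&1
  fi
}

gen_selfsigned

# Default store: the self-signed issuer is unknown to it, so verification
# fails. This is the situation of a client whose root set is baked in.
if verify_with "$WORK/vault.crt" ""; then
  echo "default store: accepted (unexpected for a self-signed cert)"
else
  echo "default store: rejected, issuer unknown"
fi

# Explicit CA file containing the self-signed cert: accepted. Whatever TLS
# library the client uses, this is the trust relationship it must be given.
if verify_with "$WORK/vault.crt" "$WORK/vault.crt"; then
  echo "explicit CA file: accepted"
fi
```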
I’m not enthusiastic about requiring openssl throughout all of the rust components that we use; ideally we’re 100% rust and don’t need to touch openssl at all, and that would be a move in the opposite direction