HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

Troubleshoot PKI Secrets Engine and ACME

Solve common problems related to ACME client integration with Vault PKI Secrets Engine's ACME server.

Error: ACME feature requires local cluster 'path' field configuration to be set

If ACME works on some nodes of a Vault Enterprise cluster but not on others, it likely means that the cluster address has not been set.

Symptoms

When a Vault client reads the ACME config (/config/acme) on a Performance Secondary nodes or when an ACME client attempts to connect to a directory on this node, it will error with:

ACME feature requires local cluster 'path' field configuration to be set

Cause

In most cases, cluster path errors mean that the required cluster address is not set in your cluster configuration parameter.

Resolution

For each Performance Replication cluster, read the value of /config/cluster and ensure the path field is set. When it is missing, update the URL to point to this mount's path on a TLS-enabled address for this PR cluster; this domain may be a load balanced or a DNS round robin address. For example:

$ vault write pki/config/cluster path=https://cluster-b.vault.example.com/v1/pki

Once this is done, re-read the ACME configuration and make sure no warnings appear:

$ vault read pki/config/acme

Error: Unable to register an account with the ACME server

Symptoms

When registering a new account without an External Account Binding (EAB), the Vault Server rejects the request with a response like:

Unable to register an account with ACME server

with further information provided in the debug logs (in the case of certbot):

Server requires external account binding.

or, if the client incorrectly contacted the server, an error like:

The request must include a value for the 'externalAccountBinding' field

In either case, a new account needs to be created with an EAB token created by Vault.

Cause

If a server has been updated to require eab_policy=always-required in the ACME configuration, new account registration (and reuse of existing accounts will fail).

Resolution

Using a Vault token, fetch a new external account binding for the desired directory:

$ vault write -f pki/roles/my-role-name/acme/new-eab
...
directory roles/my-role-name/acme/directory
id        bc8088d9-3816-5177-ae8e-d8393265f7dd
key       MHcCAQE... additional data elided ...
...

Then pass this new EAB token into the ACME client. For example, with certbot:

$ certbot [... additional parameters ...] \
    --server https://cluster-b.vault.example.com/v1/pki/roles/my-role-name/acme/directory \
    --eab-kid bc8088d9-3816-5177-ae8e-d8393265f7dd \
    --eab-hmac-key MHcCAQE... additional data elided ...

Ensure that the ACME directory passed to the ACME client matches that fetched from the Vault.

Error: Failed to verify eab

Symptoms

When initializing a new account against this Vault server, the ACME client might error with a message like:

The client lacks sufficient authorization :: failed to verify eab

This is caused by requesting an EAB from a directory not matching the one the client used.

Cause

If an EAB account token is incorrectly used with the wrong directory, the ACME server will reject the request with an error about insufficient permissions.

Resolution

Ensure the requested EAB token matches the directory. For a given directory at /some/path/acme/directory, fetch EAB tokens from /some/path/acme/new-eab. The remaining resolution steps are the same as for debugging account registration failures.

Error: ACME validation failed for {challenge_id}

Symptoms

When viewing the Vault server logs or attempting to fetch a certificate via an ACME client, an error like:

ACME validation failed for a465a798-4400-6c17-6735-e1b38c23de38-tls-alpn-01: ...

indicates that the server was unable to validate this challenge accepted by the client.

Cause

Vault can not verify the server's identity through the client's requested challenge type (dns-01, http-01, or tls-alpn-01). Vault will not issue the certificate requested by the client.

Resolution

Ensure that DNS is configured correctly from the Vault server's perspective, including setting any custom DNS resolver.

Ensure that any firewalls are set up to allow Vault to talk to the relevant systems (the DNS server in the case of dns-01, port 80 on the target machine for http-01, or port 443 on the target machine for tls-alpn-01 challenges).

Error: The client lacks sufficient authorization: account in status: revoked

Symptoms

When attempting to renew a certificate, the ACME client reports an error:

The client lacks sufficient authorization: account in status: revoked

Cause

If you run a manual tidy or have auto-tidy enabled with `tidy_acme=true, Vault will periodically remove stale ACME accounts.

Connections from clients using removed accounts will be rejected.

Resolution

Refer to the ACME client's documentation for removing cached local configuration and setup a new account, specifying any EABs as required.

Get help

Please provide the following information when contacting Hashicorp Support or filing a GitHub issue to help with our investigation and reproducibility:

  • ACME client name and version
  • ACME client logs and/or output
  • Vault server DEBUG level logs

Tutorial

Refer to the Build Your Own Certificate Authority (CA) guide for a step-by-step tutorial.

Have a look at the PKI Secrets Engine with Managed Keys for more about how to use externally managed keys with PKI.

API

The PKI secrets engine has a full HTTP API. Please see the PKI secrets engine API for more details.