You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Configure the PKI secrets engine certificate issuing and certificate revocation list (CRL) endpoints to use the Vault service in the default namespace.
$ vault write pki/config/urls \
issuing_certificates="http://vault.default:8200/v1/pki/ca" \
crl_distribution_points="http://vault.default:8200/v1/pki/crl"
Success! Data written to: pki/config/urls
but this is wrong, http://vault.default:8200/v1/pki/ca (and the other URL) are kubernetes internal URLs and external clients (e.g. a Browser) which would try to verify certificate validity by fetching the revocation list would fail to do so. One should configure external (ingress) URL for both of the endpoints.
The text was updated successfully, but these errors were encountered:
https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager#configure-pki-secrets-engine
says:
Configure the PKI secrets engine certificate issuing and certificate revocation list (CRL) endpoints to use the Vault service in the default namespace.
but this is wrong,
http://vault.default:8200/v1/pki/ca(and the other URL) are kubernetes internal URLs and external clients (e.g. a Browser) which would try to verify certificate validity by fetching the revocation list would fail to do so. One should configure external (ingress) URL for both of the endpoints.The text was updated successfully, but these errors were encountered: