Troubleshooting Hashicorp Vault SSH Certificate Login

Posted on by Bian Xi

Troubleshooting Hashicorp Vault SSH Certificate Login

If can not login via SSH, normally can use -vvv as SSH option in SSH client command to verify, but it could be very long to read.

Another way is use systemctl status sshd command at server side to check the error.

For example, the output of systemctl status sshd got following lines,

Dec 12 00:40:37 example-host systemd[1]: Started OpenBSD Secure Shell server.
Dec 12 00:40:54 example-host sshd[22712]: error: Certificate invalid: expired
Dec 12 00:40:54 example-host sshd[22712]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53369 [preauth]
Dec 12 00:41:12 example-host sshd[22716]: error: Certificate invalid: name is not a listed principal
Dec 12 00:41:12 example-host sshd[22716]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53372 [preauth]

The first error shows vault signed certificate at client side had expired, need to rerun vault command to regenerate signed certificate.

The second error shows the user name was used in client is not listed in vault signed certificate, so need to use correct user name or configure a new role in the vault.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


The reCAPTCHA verification period has expired. Please reload the page.