Troubleshooting Hashicorp Vault SSH Certificate Login
If you cannot log in via SSH, you can normally pass -vvv to the SSH client command to see what went wrong, but that output can be very long to read.
Another way is to run the systemctl status sshd command on the server side to check the error.
For example, the output of systemctl status sshd contained the following lines:
Dec 12 00:40:37 example-host systemd: Started OpenBSD Secure Shell server.
Dec 12 00:40:54 example-host sshd: error: Certificate invalid: expired
Dec 12 00:40:54 example-host sshd: Connection closed by authenticating user ubuntu 184.108.40.206 port 53369 [preauth]
Dec 12 00:41:12 example-host sshd: error: Certificate invalid: name is not a listed principal
Dec 12 00:41:12 example-host sshd: Connection closed by authenticating user ubuntu 220.127.116.11 port 53372 [preauth]
The first error shows that the Vault-signed certificate on the client side had expired, so the vault command needs to be rerun to regenerate the signed certificate.
The second error shows that the user name used on the client is not listed as a principal in the Vault-signed certificate, so you need to use the correct user name or configure a new role in Vault.
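As an added example (not code from the original post), the following Python script turns the manual reading of sshd log lines described above into a small triage step: it scans journal output, picks out "Certificate invalid" errors, pairs each with the "Connection closed by authenticating user" line that follows it to recover the user name and source address, and maps the two reasons discussed here (expired, principal not listed) to the matching remediation. The sample journal lines, host name and 192.0.2.x addresses are constructed for this example; the generic third pattern is an assumption that covers other "Certificate invalid" reasons OpenSSH may report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `systemctl status sshd` / journal output (not from a real host).
SAMPLE_JOURNAL = """\
Dec 12 00:40:37 example-host systemd: Started OpenBSD Secure Shell server.
Dec 12 00:40:54 example-host sshd: error: Certificate invalid: expired
Dec 12 00:40:54 example-host sshd: Connection closed by authenticating user ubuntu 192.0.2.10 port 53369 [preauth]
Dec 12 00:41:12 example-host sshd: error: Certificate invalid: name is not a listed principal
Dec 12 00:41:12 example-host sshd: Connection closed by authenticating user deploy 192.0.2.11 port 53372 [preauth]
Dec 12 00:41:30 example-host sshd: Accepted publickey for ubuntu from 192.0.2.12 port 53380 ssh2: ED25519-CERT SHA256:constructed ID vault-ubuntu-1 (serial 7)
"""

# Known certificate rejection reasons and the fix the post describes for each.
# The last, generic entry is an assumption: it catches any other reason sshd prints.
KNOWN_ERRORS = [
    (re.compile(r"Certificate invalid: expired"), "expired",
     "Re-run the vault signing command on the client to get a fresh certificate."),
    (re.compile(r"Certificate invalid: name is not a listed principal"), "principal",
     "Log in as a user listed in the certificate's principals, or add a Vault role that allows this user."),
    (re.compile(r"Certificate invalid: .+"), "other",
     "Inspect the certificate with `ssh-keygen -L -f <cert>` and compare it with the CA trusted by sshd."),
]

# syslog-style journal line with an sshd error; the optional [pid] suffix appears on some systems.
ERROR_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd(?:\[\d+\])?: error: (?P<msg>.+)$")
# The line sshd logs right after rejecting the certificate, carrying user and source address.
CLOSE_LINE = re.compile(
    r"Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")


@dataclass
class Finding:
    timestamp: str
    reason: str            # "expired", "principal" or "other"
    message: str           # the raw sshd error text
    remediation: str
    user: Optional[str] = None
    ip: Optional[str] = None
    port: Optional[int] = None


def classify_sshd_log(text: str) -> List[Finding]:
    """Return one Finding per certificate rejection found in the journal text."""
    findings: List[Finding] = []
    pending: Optional[Finding] = None  # rejection waiting for its "Connection closed" line
    for line in text.splitlines():
        err = ERROR_LINE.match(line)
        if err:
            for pattern, reason, fix in KNOWN_ERRORS:
                if pattern.search(err.group("msg")):
                    pending = Finding(err.group("ts"), reason, err.group("msg"), fix)
                    findings.append(pending)
                    break
            continue
        closed = CLOSE_LINE.search(line)
        if closed and pending is not None:
            # Attribute the rejection to the user/address that sshd reports next.
            pending.user = closed.group("user")
            pending.ip = closed.group("ip")
            pending.port = int(closed.group("port"))
            pending = None
    return findings


def report(text: str) -> List[str]:
    """Human-readable one-liners, one per finding, for quick triage."""
    return [f"{f.timestamp} user={f.user} from={f.ip} reason={f.reason}: {f.remediation}"
            for f in classify_sshd_log(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_JOURNAL):
        print(line)
```

Feed it the output of `journalctl -u sshd` (or the lines from `systemctl status sshd`) on standard input or from a file; in practice the "Accepted publickey ... -CERT" line that follows a successful login is the confirmation that the freshly signed certificate is now accepted.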