I've been trying for about a week to set up a HashiCorp Vault environment, but have gotten stuck at setting up the last part: HAProxy, as I am unable to forward my Client Certificate to my backend.

My current setup on the HAProxy is this:

frontend vaultfrontend
        mode http
        bind *:8200 ssl crt /home/administrator/tls.crt verify none
        redirect scheme https code 301 if !{ ssl_fc }
        default_backend vaultbackend
backend vaultbackend
        mode http
        timeout check 5s

        option httpchk
        http-check connect ssl
        http-check send meth GET uri /v1/sys/health
        http-check expect status 200

        server a.vault a.vault.test.local:8200 ssl verify none check
        server b.vault b.vault.test.local:8200 ssl verify none check
        server c.vault c.vault.test.local:8200 ssl verify none check

My backend vault servers are running SSL with Windows CA signed certificates, and work just fine through their respective URLs. The HAProxy has a signed certificate allowing people to connect to it via this URL: https://vault.test.local:8200, which works as expected.

The issue arises when I try to access the Vaults via HashiCorp Vault's Cert Auth authentication method. Whenever I try to authenticate via https://vault.test.local:8200, which is the HAProxy, I get an error message saying there's a lack of Client Certificate in the request: ({"errors":["client certificate must be supplied"]})

It however works perfectly fine if I directly target my Vault servers instead.

I've tried to edit the config to include this: http-request set-header X-Client-Cert %{+Q}[ssl_c_der,base64] with different variations, but it changes nothing. It really seems to me like HAProxy for whatever reason will not take my X-Client-Certificate being sent from my VaultSharp application (C#) and forward it.

Does anyone have a setup like this that works, or at least have any idea what the issue might be?

slamjam
  • It looks like this is an issue between HAProxy and Vault, so you may want to try this question in the Vault GitHub Issues? Let me know if there are any VaultSharp-specific issues. – Raja Nadar Oct 10 '22 at 07:18

1 Answer

I finally got it solved. The issue is that performing SSL termination with HAProxy will always cause the Client Certificate to get lost (at least from all the things I ended up trying...).

The solution is to do SSL passthrough instead, and the Client Certificate will then be read by the Vault environment correctly.

It would look something like this:

frontend vaultfrontend
        mode tcp
        # No 'ssl' on the bind: the client's TLS session is passed through to Vault untouched,
        # so the client certificate is presented to Vault itself during its TLS handshake.
        bind *:8200
        # (A 'redirect scheme https' rule is an HTTP action and does not apply in tcp mode,
        # so it is left out here.)
        default_backend vaultbackend
backend vaultbackend
        mode tcp
        timeout check 5s

        # Health checks still speak HTTPS to Vault, independently of the passthrough traffic
        option httpchk
        http-check connect ssl
        http-check send meth GET uri /v1/sys/health
        http-check expect status 200

        # No 'ssl' on the servers: HAProxy must not re-encrypt the forwarded TLS stream.
        # 'verify none' only affects the health-check connection above.
        server a.vault a.vault.test.local:8200 verify none check
        server b.vault b.vault.test.local:8200 verify none check
        server c.vault c.vault.test.local:8200 verify none check
slamjam
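An added check, not from the question or answer and not an HAProxy tool, that scans a constructed HAProxy config for the pitfalls discussed above: a terminating bind (where Vault can never see the client certificate, and `verify none` never even requests one) and, on a tcp-mode passthrough path, an `ssl` server option or a `redirect` rule. The sample configs are constructed from the shapes shown in the thread, not the poster's real files.

```python
import re

# Constructed sample configs (not the poster's files): termination as in the question, passthrough as in the answer.
TERMINATING = """
frontend vaultfrontend
    mode http
    bind *:8200 ssl crt /etc/haproxy/tls.pem verify none
backend vaultbackend
    mode http
    server a.vault a.vault.test.local:8200 ssl verify none check
"""
PASSTHROUGH = """
frontend vaultfrontend
    mode tcp
    bind *:8200
backend vaultbackend
    mode tcp
    server a.vault a.vault.test.local:8200 verify none check
"""

def parse_sections(cfg):
    """Group directive lines (split into words) by their frontend/backend/listen section."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(frontend|backend|listen)\s+(\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current and line:
            sections[current].append(line.split())
    return sections

def client_cert_findings(cfg):
    """Return reasons why a TLS client certificate would not reach Vault through this config."""
    findings = []
    for (kind, name), lines in parse_sections(cfg).items():
        # Per-section mode only; a 'defaults' mode is not inherited by this simplified check.
        mode = next((w[1] for w in lines if w[0] == "mode"), "tcp")
        for words in lines:
            if words[0] == "bind" and "ssl" in words:
                # TLS ends at HAProxy, so Vault only ever sees HAProxy's own connection.
                findings.append(f"{kind} {name}: bind terminates TLS, Vault cannot see the client cert")
                if re.search(r"\bverify none\b", " ".join(words)):
                    findings.append(f"{kind} {name}: 'verify none' never even requests a client cert")
            if words[0] == "server" and "ssl" in words and mode == "tcp":
                findings.append(f"{kind} {name}: 'ssl' on a tcp-mode server re-wraps the client's TLS stream")
            if words[0] == "redirect" and mode == "tcp":
                findings.append(f"{kind} {name}: 'redirect' is an HTTP action and is ignored in tcp mode")
    return findings
```

Running `client_cert_findings` over the terminating sample reports two findings, over the passthrough sample none.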