fix: Add VAULT_CACERT to vault CLI commands in ensure_vault_unsealed

- vault status and unseal commands now use CA cert for TLS verification - Fixes x509 certificate signed by unknown authority error
2026-01-09 12:29:45 -03:00 · 2026-01-09 12:29:45 -03:00 · 115b2770cb
commit 115b2770cb
parent 00acf1c76e
2 changed files with 13 additions and 12 deletions
--- a/config/directory_config.json
+++ b/config/directory_config.json
@ -1,7 +1,7 @@
 {
  "base_url": "http://localhost:8300",
  "default_org": {
-    "id": "354422182425657358",
+    "id": "354797876871692302",
    "name": "default",
    "domain": "default.localhost"
  },
@ -13,8 +13,8 @@
    "first_name": "Admin",
    "last_name": "User"
  },
-  "admin_token": "DNSctgJla8Kl3rWXa1Pk6vqbeiRGixGLfDhQ80m0fNI5H-5Lh4NJBs68bMwFFleh14Xtsto",
-  "project_id": "354422182828310542",
-  "client_id": "354423066903773198",
-  "client_secret": "hsUDIhIA0aaDD52mpzci12DR1ot8g7x1T1DoTJmVzIQ3Y273eDEWYFXiN6pcTVJf"
-}
+  "admin_token": "oU_rp4E81exidBP-jyaGcoKI1Ckoz-_U2O4BCMPmasKHktVw0ja2hP506-Bf-MD1JsqWl2A",
+  "project_id": "",
+  "client_id": "354797877458960398",
+  "client_secret": "k4MLtkaRFuKkJwfubZCN5g7UZT8GJttzYb1Zjb48Xo3OesQPeBsVC3xjhsn8uvrL"
+}
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
@ -633,6 +633,7 @@ impl BootstrapManager {
    async fn ensure_vault_unsealed(&self) -> Result<()> {
        let vault_init_path = self.stack_dir("conf/vault/init.json");
        let vault_addr = "https://localhost:8200";
+        let vault_cacert = "./botserver-stack/conf/system/certificates/ca/ca.crt";

        if !vault_init_path.exists() {
            return Err(anyhow::anyhow!(
@ -673,8 +674,8 @@ impl BootstrapManager {
            }

            let status_cmd = format!(
-                "VAULT_ADDR={} {} status -format=json 2>&1",
-                vault_addr, vault_bin
+                "VAULT_ADDR={} VAULT_CACERT={} {} status -format=json 2>&1",
+                vault_addr, vault_cacert, vault_bin
            );
            let status_output = safe_sh_command(&status_cmd)
                .ok_or_else(|| anyhow::anyhow!("Failed to execute vault status command"))?;
@ -714,8 +715,8 @@ impl BootstrapManager {
            if sealed {
                info!("Unsealing Vault...");
                let unseal_cmd = format!(
-                    "VAULT_ADDR={} {} operator unseal {} >/dev/null 2>&1",
-                    vault_addr, vault_bin, unseal_key
+                    "VAULT_ADDR={} VAULT_CACERT={} {} operator unseal {} >/dev/null 2>&1",
+                    vault_addr, vault_cacert, vault_bin, unseal_key
                );
                let unseal_output = safe_sh_command(&unseal_cmd)
                    .ok_or_else(|| anyhow::anyhow!("Failed to execute vault unseal command"))?;
@ -727,8 +728,8 @@ impl BootstrapManager {

                tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
                let verify_cmd = format!(
-                    "VAULT_ADDR={} {} status -format=json 2>/dev/null",
-                    vault_addr, vault_bin
+                    "VAULT_ADDR={} VAULT_CACERT={} {} status -format=json 2>/dev/null",
+                    vault_addr, vault_cacert, vault_bin
                );
                let verify_output = safe_sh_command(&verify_cmd)
                    .ok_or_else(|| anyhow::anyhow!("Failed to verify vault status"))?;