I have a customer deployment that runs Vault as intermediate CA for OpenStack deployment.
Due to security concerns, the certificate need to be signed with a short TTL, in this case for about a month.
However, when you do upload-signed-csr, it will fail with the following error.
$ juju run-action --wait vault/leader upload-signed-csr \
> pem="$(base64 ~/intermediate-ca.crt)" \
> root-ca="$(base64 ~/rootca.crt)"
unit-vault-0:
UnitId: vault/0
id: "8"
message: 'lib.charm.vault.VaultInvalidRequest: cannot satisfy request, as TTL would
result in notAfter 2021-06-29T13:06:33.958635899Z that is beyond the expiration
of the CA certificate at 2020-07-29T14:04:26Z'
results:
Stderr: |
All snaps up to date.
/var/lib/juju/agents/unit-vault-0/charm/lib/charm/vault_pki.py:203: DeprecationWarning: Call to deprecated function '_post'. This method will be removed in version '0.8.0' Please use the 'post' method on the 'hvac.adapters' class moving forward.
json={'certificate': pem})
Stdout: |
none
none
active
status: failed
timing:
completed: 2020-06-29 14:06:34 +0000 UTC
enqueued: 2020-06-29 14:06:28 +0000 UTC
started: 2020-06-29 14:06:29 +0000 UTC
I have configured the default-ttl to a value that is shorter than a month, however, according to the following vault API output, it looks like it is not configured yet.
$ curl \
-H "X-Vault-Token: ${VAULT_TOKEN}" \
-X GET \
${VAULT_ADDR}/v1/sys/mounts/${CHARM_PKI_MP}/tune | jq .
{
"default_lease_ttl": 31532400,
"max_lease_ttl": 315360000,
"force_no_cache": false,
"request_id": "4164d09e-fc82-bba9-329b-8ce447eb8a67",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"default_lease_ttl": 31532400,
"force_no_cache": false,
"max_lease_ttl": 315360000
},
"wrap_info": null,
"warnings": null,
"auth": null
}
At the moment, in order to fix this situation, I only could do this by running the following command.
$ vault secrets tune -default-lease-ttl=700h charm-pki-local/
Bumped into similar issue on a different scenario.
The Vault leader is changed due to restart of nodes and the default-ttl has value equivalent to CA certificate expiry ttl (Vault acting as intermediate CA)
The unit is in failed state after unseal with the following error:
raise exceptions.
hvac.exceptions
The error is due to global client certificate generation [1]
To avoid the error, need to change the default ttl to a reasonable value.
Changing the default value using juju config vault default-
Workaround: to set the default-ttl using vault commands directly
$ vault secrets tune -default-
Is there a better way to set the default-ttl in this scenario instead of using vault commands?
[1] https:/