intermediate ca: upload-signed-csr will fail if the TTL is shorter than the default value of default-ttl (8759h)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vault-charm | Fix Released | Undecided | Hemanth Nakkina | 
Bug Description
I have a customer deployment that runs Vault as an intermediate CA for an OpenStack deployment.
Due to security concerns, the certificate needs to be signed with a short TTL, in this case about a month.
However, when you run upload-signed-csr, it fails with the following error.
$ juju run-action --wait vault/leader upload-signed-csr \
> pem="$(base64 ~/intermediate-
> root-ca="$(base64 ~/rootca.crt)"
unit-vault-0:
UnitId: vault/0
id: "8"
message: 'lib.charm.
result in notAfter 2021-06-
of the CA certificate at 2020-07-
results:
Stderr: |
All snaps up to date.
/
Stdout: |
none
none
active
status: failed
timing:
completed: 2020-06-29 14:06:34 +0000 UTC
enqueued: 2020-06-29 14:06:28 +0000 UTC
started: 2020-06-29 14:06:29 +0000 UTC
I have configured the default-ttl to a value shorter than a month; however, according to the following Vault API output, it looks like it is not configured yet.
$ curl \
-H "X-Vault-Token: ${VAULT_TOKEN}" \
-X GET \
${VAULT_
{
"default_
"max_lease_ttl": 315360000,
"force_no_cache": false,
"request_id": "4164d09e-
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"default_
"force_
"max_
},
"wrap_info": null,
"warnings": null,
"auth": null
}
At the moment, the only way I could fix this situation was by running the following command.
$ vault secrets tune -default-
Change | Old → New
---|---
tags | added: sts
milestone (vault-charm) | 20.10 → 21.01
status (vault-charm) | In Progress → Fix Committed
status (vault-charm) | Fix Committed → Fix Released
Bumped into a similar issue in a different scenario.
The Vault leader changed due to a restart of the nodes, and default-ttl has a value equivalent to the CA certificate expiry TTL (Vault acting as intermediate CA).
The unit is in a failed state after unseal with the following error:
    raise exceptions.InvalidRequest(message, errors=errors)
hvac.exceptions.InvalidRequest: cannot satisfy request, as TTL would result in notAfter 2021-09-07T09:13:45.964935744Z that is beyond the expiration of the CA certificate at 2021-03-06T10:09:46Z
The error is due to global client certificate generation [1].
To avoid the error, the default TTL needs to be changed to a reasonable value.
Changing the default value using juju config vault default-ttl=<reasonable value> has no effect on the unit since the unit is in a failed state.
Workaround: set the default-ttl using vault commands directly:
$ vault secrets tune -default-lease-ttl=<reasonable value> charm-pki-local/
Is there a better way to set the default-ttl in this scenario instead of using vault commands?
[1] https://opendev.org/openstack/charm-vault/src/branch/master/src/reactive/vault_handlers.py#L801-L831
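Both the original report and the comment above fail on the same check: Vault computes the leaf certificate's notAfter as the issuance time plus the TTL, and if no TTL is set on the request or the PKI role it uses the mount's default_lease_ttl (8759h by charm default), which cannot fit inside an intermediate CA signed for a month. The following is an added example, not code from the vault charm, Vault or hvac. It reproduces that comparison in stdlib-only Python, using the two timestamps from the traceback above, and derives the largest whole-hour value that can be passed to `vault secrets tune -default-lease-ttl=...` on the `charm-pki-local/` mount. The `now` value is constructed so that now + 8759h reproduces the notAfter Vault reported; the one-hour margin is an assumption of this example.

```python
"""Mirror Vault's "TTL would result in notAfter ... beyond the expiration of the
CA certificate" check and derive a safe default TTL for a PKI mount.

Added example for this bug report (not code from the vault charm, Vault or hvac).
"""
import re
from datetime import datetime, timedelta, timezone

_RFC3339_UTC = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z$"
)
_DURATION_PART = re.compile(r"(\d+)([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse the UTC timestamps Vault prints, e.g. 2021-09-07T09:13:45.964935744Z.

    Vault emits nanosecond fractions and datetime.fromisoformat() does not take
    nine fractional digits on every Python version, so the fraction is parsed
    by hand and truncated to microseconds.
    """
    m = _RFC3339_UTC.match(ts.strip())
    if not m:
        raise ValueError(f"not an RFC 3339 UTC timestamp: {ts!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros,
                    tzinfo=timezone.utc)


def parse_vault_duration(value: str) -> timedelta:
    """Parse a TTL as accepted by `vault secrets tune -default-lease-ttl`.

    Accepts a bare integer (seconds, the form sys/mounts/<path>/tune returns,
    e.g. 315360000) and Go-style strings such as 8759h, 30d or 1h30m.
    """
    value = value.strip()
    if value.isdigit():
        return timedelta(seconds=int(value))
    parts = _DURATION_PART.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"not a Vault duration: {value!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def ttl_fits_ca(now: datetime, ttl: timedelta, ca_not_after: datetime):
    """Return (ok, leaf_not_after).

    This is the comparison behind the error in the bug: the leaf would expire
    at now + ttl, and Vault rejects the request if that is after the CA's
    notAfter.
    """
    leaf_not_after = now + ttl
    return leaf_not_after <= ca_not_after, leaf_not_after


def safe_default_ttl(now: datetime, ca_not_after: datetime,
                     margin: timedelta = timedelta(hours=1)) -> str:
    """Largest whole-hour TTL that keeps issued certs inside the CA's validity.

    `margin` (an assumption of this example) absorbs clock skew between client
    and Vault and the delay before `vault secrets tune` actually runs. Raises
    if the CA is about to expire: shortening TTLs cannot rescue that case, the
    intermediate has to be re-signed.
    """
    remaining = ca_not_after - now - margin
    if remaining < timedelta(hours=1):
        raise ValueError("CA certificate expires within the margin; re-sign the "
                         "intermediate instead of shortening the default TTL")
    return f"{int(remaining.total_seconds()) // 3600}h"


# Constructed scenario: CA expiry is the value from the traceback in the comment
# above; `now` is chosen so that now + the charm default of 8759h reproduces the
# notAfter Vault reported there.
CA_NOT_AFTER = "2021-03-06T10:09:46Z"
NOW = "2020-09-07T10:13:45.964935744Z"
CHARM_DEFAULT_TTL = "8759h"

if __name__ == "__main__":
    now = parse_rfc3339_utc(NOW)
    ca = parse_rfc3339_utc(CA_NOT_AFTER)
    ok, leaf = ttl_fits_ca(now, parse_vault_duration(CHARM_DEFAULT_TTL), ca)
    print(f"default {CHARM_DEFAULT_TTL}: leaf notAfter {leaf.isoformat()}, fits CA: {ok}")
    print(f"vault secrets tune -default-lease-ttl={safe_default_ttl(now, ca)} charm-pki-local/")
```

Re-run the script each time the intermediate is re-signed: the safe value shrinks as the CA approaches expiry, so a one-off tune is only good for one CA lifetime, which is exactly the situation the leader-change comment describes.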