intermediate ca: upload-signed-csr will fail if the TTL is shorter than the default value of default-ttl (8759h)

Bug #1885576 reported by Yoshi Kadokawa
Affects: vault-charm
Status: Fix Released
Importance: Undecided
Assigned to: Hemanth Nakkina

Bug Description

I have a customer deployment that runs Vault as an intermediate CA for an OpenStack deployment.
Due to security concerns, the certificate needs to be signed with a short TTL, in this case about a month.
However, when you run upload-signed-csr, it fails with the following error.

$ juju run-action --wait vault/leader upload-signed-csr \
> pem="$(base64 ~/intermediate-ca.crt)" \
> root-ca="$(base64 ~/rootca.crt)"
unit-vault-0:
  UnitId: vault/0
  id: "8"
  message: 'lib.charm.vault.VaultInvalidRequest: cannot satisfy request, as TTL would
    result in notAfter 2021-06-29T13:06:33.958635899Z that is beyond the expiration
    of the CA certificate at 2020-07-29T14:04:26Z'
  results:
    Stderr: |
      All snaps up to date.
      /var/lib/juju/agents/unit-vault-0/charm/lib/charm/vault_pki.py:203: DeprecationWarning: Call to deprecated function '_post'. This method will be removed in version '0.8.0' Please use the 'post' method on the 'hvac.adapters' class moving forward.
        json={'certificate': pem})
    Stdout: |
      none
      none
      active
  status: failed
  timing:
    completed: 2020-06-29 14:06:34 +0000 UTC
    enqueued: 2020-06-29 14:06:28 +0000 UTC
    started: 2020-06-29 14:06:29 +0000 UTC

I have configured the default-ttl to a value that is shorter than a month; however, according to the following Vault API output, it looks like it is not configured yet.

$ curl \
    -H "X-Vault-Token: ${VAULT_TOKEN}" \
    -X GET \
    ${VAULT_ADDR}/v1/sys/mounts/${CHARM_PKI_MP}/tune | jq .
{
  "default_lease_ttl": 31532400,
  "max_lease_ttl": 315360000,
  "force_no_cache": false,
  "request_id": "4164d09e-fc82-bba9-329b-8ce447eb8a67",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "default_lease_ttl": 31532400,
    "force_no_cache": false,
    "max_lease_ttl": 315360000
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

At the moment, in order to fix this situation, I could only do so by running the following command.

$ vault secrets tune -default-lease-ttl=700h charm-pki-local/

Tags: sts
tags: added: sts
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Bumped into a similar issue in a different scenario.
The Vault leader changed due to a restart of nodes, and the default-ttl has a value equivalent to the CA certificate expiry TTL (Vault acting as intermediate CA).

The unit is in failed state after unseal with the following error:

raise exceptions.InvalidRequest(message, errors=errors)
hvac.exceptions.InvalidRequest: cannot satisfy request, as TTL would result in notAfter 2021-09-07T09:13:45.964935744Z that is beyond the expiration of the CA certificate at 2021-03-06T10:09:46Z

The error is due to global client certificate generation [1].
To avoid the error, the default TTL needs to be changed to a reasonable value.
Changing the default value using juju config vault default-ttl=<reasonable value> has no effect on the unit, since the unit is in a failed state.

Workaround: set the default-ttl using Vault commands directly:
$ vault secrets tune -default-lease-ttl=<reasonable value> charm-pki-local/

Is there a better way to set the default-ttl in this scenario instead of using vault commands?

[1] https://opendev.org/openstack/charm-vault/src/branch/master/src/reactive/vault_handlers.py#L801-L831
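
The condition both of these reports hit (a mount default lease TTL that would push a freshly issued certificate's notAfter past the intermediate CA's own expiry) and the workaround of tuning the mount's default-lease-ttl can be worked through with the following Python script. This is an added example, not code from the bug report or from the vault charm: the two error messages and the 31532400-second default_lease_ttl are the values quoted above, while the helper names (parse_ttl_error, max_safe_ttl_hours, diagnose), the optional safety margin and the parsing of the error text are my own assumptions, not anything Vault or the charm provides.

```python
"""Check whether a PKI mount's default lease TTL can still be satisfied by the
intermediate CA's expiry, and compute a TTL that the CA can satisfy.

Added example, not part of the bug report or the vault charm. The error
messages and the default_lease_ttl are the values quoted in the report;
the helper names and the margin handling are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Matches the error text quoted in the report (the check is Vault's; this
# regex is only a convenience for the example).
_ERR_RE = re.compile(
    r"TTL would result in notAfter (\S+) that is beyond the expiration "
    r"of the CA certificate at (\S+)"
)

# Values taken from the report: 31532400 s is the 8759h default_lease_ttl.
DEFAULT_LEASE_TTL = 31532400
CHARM_PKI_MP = "charm-pki-local/"
ERROR_FROM_REPORT = (
    "lib.charm.vault.VaultInvalidRequest: cannot satisfy request, as TTL would "
    "result in notAfter 2021-06-29T13:06:33.958635899Z that is beyond the "
    "expiration of the CA certificate at 2020-07-29T14:04:26Z"
)
ERROR_FROM_COMMENT = (
    "hvac.exceptions.InvalidRequest: cannot satisfy request, as TTL would "
    "result in notAfter 2021-09-07T09:13:45.964935744Z that is beyond the "
    "expiration of the CA certificate at 2021-03-06T10:09:46Z"
)


def parse_vault_timestamp(text: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp as Vault prints it.

    Vault emits up to nanosecond precision (9 fractional digits), which
    datetime.fromisoformat does not accept on every Python version, so the
    fractional part is dropped before parsing.
    """
    base = re.sub(r"\.\d+", "", text.rstrip("Z"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_ttl_error(message: str):
    """Return (requested notAfter, CA expiry) from the hvac/charm error text,
    or None if the message is not the TTL-beyond-CA error."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    return parse_vault_timestamp(m.group(1)), parse_vault_timestamp(m.group(2))


def ttl_fits_ca(now: datetime, ttl_seconds: int, ca_not_after: datetime) -> bool:
    """True if a certificate issued now with this TTL would expire no later
    than the issuing CA (the condition Vault enforces)."""
    return now + timedelta(seconds=ttl_seconds) <= ca_not_after


def max_safe_ttl_hours(now: datetime, ca_not_after: datetime, margin_hours: int = 0) -> int:
    """Largest whole-hour TTL that keeps issued certificates inside the CA's
    lifetime, minus an optional safety margin; 0 if the CA is already
    expired or expires within the margin."""
    remaining = ca_not_after - now
    hours = int(remaining.total_seconds() // 3600) - margin_hours
    return max(hours, 0)


def tune_command(mount: str, ttl_hours: int) -> str:
    """The workaround command from the report, with the computed TTL."""
    return f"vault secrets tune -default-lease-ttl={ttl_hours}h {mount}"


def diagnose(message: str, ttl_seconds: int, mount: str = CHARM_PKI_MP,
             margin_hours: int = 0) -> dict:
    """Given the failing action's error text and the mount's current default
    TTL, say whether the TTL is the cause and which TTL the CA can satisfy."""
    parsed = parse_ttl_error(message)
    if parsed is None:
        return {"ttl_error": False}
    requested_not_after, ca_not_after = parsed
    # Vault computed notAfter = issue time + TTL, so the issue time is recoverable.
    issued_at = requested_not_after - timedelta(seconds=ttl_seconds)
    safe = max_safe_ttl_hours(issued_at, ca_not_after, margin_hours)
    return {
        "ttl_error": True,
        "issued_at": issued_at,
        "ca_not_after": ca_not_after,
        "fits": ttl_fits_ca(issued_at, ttl_seconds, ca_not_after),
        "safe_ttl_hours": safe,
        "fix": tune_command(mount, safe),
    }


if __name__ == "__main__":
    for msg in (ERROR_FROM_REPORT, ERROR_FROM_COMMENT):
        for key, value in diagnose(msg, DEFAULT_LEASE_TTL, margin_hours=24).items():
            print(f"{key}: {value}")
        print()
```

For the first report the script recovers an issue time of 2020-06-29T14:06:33Z (matching the action's `started` timestamp) and a CA expiry just under 30 days away, so with no margin the largest whole-hour TTL is 719h and the 700h used in the workaround fits; for the comment's scenario the CA had about 180 days left when the charm's global client certificate generation ran with the 8759h default, which is why the unit failed on unseal. The margin argument exists because a TTL that lands exactly on the CA's expiry leaves no room for renewal before the CA itself must be rotated.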

Revision history for this message
Edward Hope-Morley (hopem) wrote :
Changed in vault-charm:
assignee: nobody → Hemanth Nakkina (hemanth-n)
status: New → In Progress
milestone: none → 20.10
Revision history for this message
Edward Hope-Morley (hopem) wrote :

From what I can tell the origin of the code related to this issue is https://review.opendev.org/#/c/678161/. I am going to have a go at repro'ing the issue to make sure I understand the problem and solution.

Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Verified the submitted fix with the above reproducer script.

David Ames (thedac)
Changed in vault-charm:
milestone: 20.10 → 21.01
Changed in vault-charm:
status: In Progress → Fix Committed
Revision history for this message
Hua Zhang (zhhuabj) wrote :

Backport patch submitted to stable/20.10 - https://review.opendev.org/#/c/761500/

Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Fix released in stable/20.10

David Ames (thedac)
Changed in vault-charm:
status: Fix Committed → Fix Released