When reissue-certificates fails, the status becomes "error" and the configuration cannot be changed

Bug #1886907 reported by Yoshi Kadokawa
Affects: vault-charm
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

When you run the reissue-certificates action with an inappropriate default-ttl, you get the following ERROR.

$ juju run-action --wait vault/leader reissue-certificates
unit-vault-0:
  UnitId: vault/0
  id: "14"
  message: 'lib.charm.vault.VaultInvalidRequest: cannot satisfy request, as TTL would
    result in notAfter 2020-08-08T15:24:16.931003626Z that is beyond the expiration
    of the CA certificate at 2020-08-08T05:16:06Z'
  results:
    Stderr: |
      All snaps up to date.
    Stdout: |
      none
      none
      active
  status: failed
  timing:
    completed: 2020-07-09 05:24:17 +0000 UTC
    enqueued: 2020-07-09 05:24:09 +0000 UTC
    started: 2020-07-09 05:24:13 +0000 UTC

This error is correct, since the CA certificate will expire sooner than the notAfter date the reissued certificates would have.
So the next step should be either:
1. adjust the default-ttl to a shorter period of time
2. renew the root CA (upload-signed-csr or generate-root-ca) with the expected date

However, for #1, since the status of vault keeps sitting in the error state, the following command does not take effect.

$ juju config vault default-ttl=xxxh

Therefore you cannot reissue the certificates with the desired TTL any more. In order to update the default-ttl, you will need to run the vault CLI directly.

$ vault secrets tune -default-lease-ttl=xxxh charm-pki-local/

After this, reissue-certificates will successfully complete.
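The check that produced the error above can be reproduced offline: Vault refuses to issue a certificate whose notAfter (issuance time plus default-ttl) falls after the CA's own expiry. The following is an added example, not code from the report or the vault charm; it parses Vault-style TTL strings and RFC 3339 timestamps (including Go's nanosecond fractions) and derives the largest whole-hour default-ttl that the CA in this report could still satisfy. The issuance time is assumed to be the timestamp embedded in the reported notAfter minus the charm's TTL.

```python
import re
from datetime import datetime, timedelta, timezone

# Vault duration strings, e.g. "730h", "1h30m", "90s".
_UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_vault_duration(text):
    """Parse a Vault-style duration such as '730h' or '1h30m' into a timedelta."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised Vault duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in parts))


def parse_rfc3339(text):
    """Parse an RFC 3339 UTC timestamp as printed by Vault/Go.

    Go prints up to nine fractional digits; Python only keeps six, so the
    fraction is truncated (or zero-padded) before parsing.
    """
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", text)
    if not m:
        raise ValueError(f"unrecognised RFC 3339 timestamp: {text!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    naive = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def ttl_fits_ca(issued_at, ca_not_after, ttl_text):
    """Return (ok, not_after): ok is False when the leaf would outlive its CA."""
    not_after = issued_at + parse_vault_duration(ttl_text)
    return not_after <= ca_not_after, not_after


def max_whole_hour_ttl(issued_at, ca_not_after):
    """Largest 'Nh' default-ttl that keeps leaf certificates inside the CA lifetime."""
    hours = int((ca_not_after - issued_at).total_seconds() // 3600)
    if hours < 1:
        raise ValueError("CA certificate expires in under an hour; renew it instead")
    return f"{hours}h"


# Values from the reported error; the issuance time is an assumption (notAfter - 730h).
CA_NOT_AFTER = parse_rfc3339("2020-08-08T05:16:06Z")
ISSUED_AT = parse_rfc3339("2020-08-08T15:24:16.931003626Z") - parse_vault_duration("730h")

if __name__ == "__main__":
    ok, not_after = ttl_fits_ca(ISSUED_AT, CA_NOT_AFTER, "730h")
    print(f"730h -> notAfter {not_after.isoformat()} fits CA: {ok}")
    print("largest admissible default-ttl:", max_whole_hour_ttl(ISSUED_AT, CA_NOT_AFTER))
```

With the report's dates the original 730h TTL is rejected exactly as in the action output, while 719h is the largest whole-hour value that `juju config vault default-ttl=...` (or `vault secrets tune`) could be set to without renewing the CA.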

Changed in vault-charm:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 20.08
James Page (james-page)
Changed in vault-charm:
milestone: 20.08 → none
Hemanth Nakkina (hemanth-n) wrote:

The following patch should fix the issue:
https://review.opendev.org/#/c/755276/

Changed in vault-charm:
status: Triaged → Fix Committed
milestone: none → 21.01
David Ames (thedac)
Changed in vault-charm:
status: Fix Committed → Fix Released