When reissue-certificates fails, status becomes "error" and configuration cannot be changed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
vault-charm | Fix Released | Medium | Unassigned | |
Bug Description
When you run an action reissue-
$ juju run-action --wait vault/leader reissue-
unit-vault-0:
UnitId: vault/0
id: "14"
message: 'lib.charm.
result in notAfter 2020-08-
of the CA certificate at 2020-08-
results:
Stderr: |
All snaps up to date.
Stdout: |
none
none
active
status: failed
timing:
completed: 2020-07-09 05:24:17 +0000 UTC
enqueued: 2020-07-09 05:24:09 +0000 UTC
started: 2020-07-09 05:24:13 +0000 UTC
This error is correct, since the CA certificate will expire sooner than the date you will have for reissued certificates.
So the next step should be either
1. adjust the default-ttl to a shorter period of time
2. renew the root CA(upload-
However, for #1, since the status of vault keeps sitting in the error state, the following command doesn't take effect.
$ juju config vault default-ttl=xxxh
Therefore you cannot reissue the certificates with the desired TTL anymore. In order to update the default-ttl, you will need to run the vault CLI directly.
$ vault secrets tune -default-
After this, reissue-
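
The expiry comparison behind this error can be checked before choosing a new default-ttl. The following Python is an added example, not code from the bug report or the vault charm; the function names, the CA expiry date and the TTL values are constructed for illustration, and only the s/m/h duration suffixes and bare seconds are handled.

```python
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_ttl(ttl: str) -> timedelta:
    """Parse a duration such as '8759h', '1h30m', or a bare number of seconds."""
    ttl = ttl.strip()
    if ttl.isdigit():
        return timedelta(seconds=int(ttl))
    parts = re.findall(r"(\d+)([smh])", ttl)
    # Reject anything the pattern did not consume completely (e.g. '10d', 'xxxh').
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError(f"unsupported TTL: {ttl!r}")
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in parts))


def check_ttl(ca_not_after: datetime, ttl: str, now: datetime) -> dict:
    """Compare the leaf notAfter implied by `ttl` with the CA's notAfter."""
    leaf_not_after = now + parse_ttl(ttl)
    remaining = ca_not_after - now
    # Largest whole-hour TTL that still ends no later than the CA certificate
    # (0 if the CA has already expired).
    max_hours = max(int(remaining.total_seconds() // 3600), 0)
    return {
        "fits": leaf_not_after <= ca_not_after,
        "leaf_not_after": leaf_not_after,
        "max_ttl": f"{max_hours}h",
    }


if __name__ == "__main__":
    # Constructed sample values: the CA expiry and the TTL are not from the report.
    now = datetime(2020, 7, 9, 5, 24, 13, tzinfo=timezone.utc)
    ca_not_after = datetime(2020, 8, 1, 0, 0, 0, tzinfo=timezone.utc)
    for ttl in ("8759h", "546h"):
        result = check_ttl(ca_not_after, ttl, now)
        print(ttl, "fits" if result["fits"] else "exceeds CA expiry",
              "| leaf notAfter:", result["leaf_not_after"].isoformat(),
              "| max usable TTL:", result["max_ttl"])
```
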
Changed in vault-charm:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 20.08

Changed in vault-charm:
milestone: 20.08 → none

Changed in vault-charm:
status: Triaged → Fix Committed
milestone: none → 21.01

Changed in vault-charm:
status: Fix Committed → Fix Released

The following patch should fix the issue: https://review.opendev.org/#/c/755276/