ssl cert update doesn't restart vault

Bug #1912261 reported by Arif Ali
This bug affects 2 people
Affects: vault-charm
Status: Fix Committed
Importance: Undecided
Assigned to: Samuel Allan
Milestone: (none)

Bug Description

When updating the ssl certificates using the method below, we would expect vault to restart, so that vault status would use the new key

    juju config vault \
        ssl-cert="$(base64 servercert.pem)" \
        ssl-ca="$(base64 cacert.pem)" \
        ssl-key="$(base64 serverkey.pem)"

However, we get the following error instead, showing that the certificate has actually expired:

    Error checking seal status: Get https://10.0.1.211:8200/v1/sys/seal-status: x509: certificate has expired or is not yet valid

The workaround is to restart vault, which will then pick up the new certs.

It is understood that vault shouldn't restart automatically, but at minimum juju status output should notify the user that a restart is required for the certs to be reflected in the current running environment.

Changed in vault-charm:
status: New → In Progress
assignee: nobody → Samuel Walladge (swalladge)
Revision history for this message
Samuel Allan (samuelallan) wrote (last edit):

patch: https://review.opendev.org/c/openstack/charm-vault/+/846235

(This proposed fix works by automatically triggering vault to reload, which will reload the certificate files. So we can get the best of both worlds here: automatic and doesn't reseal vault.)

Samuel Allan (samuelallan) wrote:

> It is understood that vault shouldn't restart automatically

Note that this doesn't seem to be the case - the charm will already restart vault automatically if any templated config file changed during updating configuration.

Nobuto Murata (nobuto) wrote:

Subscribing ~field-medium.

Nobuto Murata (nobuto) wrote:

For the record, I've tested the patchset 5 in https://review.opendev.org/c/openstack/charm-vault/+/846235/5 (reload strategy) and confirmed it's working as expected on reloading the new cert.

Here is how I tested:

[current charm]

1. deploy Vault with ssl-cert, ssl-key (and optionally ssl-chain or ssl-ca)
2. check the valid date of the cert

$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Apr 5 06:24:57 2021 GMT

3. upload a new cert/key with charm configs
4. check the valid date again

$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Apr 5 06:24:57 2021 GMT
-> unchanged

[proposed charm]

3. upload a new cert/key with charm configs

$ juju config vault \
    ssl-cert="$(cat cert9.pem | base64)" \
    ssl-key="$(cat privkey9.pem | base64)" \
    ssl-chain="$(cat chain9.pem | base64)"

4. check the valid date again

$ curl -ksv https://localhost:8200/ |& grep 'expire date:'
* expire date: Jul 31 09:15:51 2022 GMT
-> updated as expected

5. double check Vault is unsealed still

$ vault status | grep Sealed
Sealed false
-> unsealed as expected since there was only reload of the service instead of restart.
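
The manual checks in the test above (served cert expiry via `curl -ksv`, then `vault status` for the seal state) can be scripted as one post-rotation verification. This is an added example, not code from the bug report or the charm; it assumes the same `https://localhost:8200/` endpoint and compares the served expiry against `openssl x509 -enddate` on the new cert file (`cert9.pem` is an assumed filename).

```python
"""Verify a Vault TLS cert rotation was picked up (reload) without resealing.

Parses the outputs a reviewer would otherwise eyeball: curl's TLS trace line,
openssl's notAfter line for the new cert on disk, and `vault status`.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

VAULT_ADDR = "https://localhost:8200/"  # assumption: endpoint used in the test above
DATE_FMT = "%b %d %H:%M:%S %Y %Z"       # e.g. "Jul 31 09:15:51 2022 GMT"
CURL_EXPIRE_RE = re.compile(r"expire date:\s*(.+?)\s*$", re.MULTILINE)
OPENSSL_ENDDATE_RE = re.compile(r"notAfter=\s*(.+?)\s*$", re.MULTILINE)
SEALED_RE = re.compile(r"^Sealed\s+(true|false)\s*$", re.MULTILINE | re.IGNORECASE)


def _parse_date(text: str, pattern: re.Pattern) -> datetime:
    m = pattern.search(text)
    if not m:
        raise ValueError(f"no match for {pattern.pattern!r}")
    raw = " ".join(m.group(1).split())  # collapse the padded day ("Apr  5")
    return datetime.strptime(raw, DATE_FMT).replace(tzinfo=timezone.utc)


def served_expiry(curl_verbose: str) -> datetime:
    """Expiry of the cert Vault is serving, from curl's '* expire date:' trace line."""
    return _parse_date(curl_verbose, CURL_EXPIRE_RE)


def file_expiry(openssl_enddate: str) -> datetime:
    """Expiry of the cert on disk, from `openssl x509 -noout -enddate -in cert.pem`."""
    return _parse_date(openssl_enddate, OPENSSL_ENDDATE_RE)


def is_sealed(vault_status: str) -> bool:
    """Sealed flag from `vault status` output; raises if the line is missing."""
    m = SEALED_RE.search(vault_status)
    if not m:
        raise ValueError("no 'Sealed' line in vault status output")
    return m.group(1).lower() == "true"


def rotation_ok(curl_verbose: str, openssl_enddate: str, vault_status: str) -> dict:
    """'reloaded' is True only when the served cert's expiry matches the new file's;
    'sealed' must stay False, which is the point of reload over restart."""
    served, on_disk = served_expiry(curl_verbose), file_expiry(openssl_enddate)
    return {"reloaded": served == on_disk, "sealed": is_sealed(vault_status)}


def _run(*cmd: str) -> str:  # merge stderr: curl writes its TLS trace there
    return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True).stdout


if __name__ == "__main__":
    new_cert = sys.argv[1] if len(sys.argv) > 1 else "cert9.pem"  # assumed filename
    print(rotation_ok(_run("curl", "-ksv", VAULT_ADDR),
                      _run("openssl", "x509", "-noout", "-enddate", "-in", new_cert),
                      _run("vault", "status")))
```

Run it right after the `juju config vault ssl-...` call; `{'reloaded': True, 'sealed': False}` is the outcome the proposed charm produces, while the current charm gives `reloaded: False` until vault is restarted.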

Changed in vault-charm:
status: In Progress → Fix Committed