Comment 5 for bug 1947265

Liam Young (gnuoy) wrote :

The destructive side-effect of the get-csr action is a result of the behaviour of vault, not of the charm. This is noted here https://www.vaultproject.io/api-docs/secret/pki#generate-intermediate "This will overwrite any previously existing CA private key.". It can also be seen by interacting directly with the vault api:

juju run --unit vault/0 "leader-get local-charm-access-id"
f52eeaeb-da57-088b-c3e8-0e0437a01bd6

juju ssh vault/0
export VAULT_ADDR='http://127.0.0.1:8220'
export VAULT_TOKEN=$(vault write auth/approle/login role_id=f52eeaeb-da57-088b-c3e8-0e0437a01bd6 | awk '/token\s/ {print $NF}')

# Generating a certificate works:
vault write charm-pki-local/issue/local common_name="test-0.project.serverstack" ttl="24h"

# Generating a new csr:
vault write charm-pki-local/intermediate/generate/internal common_name="Vault Intermediate Authority"
Key Value
--- -----
csr -----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----

# Generating a new certificate now fails:
ubuntu@juju-569389-20220216093413-2:~$ vault write charm-pki-local/issue/local common_name="test-0.project.serverstack" ttl="24h"
Error writing data to charm-pki-local/issue/local: Error making API request.

URL: PUT http://127.0.0.1:8220/v1/charm-pki-local/issue/local
Code: 500. Errors:

* 1 error occurred:
        * error fetching CA certificate: stored CA information not able to be parsed
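The session above shows the sequence that breaks issuance: a working `issue/<role>`, then `intermediate/generate/internal`, then the 500 "stored CA information not able to be parsed". The following is an added example, not code from the bug report or from the vault charm: a wrapper around the two HTTP endpoints that refuses to generate a new intermediate CSR while the mount still holds a CA, so the overwrite can only happen when the caller opts in. It assumes the documented Vault paths `<mount>/cert/ca`, `<mount>/intermediate/generate/internal` and `<mount>/issue/<role>`, and that `cert/ca` on a mount with no CA answers either with a non-200 status or an empty `certificate` field. The `FakeVault` class and all PEM strings are constructed stand-ins so the guard runs offline; `vault_http` is the transport you would use against a real deployment.

```python
"""Guard for the destructive side-effect described in the bug comment:
Vault's <mount>/intermediate/generate/internal replaces the mount's CA
private key, after which <mount>/issue/<role> fails with
"stored CA information not able to be parsed". The wrapper below checks
whether the mount still holds a CA before generating a CSR and refuses
unless force=True."""
import json
import urllib.error
import urllib.request


def vault_http(addr, token):
    """Return a transport: http(method, path, body) -> (status, json_body).
    Paths are relative to /v1/, as in the Vault API documentation."""
    def http(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token,
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return http


def existing_ca(http, mount):
    """PEM of the mount's current CA certificate, or None if none is stored.
    Assumption: GET <mount>/cert/ca answers with a non-200 status or an
    empty 'certificate' field when the mount has no CA yet."""
    status, payload = http("GET", f"{mount}/cert/ca")
    if status != 200:
        return None
    cert = (payload.get("data") or {}).get("certificate") or ""
    return cert if "BEGIN CERTIFICATE" in cert else None


def generate_intermediate_csr(http, mount, common_name, force=False):
    """Call intermediate/generate/internal only when it cannot destroy a
    working CA, or when the caller explicitly accepts that it will."""
    if existing_ca(http, mount) is not None and not force:
        raise RuntimeError(
            f"{mount} already has a CA; a new intermediate CSR would overwrite "
            "its private key and break issuance (pass force=True to proceed)")
    status, payload = http("POST", f"{mount}/intermediate/generate/internal",
                           {"common_name": common_name})
    if status != 200:
        raise RuntimeError(f"generate failed: {status} {payload.get('errors')}")
    return payload["data"]["csr"]


def issue_certificate(http, mount, role, common_name, ttl="24h"):
    """Equivalent of 'vault write <mount>/issue/<role> ...'; returns the
    certificate PEM or raises with Vault's error list."""
    status, payload = http("POST", f"{mount}/issue/{role}",
                           {"common_name": common_name, "ttl": ttl})
    if status != 200:
        raise RuntimeError(f"issue failed: {status} {payload.get('errors')}")
    return payload["data"]["certificate"]


class FakeVault:
    """Constructed stand-in for a Vault PKI mount (offline demo only). It
    models just two facts: the mount holds a CA, and regenerating the
    intermediate invalidates the stored key material so issuance fails."""
    CA_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-ca\n-----END CERTIFICATE-----"
    CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\nconstructed-csr\n"
               "-----END CERTIFICATE REQUEST-----")
    LEAF_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-leaf\n-----END CERTIFICATE-----"

    def __init__(self):
        self.ca_ok = True  # becomes False once the CA key is overwritten

    def __call__(self, method, path, body=None):
        _mount, _, rest = path.partition("/")
        if method == "GET" and rest == "cert/ca":
            return 200, {"data": {"certificate": self.CA_PEM}}
        if method == "POST" and rest == "intermediate/generate/internal":
            self.ca_ok = False
            return 200, {"data": {"csr": self.CSR_PEM}}
        if method == "POST" and rest.startswith("issue/"):
            if not self.ca_ok:
                return 500, {"errors": ["1 error occurred:\n\t* error fetching "
                                        "CA certificate: stored CA information "
                                        "not able to be parsed\n\n"]}
            return 200, {"data": {"certificate": self.LEAF_PEM}}
        return 404, {"errors": []}


if __name__ == "__main__":
    # Against a real deployment use vault_http(addr, token) as the transport.
    http = FakeVault()
    print(issue_certificate(http, "charm-pki-local", "local",
                            "test-0.project.serverstack")[:27])
    try:
        generate_intermediate_csr(http, "charm-pki-local",
                                  "Vault Intermediate Authority")
    except RuntimeError as err:
        print("refused:", err)
```

With the guard in place the default path is the safe one: a mount that already issues certificates keeps its key, and the overwrite documented by Vault only happens when `force=True` is passed deliberately. Matching on the "stored CA information not able to be parsed" error in issuance failures is also a useful signal for detecting that the overwrite has already happened on an existing deployment.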