Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault PKI will stop providing certificates when the CA has less than 90 days to expire #500

Closed
saltiyazan opened this issue Sep 20, 2024 · 0 comments · Fixed by #506
Closed

Vault PKI will stop providing certificates when the CA has less than 90 days to expire #500

saltiyazan opened this issue Sep 20, 2024 · 0 comments · Fixed by #506
Labels
bug Something isn't working

Comments

@saltiyazan
Copy link
Contributor

saltiyazan commented Sep 20, 2024
edited
Loading

Bug Description

Vault by default will have 90 days asa validity for the certificates signed using PKI. Vault will also prevent the issuer from signing certificates that would outlive the CA cert of the issuer, therefore the issuer won't provide any certificates when it is 90 days or less to its expiry as the charm currently doesn't renew the issuer before that period.

To Reproduce

  1. Deploy Vault
  2. Deploy self signed certs
  3. configure self signed certs to use short validity times
  4. Integrate both charm
  5. Deploy a requirer
  6. Integrate the requirer with Vault
  7. Observer the issue when the CA has not yet expired but entered the period described above (by default this should happen right away as the charm relies on the default ttl of issued certificates)

Environment

Not relevant

Relevant log output

cannot satisfy request, as TTL would result in notAfter <date and time> that is beyond the expiration of the CA certificate at <date and time>

Additional context

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Makes sure there always is an active issuer in Vault PKI canonical/vault-k8s-operator
1 participant
@saltiyazan