default-ttl is not applied for the initially created certificates

Bug #1867847 reported by Yoshi Kadokawa
Affects: vault-charm; Status: Triaged; Importance: Low; Assigned to: Unassigned

Bug Description

With the following example bundle, I have set default-ttl to 43800 hours, which is 5 years;
however, the certificate in keystone is created with an expiration date of 1 year.

series: bionic
applications:
  keystone:
    charm: cs:keystone
    num_units: 1
    options:
      worker-multiplier: 0.1
      os-admin-hostname: keystone-admin.test
      os-internal-hostname: keystone-internal.test
      os-public-hostname: keystone.test
  mysql:
    charm: cs:percona-cluster
    num_units: 1
    options:
      innodb-buffer-pool-size: 256M
      performance-schema: True
      max-connections: 1000
  vault:
    charm: cs:vault
    num_units: 1
    options:
      auto-generate-root-ca-cert: true
      totally-unsecure-auto-unlock: true
      default-ttl: 43800h

relations:
  - [ keystone, mysql ]
  - [ "vault:shared-db", "mysql:shared-db"]
  - ["vault:certificates", "keystone:certificates"]

The bundle uses totally-unsecure-auto-unlock as True, but I have also tested with the proper unsealing process, and I still see the same issue.

The workaround, for now, is to run the following after deployment is completed.

$ juju run-action --wait vault/leader reissue-certificates
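A check for the mismatch the report describes, added here as an example; it is not code from the vault charm or from the reporter. It parses the notBefore/notAfter lines that `openssl x509 -noout -dates` prints for the certificate keystone received, parses the bundle's default-ttl value in Vault's duration syntax, and reports whether the issued lifetime honours the TTL. The sample dates below are constructed to match the one-year certificate the report observed.

```python
"""Compare an issued certificate's lifetime with the configured Vault default-ttl."""
import re
from datetime import datetime, timedelta

# Vault duration strings use Go's syntax ("43800h", "90m", "1h30m") plus a
# "d" suffix for days; a bare integer is taken as seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_vault_ttl(ttl):
    """Return the TTL as a timedelta, rejecting anything that is not a duration."""
    ttl = ttl.strip()
    if ttl.isdigit():
        return timedelta(seconds=int(ttl))
    parts = re.findall(r"(\d+(?:\.\d+)?)([smhd])", ttl)
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError("unrecognised TTL: %r" % ttl)
    return timedelta(seconds=sum(float(n) * _UNITS[u] for n, u in parts))


def parse_openssl_dates(text):
    """Parse 'notBefore=...' / 'notAfter=...' lines as printed by openssl x509 -dates."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space; collapse the whitespace first.
            found[key] = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return found["notBefore"], found["notAfter"]


def check_ttl(openssl_dates, configured_ttl, tolerance=timedelta(hours=1)):
    """Report issued vs expected lifetime; tolerance absorbs Vault's notBefore backdating."""
    not_before, not_after = parse_openssl_dates(openssl_dates)
    issued = not_after - not_before
    expected = parse_vault_ttl(configured_ttl)
    return {
        "issued_hours": issued.total_seconds() / 3600,
        "expected_hours": expected.total_seconds() / 3600,
        "honours_ttl": abs(issued - expected) <= tolerance,
    }


# Constructed sample: a one-year certificate, as seen in the report, against default-ttl 43800h.
SAMPLE_DATES = """notBefore=Mar 17 02:10:00 2020 GMT
notAfter=Mar 17 02:10:00 2021 GMT
"""

if __name__ == "__main__":
    print(check_ttl(SAMPLE_DATES, "43800h"))  # honours_ttl is False for the sample
```

Feed it the output of `openssl x509 -noout -dates -in <cert.pem>` taken from the keystone unit (path is a placeholder); a False result reproduces the report, and after `reissue-certificates` the same check should come back True.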

Changed in vault-charm:
importance: Undecided → Low
status: New → Triaged