root ca chain is not available when using self-signed certificates

Bug #2031116 reported by Matus Kosut
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| vault-charm | New | Undecided | Unassigned | |

Bug Description

I was debugging an issue with the charm-ceph-dashboard charm when the application was not serving the CA chain properly and causing trust issues.

When looking into the charm code I discovered a comment pointing back at the vault configuration:

> A root ca chain is not always available. If configured to just use vault with self-signed certificates, you will not get a ca chain. Instead, you will get a CAClientError being raised. For now, use a bytes() object for the root_ca_chain as it shouldn't cause problems and if a ca_cert_chain comes later, then it will get updated.

https://opendev.org/openstack/charm-ceph-dashboard/src/commit/f5684e545d5263552ee548507ddda4db6b6bf73b/src/charm.py#L501

I tried to look into the charm-vault code and the tls-certificates relation, but haven't gained much more understanding of if/why this is an issue.

Could someone help explain this? Also, is there any way to get the CA chain working while using self-signed certificates?
