juju run-action vault/0 --wait reissue-certificates

Dear all,

I read all the docs and browsed through all possible forums, and I also found out here that:

Vault does not currently support automatic renewal of the certificates that it generates, but you can easily renew the certificates for the entire cluster with:

juju run-action vault/0 --wait reissue-certificates

I tried it, but the certificate did not change. There are still the same certs in /root/cdk; no change has been made. I also tried to use other units of Vault (I have an HA 3-node setup), but no change.

Is there anything I missed?

I’m using k8s 1.22.11, Juju 2.9.28-ubuntu-amd64, Ubuntu 20.04 LTS.

Thank you
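A quick way to settle the question raised above ("did the action rewrite anything in /root/cdk?") is to fingerprint the certificate files before and after running the action and report which ones changed. The following script is an added example, not part of this thread or of the vault charm; it assumes the certificate files live in a single directory with .crt/.key/.pem names and that sha256sum is available on the unit.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a certificate reissue
# action actually rewrote any files in a directory such as /root/cdk.

# snapshot_certs DIR: print "sha256  path" for every .crt/.key/.pem file in DIR.
snapshot_certs() {
    sc_dir="$1"
    for sc_f in "$sc_dir"/*.crt "$sc_dir"/*.key "$sc_dir"/*.pem; do
        [ -f "$sc_f" ] || continue
        sha256sum "$sc_f"
    done
}

# changed_files BEFORE AFTER: print the path of every file whose hash in the
# AFTER snapshot is absent from the BEFORE snapshot (modified or newly created).
changed_files() {
    while IFS= read -r cf_line; do
        grep -qxF -- "$cf_line" "$1" || printf '%s\n' "${cf_line#*  }"
    done < "$2"
}

# cert_summary FILE: show serial and expiry when openssl is present, so a
# reissued certificate is recognisable even if the file name did not change.
cert_summary() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -serial -enddate 2>/dev/null || true
}

# verify_reissue DIR CMD [ARGS...]: snapshot DIR, run CMD, snapshot again and
# report the changed files. Returns 0 if anything changed, 1 otherwise.
verify_reissue() {
    vr_dir="$1"; shift
    vr_before=$(mktemp); vr_after=$(mktemp)
    snapshot_certs "$vr_dir" > "$vr_before"
    if "$@"; then vr_status=0; else vr_status=$?; fi
    snapshot_certs "$vr_dir" > "$vr_after"
    vr_changed=$(changed_files "$vr_before" "$vr_after")
    rm -f "$vr_before" "$vr_after"
    printf 'action exit status: %s\n' "$vr_status"
    if [ -n "$vr_changed" ]; then
        printf 'changed certificate files:\n%s\n' "$vr_changed"
        for vr_f in $vr_changed; do cert_summary "$vr_f"; done
        return 0
    fi
    printf 'no certificate files changed in %s\n' "$vr_dir"
    return 1
}

# Usage on a deployment, e.g. from the controller host:
#   verify_reissue /root/cdk juju run-action vault/0 --wait reissue-certificates
if [ $# -ge 2 ]; then
    verify_reissue "$@"
fi
```

Run it with the directory to watch followed by the exact action command; a non-zero return with "no certificate files changed" confirms the symptom described in the question, while a listed file plus a new serial and expiry date from openssl confirms the reissue took effect.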

Hi @alex. Thank you for the question.

Does the action output show any errors? And do you see errors if you run juju debug-log --replay?

@billy-olsen is there anything to watch for when running the reissue-certificates action?

Thank you for your reply. No, there was nothing special, just messages that certificates were created, but the files in /root/cdk were not changed at all.

Hmmm. It sounds like the vault charm might be swallowing an error.

If I were to troubleshoot this in my own setup, I’d probably try to grab a shell on the unit, and inspect system logs and dbus logs. It’s possible that the writes are failing due to a full disk, or some other system level problem.

@billy-olsen ping on the comment about vault possibly being incautious in smooshing an error. (Apologies if my assumption is unfair.)

The first thing that comes to mind is bug 1940549, which revealed a problem with the certificate management across multiple units. Unfortunately the patch that was proposed for the current release was just reverted, as it causes a problem on deployment. We’re actively working to fix the problem.

It has a bit of an ugly workaround identified, but we’re hoping to get this resolved ASAP.