Vault + External Let's Encrypt domain cert

Hej,

I’m trying to understand how the Vault charm operates, and whether it’s capable of using a domain certificate obtained by an external device.

As I understood the documentation, the Vault charm can operate in two modes: 1) self-signed (generate-root-ca), or 2) using a signed CSR. The second approach requires us to download the CSR from Vault, have it signed, then upload the signed information back to Vault.

In my scenario, I have an external device that obtains a domain certificate from Let’s Encrypt. This is distributed to several nodes in the domain. I’d also like to use the same certificate in Vault, so that all services under that domain have the same certificate (plus, having a certificate signed in my organization will take days, or longer).

AFAIK, a standard Vault would have no problems storing the information [1]. But in the Vault charm, just storing the data isn’t enough, right? It has to be stored so that the ‘users/clients’ of the charm can obtain the certificates, in the form required by each ‘user/client’.

So, is it possible to upload and use an existing Let’s Encrypt domain certificate, and have Vault distribute it to its clients?

BR/Patrik

[1] https://developer.epages.com/blog/tech-stories/managing-lets-encrypt-certificates-in-vault/

I don’t believe so. Vault needs to have its generated CSR signed. Let me ask around to see if the ability to use external certificates could be supported in the future.

1 Like

Is there any update on this topic? Would love to hear about that 🙂

1 Like

The only way to use an existing certificate is to assign it to a service via its corresponding charm. This is done by using that charm’s ssl-related options. See the glance charm for an example. Takeaway: Vault is not involved here and each service needs its own certificate.
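As an added example (not from this thread, and not code from any charm), the helper below does what the reply above describes for one service: it takes an externally obtained certificate, its private key and the issuing chain, checks that they are PEM and that the key actually belongs to the certificate, and prints the juju command that assigns them to the service through the charm's ssl-related options. It assumes the charm exposes ssl_cert, ssl_key and ssl_ca options taking base64-encoded PEM, as the OpenStack charms such as glance do, and that an ACME client left fullchain.pem and privkey.pem; confirm the option names with `juju config <app>` for your charm version before using it.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or any charm. Assigns an existing
# certificate to one service by emitting `juju config <app> ssl_cert=... ssl_key=... ssl_ca=...`.
# Assumption: the charm's ssl_cert/ssl_key/ssl_ca options take base64-encoded PEM
# (true for the OpenStack charms such as glance; check `juju config <app>`).
set -eu

# b64_oneline FILE: base64 without line wrapping, portable across GNU and BSD base64.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# pem_has FILE LABEL: succeed only if FILE contains a "-----BEGIN LABEL-----" block.
pem_has() {
  grep -q -- "-----BEGIN $2-----" "$1"
}

# check_pair CERT KEY: when openssl is available, confirm the private key belongs
# to the certificate by comparing the SubjectPublicKeyInfo each of them carries.
# Without openssl the check is skipped (returns success).
check_pair() {
  command -v openssl >/dev/null 2>&1 || return 0
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# juju_ssl_config APP CERT KEY CA: validate the inputs and print the juju command.
# It only prints; pipe the output into sh once it looks right.
juju_ssl_config() {
  local app=$1 cert=$2 key=$3 ca=$4
  pem_has "$cert" CERTIFICATE || { echo "no certificate in $cert" >&2; return 1; }
  grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" \
    || { echo "no private key in $key" >&2; return 1; }
  pem_has "$ca" CERTIFICATE || { echo "no CA certificate in $ca" >&2; return 1; }
  check_pair "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  printf 'juju config %s ssl_cert=%s ssl_key=%s ssl_ca=%s\n' \
    "$app" "$(b64_oneline "$cert")" "$(b64_oneline "$key")" "$(b64_oneline "$ca")"
}
```

Typical use is `juju_ssl_config glance /etc/letsencrypt/live/example.org/fullchain.pem /etc/letsencrypt/live/example.org/privkey.pem /etc/letsencrypt/live/example.org/chain.pem | sh`. Two caveats a practitioner will want: Let's Encrypt certificates expire after 90 days, so this has to run again on every renewal (an ACME renewal hook is the usual place), once per charm that carries the certificate; and the private key ends up in the model's charm configuration, readable by anyone who can run `juju config` against that application.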

Thanks for your reply, then I think it would be more convenient to put a reverse proxy in front of the dashboard, for example.

1 Like