Vault

Hi,
I’m trying to get the root CA, but it seems there is a problem with either juju or vault.

ubuntu@juju:~$ juju run-action vault/leader --wait get-root-ca
unit-vault-0:
  UnitId: vault/0
  id: "91"
  results:
    Stderr: |
      All snaps up to date.
    Stdout: |
      lxc
      lxc
      active
      lxc
    output: None
  status: completed
  timing:
    completed: 2020-12-09 13:07:17 +0000 UTC
    enqueued: 2020-12-09 13:07:07 +0000 UTC
    started: 2020-12-09 13:07:10 +0000 UTC

As you can see, the output is empty and the root CA is not there, although I can list secrets in Vault.

ubuntu@juju-48d934-0-lxd-6:~$ vault secrets list
Path Type Accessor Description
charm-pki-local/ pki pki_424d8583 Charm created PKI backend
cubbyhole/ cubbyhole cubbyhole_4eebd0b8 per-token private secret storage
identity/ identity identity_e175e164 identity store
sys/ system system_3d81439b system endpoints used for control, policy and debugging
ubuntu@juju-48d934-0-lxd-6:~$

I also need to retrieve the PKI data in the charm-pki-local path.

It seems there is an open bug here.

When you run the command for self-signed certificates for the first time, juju run-action --wait vault/leader generate-root-ca, the command gives output with the certificate; you have to save that in a file so you can use it.
I also faced this issue, so when I deployed everything again I used the above method and it’s working for me.
And when you source the openrc file, make sure your environment variables are there with https.
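A small helper, added here and not part of any post above or of the vault charm, that saves the certificate printed by generate-root-ca to a file and refuses to write a file when the action comes back with `output: None` (the symptom in the first post). The action YAML and the PEM body are constructed samples, not real output or a real certificate.

```shell
#!/bin/sh
# Added example: extract the PEM block that
# "juju run-action --wait vault/leader generate-root-ca" prints under
# results.output and save it to a file. Fails when no certificate is present.

# Constructed sample of a successful action result; the PEM body is a
# placeholder, not a real certificate.
SAMPLE_OK='unit-vault-0:
  UnitId: vault/0
  id: "7"
  results:
    output: |
      -----BEGIN CERTIFICATE-----
      MIIBplaceholderNotARealCertificate
      -----END CERTIFICATE-----
  status: completed'

# Constructed sample of the failure seen in the thread (no root CA in Vault).
SAMPLE_EMPTY='unit-vault-0:
  UnitId: vault/0
  results:
    output: None
  status: completed'

# extract_root_ca <outfile>: reads the action YAML on stdin, writes the PEM
# block (with YAML indentation removed) to <outfile>.
# Returns 1 and leaves no file behind if no certificate was found.
extract_root_ca() {
    out="$1"
    # Keep only the lines between BEGIN/END CERTIFICATE and strip the
    # leading spaces the YAML block scalar adds.
    awk '/-----BEGIN CERTIFICATE-----/ {inpem=1}
         inpem {sub(/^ +/, ""); print}
         /-----END CERTIFICATE-----/ {inpem=0}' > "$out"
    if ! grep -q -- '-----END CERTIFICATE-----' "$out"; then
        rm -f "$out"
        echo "no root CA in action output; run generate-root-ca again" >&2
        return 1
    fi
    return 0
}

# On a live deployment (not run here):
#   juju run-action --wait vault/leader generate-root-ca | extract_root_ca root-ca.pem
```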

So you mean I have to deploy openstack bundle again?

Can’t I just delete and install the vault machine?

Try a vault redeploy; if that does not work, then you can redeploy the bundle.

OK, so is there a command to redeploy an application, or do I have to delete and deploy it manually?

Remove the machine and re-add it.
#juju remove-machine --force
#wait for minute
#juju add-unit vault --to machine-id:lxd

Thank you so much. I did the same and am waiting for the charm to install.

I want to share something with you and others.

If you are following the setup from https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/ussuri/app-certificate-management.html

Please be aware of the following situation which made me search a lot.

I think in my case, after I ran “juju run-action --wait vault/leader generate-root-ca”, I also ran the next command, “juju run-action vault/0 get-csr”, but I did not upload a signed CSR, so as a result it might have deleted the previously generated root CA. I’m not sure, but as far as I could see my Vault does not have a root CA; I guess the Vault server had neither a self-signed CA generated by Vault nor one uploaded by myself.

So in this situation I tried fixing the problem by removing and adding the vault machine, but it did not actually work.

In this case I lost my unseal keys and could not unseal Vault, because I had saved them on my vault machine as a text file. :expressionless:
I found out I had to reinitialize the Vault server, but in advance I had to delete the backend storage, which is MySQL. :expressionless:

As a workaround I logged into the vault machine with juju ssh vault/0 and installed mysql-client.

If you cat this file you’ll find the database credentials.

sudo cat /var/snap/vault/common/vault.hcl

Log in to the MySQL server with the following pattern.

mysql -u vault -p vault -h 127.0.0.1

Enter the password and drop the vault database.

drop database vault;
exit

Then restart the Vault server: systemctl restart vault.

So now you can reinitialize Vault, get new keys, and go on with the rest of the work.

vault operator init -key-shares=5 -key-threshold=3

And do the rest yourself. :slight_smile:


Maybe a little late to the party. Ran into this today.

Didn’t see the “you are done” message and went on to request a CSR like in the tutorial. This deletes the CA and prepares Vault for the upload of an intermediate from an offline CA.

Fix:

juju run-action --wait vault/leader disable-pki

This should disable the PKI engine.

After that, generate the self-signed root CA again:

juju run-action --wait vault/leader generate-root-ca
