vault daemon not reloaded when SSL cert changes #271

kbucheli · 2022-02-18T10:54:10Z

Actual behaviour

When I changed the TLS certificate of the the vault server, it did not automatically reload the vault daemon and thus failed the health check as it still used the old, not working cert:

TASK [vault : Vault SSL Certificate and Key] ***********************************************************************************************************************************************************************************************
changed: [vault.test.com] => (item={'src': 'tls/vault.test.com.crt.pem', 'dest': '/etc/vault/tls/vault.test.com.crt.pem', 'mode': '0644'})
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.key', 'dest': '/etc/vault/tls/vault.test.com.key', 'mode': '0600'})
ok: [vault.test.com] => (item={'src': 'tls/ca.crt', 'dest': '/etc/vault/tls/ca.crt', 'mode': '0644'})
...
TASK [vault : Vault API reachable?] ********************************************************************************************************************************************************************************************************
FAILED - RETRYING: Vault API reachable? (6 retries left).
FAILED - RETRYING: Vault API reachable? (5 retries left).
FAILED - RETRYING: Vault API reachable? (4 retries left).
FAILED - RETRYING: Vault API reachable? (3 retries left).
FAILED - RETRYING: Vault API reachable? (2 retries left).
FAILED - RETRYING: Vault API reachable? (1 retries left).
fatal: [vault.test.com]: FAILED! => {"attempts": 6, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 429, 472, 473, 501, 503]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>", "redirected": false, "status": -1, "url": "https://vault.test.com:10200/v1/sys/health"}

after a manual restart on the machine I got

TASK [vault : Vault SSL Certificate and Key] ***********************************************************************************************************************************************************************************************
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.crt.pem', 'dest': '/etc/vault/tls/vault.test.com.crt.pem', 'mode': '0644'})
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.key', 'dest': '/etc/vault/tls/vault.test.com.key', 'mode': '0600'})
ok: [vault.test.com] => (item={'src': 'tls/ca.crt', 'dest': '/etc/vault/tls/ca.crt', 'mode': '0644'})
...
TASK [vault : Vault API reachable?] ********************************************************************************************************************************************************************************************************
ok: [vault.test.com]

(The actual problem was that the first cert did not have the intermediate certs listed).

Expected behaviour

The vault daemon is restarted when one of the TLS certificate files changes.

Versions

ansible-vault role: current master branch (dddc74c)
ansible 2.10.8
OS: Ubuntu 21.10

The text was updated successfully, but these errors were encountered:

leosala · 2022-02-21T14:33:41Z

I would suggest putting a:

notify:
  - Restart vault
  - Reload vault

after

ansible-vault/tasks/tls.yml

Line 34 in dddc74c

when: vault_tls_copy_keys | bool

kbucheli mentioned this issue Mar 2, 2022

Reload on certificate changes #274

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vault daemon not reloaded when SSL cert changes #271

vault daemon not reloaded when SSL cert changes #271

kbucheli commented Feb 18, 2022

leosala commented Feb 21, 2022

vault daemon not reloaded when SSL cert changes #271

vault daemon not reloaded when SSL cert changes #271

Comments

kbucheli commented Feb 18, 2022

Actual behaviour

Expected behaviour

Versions

leosala commented Feb 21, 2022