`SIGHUP` does not reload certificates in `Vault v0.10.3` #5442

Closed
v6 opened this Issue Oct 2, 2018 · 5 comments

@v6
Contributor

v6 commented Oct 2, 2018

Describe the bug
SIGHUP does not reload certificates in Vault v0.10.3 ('c69ae68faf2bf7fc1d78e3ec62655696a07454c7').

To Reproduce
Steps to reproduce the behavior:

  1. Set up a Vault server to use a TCP listener with TLS with the Certificate /etc/ssl/vault/vault_certificate.crt and the Key /etc/ssl/vault/vault_key.key.
  2. Start the Vault server.
  3. Tail system logs.
  4. Replace Certificate /etc/ssl/vault/vault_certificate.crt and the Key /etc/ssl/vault/vault_key.key with a new, valid Certificate and Key set.
  5. Run pkill -1 vault
  6. Check for ... ==> Vault reload triggered, e.g. Oct 01 20:29:21 azwus-dev-vault.digitalonus.com vault[54493]: ==> Vault reload triggered
  7. Check for any changed certificates presented in Vault UI and curl responses, as they should be, according to https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#052-march-16th-2016 and https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cert_file .
  8. Note their absence.
  9. Raise eyebrow.
  10. File bug report in case it's something that doesn't just affect me.

Expected behavior

I expected Vault to present the new cert.

Environment:

  • Vault Server Version (retrieve with vault status): 0.10.3
  • Vault CLI Version (retrieve with vault version): Vault v0.10.3 ('c69ae68faf2bf7fc1d78e3ec62655696a07454c7')
  • Server Operating System/Architecture: 64-bit CentOS 7

Vault server configuration file(s):

backend "consul" {
  address = "227.40.180.11:18500"
  path    = "vault/"
}
listener "tcp" {
  address     = "10.0.0.2:18200"
  tls_disable = "false"
  tls_min_version = "tls12"
  tls_cert_file = "/etc/ssl/vault/vault_certificate.crt"
  tls_key_file = "/etc/ssl/vault/vault_key.key"
  tls_disable_client_certs = true
}
ui = true

Additional context

systemctl restart vault, on the other hand, reloads the certificate like a charm.

I checked the changelog, and it doesn't look like anyone's had a bug with this. I'm hoping it's just a one-off, and doesn't affect the overall product. But if it does, and it reproduces on your end, let me know.

I can also try this in a later version of Vault, if needed.

@v6 v6 changed the title from `SIGHUP` does not reload certificates in `Vault v0.10.3` to // , `SIGHUP` does not reload certificates in `Vault v0.10.3` Oct 2, 2018

@jefferai jefferai closed this Oct 2, 2018

@jefferai jefferai reopened this Oct 2, 2018

Member

jefferai commented Oct 2, 2018

NM, closed because I read incorrectly.

@jefferai jefferai changed the title from // , `SIGHUP` does not reload certificates in `Vault v0.10.3` to `SIGHUP` does not reload certificates in `Vault v0.10.3` Oct 2, 2018

Member

jefferai commented Oct 2, 2018

Works for me; note the changed serial number:

$ openssl s_client -connect 127.0.0.1:8202 -showcerts | openssl x509 -noout -text
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 67427860021386559 (0xef8d480c8a1d3f)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = localhost
        Validity
            Not Before: Oct  2 15:34:23 2018 GMT
            Not After : Oct  2 03:34:53 2048 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:08:db:c4:a2:94:43:05:20:f0:9b:a8:e1:09:e6:
                    36:0f:4b:71:68:f4:d7:78:43:f7:ac:0c:0c:05:63:
                    bb:e4:4f:73:f4:0f:2e:8b:29:5c:4c:2d:24:f3:43:
                    a2:15:94:68:56:ac:88:17:83:68:35:20:6d:ba:1c:
                    7a:21:8b:27:35
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:77:b8:05:96:87:12:f2:cc:3a:48:2a:24:5c:3f:
         84:3b:8d:eb:7e:fb:5a:19:e6:f9:0b:61:b9:9c:2f:46:31:cb:
         02:20:0e:ee:ef:5c:71:cd:12:e7:ab:37:cf:54:06:68:50:6d:
         de:14:b6:7a:74:bd:59:94:48:3a:73:3b:77:98:90:d0

$ cp node2_port_8201_cert.pem cert.pem
$ cp node2_port_8201_key.pem key.pem
$ pkill -HUP vault
$ openssl s_client -connect 127.0.0.1:8202 -showcerts | openssl x509 -noout -text
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2086526454386313985 (0x1cf4d4c16026cb01)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = localhost
        Validity
            Not Before: Oct  2 15:34:23 2018 GMT
            Not After : Oct  2 03:34:53 2048 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5d:3d:86:8e:11:56:09:34:e8:17:0b:7e:17:38:
                    05:64:35:d7:fc:57:28:18:61:6c:50:c9:1b:24:9e:
                    53:2b:98:7a:8f:11:38:a3:59:7f:ef:84:92:f6:e5:
                    b9:6b:8a:63:15:ad:af:81:e3:0a:d7:17:d5:a6:ed:
                    e5:2c:b0:de:c6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:0:0:0:0:0:0:0:1, IP Address:127.0.0.1, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:a1:b8:1a:ff:bf:57:99:1e:7e:45:f8:6b:97:
         ff:62:05:60:47:a9:57:00:5f:14:a5:c5:6f:8e:c4:7d:f0:5d:
         e7:02:21:00:bb:87:44:9f:1e:93:4f:69:31:2d:e3:44:7f:be:
         8c:05:9c:f9:5e:ba:20:3c:3a:75:91:33:9a:fa:78:ed:55:1f
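The reload mechanism this report exercises and the serial-number check behind jefferai's two openssl commands, as an added Go example (my code, not Vault's): a TLS listener whose key pair is swapped through tls.Config.GetCertificate, which is one way a SIGHUP handler can apply freshly re-read tls_cert_file and tls_key_file to new handshakes without a restart, plus a client that reports the serial of the certificate actually presented. The self-signed certificates, their serials and the loopback listener are constructed test material; "Current", "SelfSigned", "Serve" and "ServedSerial" are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync/atomic"
	"time"
)

// Current holds the listener's key pair; a SIGHUP handler re-reads the files and calls Store.
var Current atomic.Pointer[tls.Certificate]

// getCertificate plugs into tls.Config.GetCertificate: each new handshake presents the latest Store.
func getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) { return Current.Load(), nil }

// SelfSigned builds a throwaway self-signed P-256 certificate with the given serial (constructed data).
func SelfSigned(serial int64) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Serve starts a loopback TLS listener that completes each handshake and hangs up; returns its address.
func Serve() (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: getCertificate})
	if err != nil {
		return "", err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // the only point at which GetCertificate is consulted
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// ServedSerial is the programmatic form of `openssl s_client ... | openssl x509 -noout -text`:
// it handshakes with addr and returns the serial of the leaf certificate actually presented.
func ServedSerial(addr string) (int64, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true}) // self-signed test cert
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].SerialNumber.Int64(), nil
}
```

Because the swap is consulted only at handshake time, a client that keeps an existing session open will not see the new certificate until it reconnects; comparing the served serial against the on-disk file after the reload is the check that distinguishes a real reload failure from a reused connection.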
Contributor

v6 commented Oct 2, 2018

// , OK, guess it's just me then. Thanks for checking it, sorry for noise

Member

jefferai commented Oct 3, 2018

No problem. Respond back if you think it needs to be reopened!

@jefferai jefferai closed this Oct 3, 2018
