@starkandwayne-bot starkandwayne-bot released this May 24, 2021

Improvements

  • HTTP calls that list paths in the Vault have been switched to use the GET HTTP method for greater compatibility with proxies.

@starkandwayne-bot starkandwayne-bot released this Mar 29, 2021

New Features

  • safe uuid is a new command that will generate a UUIDv4 and insert it into
    the specified path at the Vault. (thanks @gerardocorea)
  • safe option allows you to view and edit new safe CLI global options.
    Currently, the only option is manage_vault_token, which will have safe
    change the .vault-token file that the Vault CLI uses. (thanks @daviddob)

Improvements

  • safe versions now shows when versions in a KVv2 backend were created.

Miscellaneous

  • The release binaries are now compiled with Go 1.16, up from Go 1.13. This means that these builds include the Go 1.15 x509 library changes that may cause certificates that relied on the target domain being in the Subject line (as opposed to the Subject Alternative Names) to be untrusted.

@starkandwayne-bot starkandwayne-bot released this Jan 20, 2021

New Features

  • x509 renew and x509 reissue now accept the -n and -s flags to update
    subject alternative names and subjects respectively.
  • undelete now treats not specifying a version to mean the latest version
    (@daviddob)
  • cp now gives a proper error when trying to copy all versions of a
    specific version of a secret, which doesn't make any sense. (@daviddob)

Bug Fixes

  • x509 reissue now properly reads in the key usage flags.
  • cp will no longer panic when trying to copy a version of a secret which is
    not the latest. (@daviddob)

@starkandwayne-bot starkandwayne-bot released this Oct 2, 2020

New Features

  • Added safe auth status command. It prints out information about the
    current auth token.
  • Added --json flag to safe auth status. It prints out said information
    in a JSON format.

Improvements

  • safe targets --json output now includes if the target expects
    a Strongbox server to be present, and also the targeted Vault namespace,
    if any.

Bug Fixes

  • safe auth now respects the -T flag when writing the token.
  • safe local no longer races with the Vault server actually listening on its endpoint, and will wait up to 5 seconds for it to begin listening.

@starkandwayne-bot starkandwayne-bot released this Jul 2, 2020

Bug Fixes

  • safe recognizes performance standbys as standbys for the purpose of safe status.
  • safe now won't use namespaces when trying to interface with /sys/health or /sys/seal-status, because these result in unsupported path errors from Vault.
  • safe ls should now work with more versions of Vault when listing the root.
  • safe env --json now exposes VAULT_NAMESPACE
  • x509 show now displays data encipherment as data encipherment and not data encupherment, which is definitely not data encipherment.

@starkandwayne-bot starkandwayne-bot released this May 13, 2020

Improvements

  • safe local now has a --port flag; you can now manually set the port that
    the local Vault listens on.

@starkandwayne-bot starkandwayne-bot released this May 4, 2020

Improvements

  • safe x509 renew can now set new key usages for the renewed certificate.
  • When using an SSH proxy, safe now handles the ssh known_hosts file better.
    It can now handle when the known_hosts file is empty, and also safe now adds
    newlines to lines that it adds.

@starkandwayne-bot starkandwayne-bot released this Mar 17, 2020

Improvements

  • Better error response for unexpected HTML responses when the HTTP return code
    is non-2xx
  • x509 commands now populate the x509 v3 extensions for authority key ID and
    subject key ID.

@starkandwayne-bot starkandwayne-bot released this Mar 6, 2020

Changes to Defaults

To comply with the expectations of macOS Catalina
about x509 certificates, changes have been made to
some of the default flag values for x509 issue.

  • The default TTL for non-CAs is now 2 years instead of 10 years.
  • All certificates now have the default extended key usages of server_auth and client_auth. Previously, the default was to have no extended key usages. These defaults can be overridden by providing any key usages manually.
  • For CA certificates, the key_cert_sign and crl_sign key usages are provided by default. These defaults can be overridden by providing any key usages manually.

New Features

  • Because not specifying key usages to x509 issue now causes the default key usages and extended key usages to be used, a new key usage spec, no, was added to let the user specify that they want no key usages on the certificate at all.

Improvements

  • Key usage strings provided on the command line are now case-insensitive.
  • generate was added as a command alias to gen.

Bug Fixes

  • Updated help for target not to say to use -s=false. go-cli apparently won't
    handle that syntax, and so it has been updated to suggest --no-strongbox for the
    same functionality.

@starkandwayne-bot starkandwayne-bot released this Feb 26, 2020

Improvements

  • x509 renew and x509 reissue now declare the new expiry time in a more
    human-readable format.
  • Commands that talk to Vault that receive non-JSON responses should now give a
    more descriptive response. This could happen if you're targeting something
    that isn't Vault, or, say, if a load balancer that should have passed traffic
    through to Vault decided to respond as itself because of an error or
    misconfiguration.
  • Communications to Strongbox are now traced when debugging is turned on.

Bug Fixes

  • You can no longer attempt to authenticate when you have no Vault targeted.
  • x509 show and x509 validate used to fail if your certificate chain ended
    with something that wasn't a PEM block (such as whitespace). Now, this will
    not cause an error as long as one certificate was successfully found.
  • seal and unseal would not add a default port (80 and 443) the same way
    that other commands did, which could cause connection refused errors for
    these specific commands. That should be fixed now.
  • export had a usage line that had old flag names. The long help had the right
    flags, but the short help did not. Now they both do.