- HTTP calls that list paths in the Vault have been switched to use the GET HTTP method for greater compatibility with proxies.
- `safe uuid` is a new command that will generate a UUIDv4 and insert it into
  the specified path at the Vault. (thanks @gerardocorea)
- `safe option` allows you to view and edit new safe CLI global options.
  Currently, the only option is `manage_vault_token`, which will have safe
  change the `.vault-token` file that the Vault CLI uses. (thanks @daviddob)
- `safe versions` now shows when versions in a KVv2 backend were created.
- The release binaries are now compiled with Go 1.16, up from Go 1.13. This means that these builds include the Go 1.15 x509 library changes that may cause certificates that relied on the target domain being in the Subject line (as opposed to the Subject Alternative Names) to be untrusted.
- `x509 reissue` now accept the `-s` flags to update
  subject alternative names and subjects respectively.
- `undelete` now treats not specifying a version to mean the latest version.
- `cp` gives a proper error when trying to copy all versions of a
  specific version of a secret, which doesn't make any sense. (@daviddob)
- `x509 reissue` now properly reads in the key usage flags.
- `cp` will no longer panic when trying to copy a version of a secret which is
  not the latest. (@daviddob)
- `safe auth status` command. It prints out information about the
  current auth token.
- `safe auth status`. It prints out said information
  in a JSON format.
- `safe targets --json` output now includes if the target expects
  a Strongbox server to be present, and also the targeted Vault namespace,
- `safe auth` now respects the `-T` flag when writing the token.
- `safe local` no longer races with the Vault server actually listening on its endpoint, and will wait up to 5 seconds for it to begin listening.
- safe recognizes performance standbys as standbys for the purpose of
- safe now won't use namespaces when trying to interface with `/sys/health` or `/sys/seal-status`, because these result in unsupported path errors from Vault.
- `safe ls` should now work with more versions of Vault when listing the root.
- `safe env --json` now exposes `VAULT_NAMESPACE`.
- x509 show now displays data encipherment as data encipherment and not data encupherment, which is definitely not data encipherment.
- safe local now has a --port flag; you can now manually set the port that
the local Vault listens on.
- safe x509 renew can now set new key usages for the renewed certificate.
- When using an SSH proxy, safe now handles the ssh
  It can now handle when the `known_hosts` file is empty, and also safe now adds
  newlines to lines that it adds.
- Better error response for unexpected HTML responses when the HTTP return code
- x509 commands now populate the x509 v3 extensions for authority key ID and
subject key ID.
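The Go 1.15 x509 change noted above can be checked locally before upgrading. The following is an added example, not code from safe: it builds two self-signed certificates for a constructed hostname, one with the name only in the Subject Common Name and one that also lists it as a DNS Subject Alternative Name, and verifies each against itself with Go's crypto/x509. The CN-only certificate is rejected on Go 1.15 and later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue: self-signed cert with host as Common Name and sans as DNS SANs (may be empty).
func issue(host string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// trustedFor issues a cert for host and verifies it for that name with itself as
// the only root. Go 1.15+ returns an error when host is only in the Common Name.
func trustedFor(host string, sans []string) error {
	cert, err := issue(host, sans)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
func main() {
	host := "vault.example.internal" // constructed hostname for the demo
	fmt.Println("CN only: ", trustedFor(host, nil))
	fmt.Println("with SAN:", trustedFor(host, []string{host}))
}
```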
Changes to Defaults
To comply with the expectations of Mac OS Catalina
about x509 certificates, some changes have been made to
some of the default flag values for
- The default TTL for non-CAs is now 2 years instead of 10 years.
- All certificates now have the default extended key usages of
  `client_auth`. Previously, the default was to have no extended key usages. These defaults can be overridden by providing any key usages manually.
- For CA certificates, the `crl_sign` key usages are provided by default. These defaults can be overridden by providing any key usages manually.
- Because not specifying key usages to `x509 issue` will cause the default key usages and extended key usages to be used, the key usage spec
  `no` was added to allow the user to specify that they want no key usages on the certificate at all.
- Key usage strings provided on the command line are now case-insensitive.
- `generate` was added as a command alias to
- Updated help for `target` not to say to use `-s=false`. go-cli apparently won't
  handle that syntax, and so it has been updated to suggest
- `x509 reissue` now declare the new expiry time in a more
- Commands that talk to Vault that receive non-JSON responses should now give a
more descriptive response. This could happen if you're targeting something
that isn't Vault, or, say, if a load balancer that should have passed traffic
through to Vault decided to respond as itself because of an error or
- Communications to Strongbox are now traced when debugging is turned on.
- You can no longer attempt to authenticate when you have no Vault targeted.
- `x509 validate` used to fail if your certificate chain ended
  with something that wasn't a PEM block (such as whitespace). Now, this will
  not cause an error as long as one certificate was successfully found.
- `unseal` would not add a default port (80 and 443) the same way
  that other commands did, which could cause connection refused errors for
  these specific commands. That should be fixed now.
- `export` had a usage line that had old flag names. The long help had the right
  flags, but the short help did not. Now they both do.