Vault issues expired certificates with leaf_not_after_behavior truncate #30621
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Describe the bug
Vault issues expired certificates when the leaf_not_after_behavior is set to truncate and the default issuer in a pki has expired.
To Reproduce
Steps to reproduce the behavior:
This bug can be easily replicated with the following setup:
id=$(kubectl exec vault-0 -i -- vault list -format json pki/issuers | jq -r '.[0]') kubectl exec vault-0 -i -- vault write pki/issuer/$id leaf_not_after_behavior=truncateWith the err behavior, Vault errors because the cert's NotAfter goes beyond the issuer's. This prevents Vault from issuing when the CA has expired.
With truncate, Vault copies the NotAfter e.g.:
min(cert's NotAfter, CA's NotAfter)Which leads to Vault issuing expired certificates.
Expected behavior
Vault should not issue expired certificates with the truncate leaf_not_after_behavior.
Environment:
Additional context
This issue lead to a problem with cert-manager for us: cert-manager/cert-manager#7741
But the original root cause seems to be in vault.
The text was updated successfully, but these errors were encountered: