
vault daemon not reloaded when SSL cert changes

Open kbucheli opened this issue 3 years ago • 1 comment

Actual behaviour

When I changed the TLS certificate of the vault server, it did not automatically reload the vault daemon and thus failed the health check, as it still used the old, not working cert:

TASK [vault : Vault SSL Certificate and Key] ***********************************************************************************************************************************************************************************************
changed: [vault.test.com] => (item={'src': 'tls/vault.test.com.crt.pem', 'dest': '/etc/vault/tls/vault.test.com.crt.pem', 'mode': '0644'})
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.key', 'dest': '/etc/vault/tls/vault.test.com.key', 'mode': '0600'})
ok: [vault.test.com] => (item={'src': 'tls/ca.crt', 'dest': '/etc/vault/tls/ca.crt', 'mode': '0644'})
...
TASK [vault : Vault API reachable?] ********************************************************************************************************************************************************************************************************
FAILED - RETRYING: Vault API reachable? (6 retries left).
FAILED - RETRYING: Vault API reachable? (5 retries left).
FAILED - RETRYING: Vault API reachable? (4 retries left).
FAILED - RETRYING: Vault API reachable? (3 retries left).
FAILED - RETRYING: Vault API reachable? (2 retries left).
FAILED - RETRYING: Vault API reachable? (1 retries left).
fatal: [vault.test.com]: FAILED! => {"attempts": 6, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 429, 472, 473, 501, 503]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>", "redirected": false, "status": -1, "url": "https://vault.test.com:10200/v1/sys/health"}

After a manual restart on the machine I got:

TASK [vault : Vault SSL Certificate and Key] ***********************************************************************************************************************************************************************************************
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.crt.pem', 'dest': '/etc/vault/tls/vault.test.com.crt.pem', 'mode': '0644'})
ok: [vault.test.com] => (item={'src': 'tls/vault.test.com.key', 'dest': '/etc/vault/tls/vault.test.com.key', 'mode': '0600'})
ok: [vault.test.com] => (item={'src': 'tls/ca.crt', 'dest': '/etc/vault/tls/ca.crt', 'mode': '0644'})
...
TASK [vault : Vault API reachable?] ********************************************************************************************************************************************************************************************************
ok: [vault.test.com]

(The actual problem was that the first cert did not have the intermediate certs listed).

Expected behaviour

The vault daemon is restarted when one of the TLS certificate files changes.

Versions

  • ansible-vault role: current master branch (dddc74c)
  • ansible 2.10.8
  • OS: Ubuntu 21.10

kbucheli avatar Feb 18 '22 10:02 kbucheli

I would suggest putting a:

notify:
  - Restart vault
  - Reload vault

after https://github.com/ansible-community/ansible-vault/blob/dddc74c0fc447205664424438d72d6e2f9397f2d/tasks/tls.yml#L34

leosala avatar Feb 21 '22 14:02 leosala
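A minimal tasks/handlers layout that implements the suggestion above, written here as an added example rather than the role's own code: the copy task notifies a restart handler, the handler is flushed before the health check so the restart does not wait until the end of the play, and a local openssl verify rejects a certificate file whose intermediates are missing before it ever reaches the server. The handler name, the `vault_tls_src_dir` variable, `openssl` on the control node and the systemd unit name `vault` are assumptions.

```yaml
# tasks/tls.yml (illustrative fragment; paths and ports follow the issue log)
- name: Verify the server cert file carries a complete chain before deploying it
  # Assumes the cert file is "leaf + intermediates" and ca.crt holds the root.
  # The same file is given as -untrusted so its intermediates can build the chain.
  ansible.builtin.command:
    argv:
      - openssl
      - verify
      - -CAfile
      - "{{ vault_tls_src_dir }}/ca.crt"
      - -untrusted
      - "{{ vault_tls_src_dir }}/vault.test.com.crt.pem"
      - "{{ vault_tls_src_dir }}/vault.test.com.crt.pem"
  delegate_to: localhost
  become: false
  changed_when: false

- name: Vault SSL Certificate and Key
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - { src: 'tls/vault.test.com.crt.pem', dest: '/etc/vault/tls/vault.test.com.crt.pem', mode: '0644' }
    - { src: 'tls/vault.test.com.key', dest: '/etc/vault/tls/vault.test.com.key', mode: '0600' }
    - { src: 'tls/ca.crt', dest: '/etc/vault/tls/ca.crt', mode: '0644' }
  notify: Restart vault   # the missing piece: a changed TLS file must bounce the daemon

- name: Apply the restart now, not at the end of the play
  ansible.builtin.meta: flush_handlers

- name: Vault API reachable?
  ansible.builtin.uri:
    url: https://vault.test.com:10200/v1/sys/health
    ca_path: /etc/vault/tls/ca.crt   # verify against the deployed CA, not the system store
    status_code: [200, 429, 472, 473, 501, 503]
  register: vault_health
  retries: 6
  delay: 5
  until: vault_health.status in [200, 429, 472, 473, 501, 503]

# handlers/main.yml
- name: Restart vault
  ansible.builtin.service:
    name: vault
    state: restarted
```

Without the `meta: flush_handlers` step the notified handler only runs after the health-check task, so the check would still hit the listener serving the old certificate.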