
Vault issues expired certificates with leaf_not_after_behavior truncate

Open andy-d2019 opened this issue 7 months ago • 0 comments

Describe the bug

Vault issues expired certificates when the leaf_not_after_behavior is set to truncate and the default issuer in a pki has expired.

To Reproduce

Steps to reproduce the behavior:

  1. Setup a vault pki with a given default issuer
  2. Let the default Issuer expire
  3. Request a certificate from the default issuer

This bug can be easily replicated with the following setup:

id=$(kubectl exec vault-0 -i -- vault list -format json pki/issuers | jq -r '.[0]')
kubectl exec vault-0 -i -- vault write pki/issuer/$id leaf_not_after_behavior=truncate

With the err behavior, Vault errors because the cert's NotAfter goes beyond the issuer's. This prevents Vault from issuing when the CA has expired.

With truncate, Vault copies the NotAfter e.g.:

min(cert's NotAfter, CA's NotAfter)

Which leads to Vault issuing expired certificates.

Expected behavior

Vault should not issue expired certificates with the truncate leaf_not_after_behavior.

Environment:

  • Vault Server Version: 1.17.2
  • Vault CLI Version: 1.17.2
  • Server Operating System/Architecture: Kubernetes

Additional context

This issue led to a problem with cert-manager for us: https://github.com/cert-manager/cert-manager/issues/7741 But the original root cause seems to be in vault.

andy-d2019 May 14 '25 16:05
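The min(cert NotAfter, CA NotAfter) step the report describes, modelled as an added Go example. This is not Vault's source and not code from the issue author; the behaviour names (err, truncate, permit) are Vault's, but clampNotAfter, clampNotAfterChecked and issueLeaf are assumed names written for this illustration. It goes one step beyond the report: it signs a real leaf with Go's crypto/x509 against a constructed, already-expired CA to show that the truncated NotAfter is simply signed as-is, and it adds a guarded variant that refuses issuance once the issuer has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NotAfterBehavior stands in for the leaf_not_after_behavior values. This file
// is an assumed model of the behaviour the issue describes, not Vault's code.
type NotAfterBehavior string

const (
	BehaviorErr      NotAfterBehavior = "err"
	BehaviorTruncate NotAfterBehavior = "truncate"
	BehaviorPermit   NotAfterBehavior = "permit"
)

var (
	ErrBeyondIssuer  = errors.New("leaf NotAfter is beyond the issuer's NotAfter")
	ErrIssuerExpired = errors.New("issuer has already expired; refusing to issue")
)

// clampNotAfter is the unguarded logic from the report: "err" rejects a leaf
// that would outlive the issuer, "truncate" returns min(leaf, issuer), and
// "permit" passes the request through. Nothing compares the result to "now".
func clampNotAfter(b NotAfterBehavior, leaf, issuer time.Time) (time.Time, error) {
	switch b {
	case BehaviorErr:
		if leaf.After(issuer) {
			return time.Time{}, ErrBeyondIssuer
		}
	case BehaviorTruncate:
		if leaf.After(issuer) {
			return issuer, nil
		}
	}
	return leaf, nil
}

// clampNotAfterChecked is the guarded form (an assumed fix, not Vault's): an
// issuer already expired at "now" may not issue at all, so truncate can never
// hand back a NotAfter that lies in the past.
func clampNotAfterChecked(b NotAfterBehavior, leaf, issuer, now time.Time) (time.Time, error) {
	if !now.Before(issuer) {
		return time.Time{}, ErrIssuerExpired
	}
	return clampNotAfter(b, leaf, issuer)
}

// issueLeaf builds a throwaway P-256 CA expiring at caNotAfter, runs the
// requested leaf NotAfter through clampNotAfter, signs the leaf and returns it
// parsed. x509.CreateCertificate does not object to a NotAfter in the past.
func issueLeaf(b NotAfterBehavior, caNotAfter, requested time.Time) (*x509.Certificate, error) {
	notAfter, err := clampNotAfter(b, requested, caNotAfter)
	if err != nil {
		return nil, err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test-issuer"},
		NotBefore:             caNotAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              caNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example.internal"},
		NotBefore:    caTmpl.NotBefore,
		NotAfter:     notAfter, // whatever the behaviour produced, unchecked
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

func main() {
	now := time.Date(2025, 5, 14, 16, 5, 0, 0, time.UTC) // constructed clock
	caNotAfter := now.Add(-24 * time.Hour)               // issuer expired yesterday
	requested := now.Add(90 * 24 * time.Hour)            // leaf asks for 90 days
	leaf, err := issueLeaf(BehaviorTruncate, caNotAfter, requested)
	if err != nil {
		fmt.Println("issue failed:", err)
		return
	}
	fmt.Printf("truncate signed NotAfter=%s expired=%v\n", leaf.NotAfter.UTC(), leaf.NotAfter.Before(now))
	_, err = clampNotAfterChecked(BehaviorTruncate, requested, caNotAfter, now)
	fmt.Println("guarded truncate:", err)
}
```

Run stand-alone, the first line shows a signed leaf whose NotAfter equals the CA's past expiry, which is the report's symptom; the second shows the guarded variant refusing instead. The fix is deliberately placed before the min() so it applies to every behaviour, not only truncate.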