remilapeyre / vault-acme

Mozilla Public License 2.0

Does the certificate get automatically renewed? #18

Closed hongkongkiwi closed 4 years ago

hongkongkiwi commented 4 years ago

Quick question as I wasn't entirely clear....

Upon expiry, will the certificate automatically be renewed with Let's Encrypt, or does it require a "trigger" when the certificate is requested from Vault?

As an example, in the database plugin the database user is automatically rolled upon expiry.

remilapeyre commented 4 years ago

Hi @hongkongkiwi, when fetching a certificate the ACME provider will set the date after which the certificate must not be trusted. For example, Let's Encrypt distributes certificates valid for 3 months. Vault will cache and return the certificate with a lease valid for up to 70% of its lifetime (this can be configured). When the client using the certificate sees the lease will expire shortly, it needs to refresh the secret from Consul and Vault will contact the ACME provider to have a new certificate.

If your agent is well behaved, like consul-template or the Vault agent, it should already look for the end of the lease and will contact Vault for a new cert when needed.

Does this answer your question?
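
As an added example (not part of this thread or of the vault-acme code), here is how the lease derivation described above can be computed in Go from a certificate's validity window: a percentage of the remaining validity, capped by a max TTL, and zero for an expired or not-yet-valid certificate. The function names, the `percent` parameter and the `maxTTL` cap are assumptions, and the certificate is constructed test data, not a Let's Encrypt issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// leaseTTL derives a Vault lease for a cached ACME certificate: a percentage
// (70 in the answer above) of the validity left at request time, capped by
// maxTTL. It returns 0 when the certificate is expired or not yet valid.
func leaseTTL(cert *x509.Certificate, now time.Time, percent int, maxTTL time.Duration) time.Duration {
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return 0 // unusable certificate: caller must request a fresh one
	}
	ttl := cert.NotAfter.Sub(now) * time.Duration(percent) / 100
	if maxTTL > 0 && ttl > maxTTL {
		ttl = maxTTL
	}
	return ttl
}

// newTestCert builds a self-signed certificate with the given validity window
// (constructed test data standing in for an ACME-issued certificate).
func newTestCert(notBefore time.Time, validity time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(validity)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert := newTestCert(issued, 90*24*time.Hour)          // 90-day certificate, as Let's Encrypt issues
	fmt.Println("lease:", leaseTTL(cert, issued, 70, 0)) // 1512h0m0s, i.e. 63 days
}
```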

hongkongkiwi commented 4 years ago

Yea, thanks!