🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Steps to Reproduce
1. Follow the official documentation to configure step-ca in HashiCorp Vault RA mode: https://smallstep.com/docs/step-ca/registration-authority-ra-mode/#hashicorp-vault-ra-mode
2. Use the kubernetes auth type instead of the approle auth type.
3. Generate some certificates using the ACME provisioner.
4. Wait for more than 1 hour: the one-hour wait is for Vault's token to expire (ttl=3600s).
5. Generate some more certificates.
Your Environment
Kubernetes 1.23
Expected Behavior
Smallstep automatically renews Vault's token using the SA token, and step 5 generates certificates as it did in step 3.
Actual Behavior
Step 3 works fine, but step 5 gets the following error:
"error finalizing order: error signing certificate for order MI2w0LKPq5RzfG97bWZFSb5gl44fDkrq: authority.Sign; error creating certificate: error signing certificate: Error making API request.\n\nURL: PUT https://vault-kubeshift.apps.okd.advatys.com/v1/pki/sign/rsa-role\nCode: 403. Errors:\n\n* permission denied" fields.time="2023-01-09T16:22:17Z" method=POST name=ca nonce=bnQ1WmdKaUZTQXR1bWRIWlJjanVMclFBNmd0bU96VHQ path=/acme/acme/order/MI2w0LKPq5RzfG97bWZFSb5gl44fDkrq/finalize protocol=HTTP/1.1 referer= remote-address=10.129.3.45 request-id=ceu3uedst9ns73a0em3g response="
Additional Context
Vault's token ttl=3600s
Vault's client can't automatically reload a token provided by Vault's KubernetesAuthAuthMethod. So instead, we will need to load the token in our code and set the client token again when necessary.
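The token-reload approach described in that comment, as an added example that is not step-ca's or Vault's own code: a small RA client that re-runs the Kubernetes login before the client token goes stale and retries once when Vault answers 403. The `Login` and `Sign` hooks are assumptions standing in for `auth/kubernetes/login` (client_token plus lease_duration) and `PUT pki/sign/<role>`, so the logic can be exercised with an injected clock.

```go
package main

import (
	"errors"
	"time"
)

// ErrPermissionDenied models Vault's "Code: 403 ... permission denied" reply.
var ErrPermissionDenied = errors.New("permission denied")

// VaultRA holds a Kubernetes-auth client token and logs in again when it
// expires. Login stands for auth/kubernetes/login with the pod's SA JWT
// (client_token, lease_duration); Sign stands for PUT pki/sign/<role>.
// Both are assumed hooks, not step-ca or vault/api types.
type VaultRA struct {
	Login  func() (token string, ttl time.Duration, err error)
	Sign   func(token string, csr []byte) ([]byte, error)
	Now    func() time.Time // injectable clock
	token  string
	expiry time.Time
}

// ensureToken logs in when no token is held, it is stale, or force is set.
// A token counts as stale at 90% of its lease so a request never races it.
func (r *VaultRA) ensureToken(force bool) error {
	if !force && r.token != "" && r.Now().Before(r.expiry) {
		return nil
	}
	tok, ttl, err := r.Login()
	if err != nil {
		return err
	}
	r.token, r.expiry = tok, r.Now().Add(ttl*9/10)
	return nil
}

// SignCSR refreshes the token if needed and retries once after a 403, which
// also covers a token revoked before its TTL ran out.
func (r *VaultRA) SignCSR(csr []byte) ([]byte, error) {
	if err := r.ensureToken(false); err != nil {
		return nil, err
	}
	cert, err := r.Sign(r.token, csr)
	if errors.Is(err, ErrPermissionDenied) {
		if err = r.ensureToken(true); err != nil {
			return nil, err
		}
		cert, err = r.Sign(r.token, csr)
	}
	return cert, err
}
func main() {}
```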