Following this Special Note: This function uses the template file destination as a cache for the certificate to prevent Consul-Template from re-fetching it on reload or restart. This special behavior is to better work with Vault's PKI behavior of always returning a new certificate even if the current one is still good. Using the destination file as a local "cache" allows Consul-Template to check for the certificate in that local file and, if found, parse it and check its validity date range, only fetching a new certificate if the local one has expired. It can only re-populate the fields (Cert, CA, Key) if that data is in the file. E.g. if you don't include the CA in the file, the CA field will be blank when loading from cache. And note that you must include the Certificate itself in this file as it contains the TTL/expiration data:

```liquid
{{ with pkiCert "pki/issue/my-domain-dot-com" "common_name=foo.example.com" }}
Certificate: {{ .Cert }}
Private Key: {{ .Key }}
Cert Authority: {{ .CA }}
{{ end }}
```

And with the template saved as .txt, it seems that the file is not honored and the cert keeps getting generated. Anyone experiencing this?
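To make the cache behaviour described in the Special Note concrete, here is an added Go example (written for this page, not consul-template's own code and not from the original post). It walks the PEM blocks of a rendered destination file into the three fields the note names (Cert, Key, CA), then decides from the leaf certificate's NotBefore/NotAfter whether a refetch is needed; a file without the certificate block can never be reused, which is the note's warning. The names `CachedPKI`, `parseRendered`, `needsRenewal`, `selfSigned` and `sampleRendered` are assumptions of this example, and the certificates are constructed self-signed test data rather than Vault output.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrNoCert: the rendered file holds no leaf certificate, so there is no
// expiry to check and a fresh issue from Vault is the only option.
var ErrNoCert = errors.New("no certificate in rendered file")

// CachedPKI mirrors the pkiCert fields (.Cert, .Key, .CA); a field stays empty
// when its PEM block is absent from the file, as the Special Note describes.
type CachedPKI struct{ Cert, Key, CA string }

// parseRendered collects every PEM block in a rendered destination file.
// encoding/pem only recognises "-----BEGIN " at the start of a line, so a label
// on the same line ("Certificate: -----BEGIN ...") would hide the block; the
// input is normalised first. Certificates are sorted by their CA basic
// constraint, not by their position in the file.
func parseRendered(rendered []byte) CachedPKI {
	var out CachedPKI
	rest := bytes.ReplaceAll(rendered, []byte("-----BEGIN "), []byte("\n-----BEGIN "))
	for block, r := pem.Decode(rest); block != nil; block, r = pem.Decode(r) {
		encoded := string(pem.EncodeToMemory(block))
		switch {
		case block.Type == "CERTIFICATE":
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				continue // undecodable block: not cached
			}
			if cert.IsCA {
				out.CA = encoded
			} else {
				out.Cert = encoded
			}
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			out.Key = encoded
		}
	}
	return out
}

// needsRenewal is the cache decision: refetch when no leaf certificate was
// cached (ErrNoCert) or when now lies outside its NotBefore/NotAfter window.
func needsRenewal(c CachedPKI, now time.Time) (bool, error) {
	if c.Cert == "" {
		return true, ErrNoCert
	}
	block, _ := pem.Decode([]byte(c.Cert))
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return true, err
	}
	return now.Before(cert.NotBefore) || now.After(cert.NotAfter), nil
}

// selfSigned builds a constructed test certificate and key (not Vault output).
func selfSigned(cn string, isCA bool, notBefore, notAfter time.Time) (certPEM, keyPEM string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
}

// sampleRendered constructs what the Special Note's template writes to its
// destination, optionally without the leaf certificate (the mistake the note
// warns about) or with an already-expired leaf.
func sampleRendered(now time.Time, includeCert, expired bool) []byte {
	nb, na := now.Add(-time.Hour), now.Add(200*time.Hour)
	if expired {
		nb, na = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	}
	leaf, key := selfSigned("foo.example.com", false, nb, na)
	ca, _ := selfSigned("Example Issuing CA", true, now.Add(-24*time.Hour), now.Add(8760*time.Hour))
	if !includeCert {
		leaf = ""
	}
	return []byte(fmt.Sprintf("Certificate: %sPrivate Key: %sCert Authority: %s", leaf, key, ca))
}

func main() {
	now := time.Now()
	c := parseRendered(sampleRendered(now, true, false))
	renew, err := needsRenewal(c, now)
	fmt.Printf("cached cert=%t key=%t ca=%t -> refetch=%t (%v)\n", c.Cert != "", c.Key != "", c.CA != "", renew, err)
}
```

The normalisation step is the practitioner's caveat here: Go's `encoding/pem` finds a BEGIN marker only at the start of a line, so a rendered file that puts a label and the PEM header on one line needs that treatment before any block can be read back. The example does not claim to reproduce consul-template's own parser, so it does not by itself explain the behaviour reported in this thread.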
Solution here if anyone is experiencing the same headache.
opened 10:56AM - 08 Jul 22 UTC
question
Please note that the Consul Template issue tracker is reserved
for bug reports … and enhancements. For general usage questions,
please use the Consul Community Portal or the Consul mailing list:
https://discuss.hashicorp.com/c/consul
https://groups.google.com/forum/#!forum/consul-tool
Please try to simplify the issue as much as possible and include all the
details to replicate it. The shorter and simpler the bug is to reproduce the
quicker it can be addressed. Thanks.
### Consul Template version
Run `consul-template -v` to show the version. If you are not
running the latest version, please upgrade before submitting an
issue.
consul-template v0.29.1 (4525703)
### Configuration
template.hcl
```hcl
template {
  source      = "/etc/consul-template.d/nginxcert.tpl"
  destination = "/etc/nginx/certs/nginx.crt"
  perms       = 0755
  command     = "systemctl reload nginx"
}
template {
  source      = "/etc/consul-template.d/nginxkey.tpl"
  destination = "/etc/nginx/certs/nginx_key"
  command     = "systemctl reload nginx"
}
template {
  source      = "/etc/consul-template.d/test.tpl"
  destination = "/etc/consul-template.d/pki_cert.rendered.txt"
}
```
nginxcert.tpl
```liquid
{{ with secret "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}{{ end }}
```
nginxkey.tpl
```liquid
{{ with secret "pki_int/issue/nginx" "common_name=foo.example.com" "ttl=200h" }}
{{ .Data.private_key }}{{ end }}
```
test.tpl
```liquid
{{- with pkiCert "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" -}}
Certificate: {{ .Cert }}
Private Key: {{ .Key }}
Authority: {{ .CA }}
{{ end }}
```
```liquid
# Include sample data you reference in the template from Consul or Vault here.
```
### Command
```shell
# Place your Consul Template command here
```
### Debug output
Provide a link to a GitHub Gist containing the complete debug
output by running with `-log-level=trace`.
### Expected behaviour
From this https://github.com/hashicorp/consul-template/issues/1259
What should have happened?
The rendered template file is used as a sort of cache: Consul Template checks the template destination for a file on startup/reload and, if it finds one, loads the cert from there. If that certificate is still good it will use it; if it is expired or not there it will fetch a new one from Vault.
### Actual behavior
Consul Template is ignoring the rendered file "pki_cert.rendered.txt"; the cert keeps getting regenerated at every reload or restart.
What actually happened?
The cert keeps getting regenerated.
### Steps to reproduce
1. Create the files as above.
2. Restart Consul Template: `systemctl restart consul-template.service`
3. nginx.crt and nginx.key get regenerated, ignoring the generated file pki_cert.rendered.txt that should be used as the local cache.
### References
Are there any other GitHub issues (open or closed) that should
be linked here? For example:
- GH-1234
- ...
Thanks to Inotsacred and eikenb - John Eikenberry.