Consul template keeps refetching certificate on restart or reload

Following this Special Note: This function uses the template file destination as a cache for the certificate to prevent Consul-Template from re-fetching it on reload or restart. This special behavior is to better work with Vault’s PKI behavior of always returning a new certificate even if the current one is still good. Using the destination file as a local “cache” allows Consul-Template to check for the certificate in that local file and, if found, parse it and checks it’s valid date range only fetching a new certificate if the local one has expired. It can only get re-populate the fields (Cert, CA, Key) if that data is in the file. Eg. If you don’t include the CA in the file the CA field will be blank when loading from cache. And note that you must include the Certificate itself in this file as it contains the TTL/expiration data,

{{ with pkiCert “pki/issue/my-domain-dot-com” “” }}
Certificate: {{ .Cert }}
Private Key: {{ .Key }}
Cert Authority: {{ .CA }}
{{ end }}

and have template saved as .txt it seem that the file is not honored and the cert keep getting generated, anyone experiencing this?

Solution here if anyone is experiencing the same headache.

Thanks to Inotsacred and eikenb - John Eikenberry.

1 Like