How to use pkiCert with Vault agent template?

brucellino1 · September 6, 2022, 5:17am

Hello all!

Vault and consul-template details

consul-template v0.29.2 (06389a3)
Vault v1.11.3 (17250b25303c6418c283c95b1d5a9c9f16174fe8), built 2022-08-26T10:27:10Z

I would like to have Vault Agent issue a a certificate to each of the machines which can authenticate via AppRole, but I’m having trouble writing the data in the correct places - I wonder if I’m going about this wrong.

My use case is:

Intermediate CA set up to issue PKI certs with a given role. Root CA is also in the same vault.
Vault Agent installed and configured on machines, with a pre-distributed role-id allowing them to authenticate via the “pull” secret-id method.
several vault agent templates describing what data to watch and where to write secret.
1. ca.ctmpl → writes {{ .Data.ca_certificate }}
2. cert.ctmpl → writes {{ .Data.certificate }}
3. key.ctmpl → writes {{ .Data.private_key }}

I originally used a {{ with secret "<intermediate ca path>/issue/<role>" }} which worked ok, but issued too many certs, perhaps because three templates meant three calls to Vault.

I noted that the version of Vault which I’m using supports pkiCert secret types, so I tried that, but I got a lovely segfalt:

2022-09-05T18:37:00.528+0200 [INFO]  sink.server: starting sink server
2022-09-05T18:37:00.528+0200 [INFO]  auth.handler: starting auth handler
2022-09-05T18:37:00.529+0200 [INFO]  auth.handler: authenticating
2022-09-05T18:37:00.528+0200 [INFO]  template.server: starting template server
2022-09-05T18:37:00.530+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.537+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.660+0200 [INFO]  auth.handler: authentication successful, sending token to sinks
2022-09-05T18:37:00.661+0200 [INFO]  template.server: template server received new token
2022-09-05T18:37:00.661+0200 [INFO] (runner) stopping
2022-09-05T18:37:00.661+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.662+0200 [INFO]  auth.handler: starting renewal process
2022-09-05T18:37:00.663+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.664+0200 [INFO] (runner) starting
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x2b8 pc=0x27b7320]

goroutine 38 [running]:
github.com/hashicorp/consul-template/dependency.goodFor(0x0)
	/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:114 +0x20
github.com/hashicorp/consul-template/dependency.(*VaultPKIQuery).Fetch.func1(0x0)
	/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:89 +0x124
github.com/hashicorp/consul-template/dependency.(*VaultPKIQuery).Fetch(0x400073ad40, 0x40007354a0, 0x40007762a0)
	/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:96 +0xf4
github.com/hashicorp/consul-template/watch.(*View).fetch(0x400073f280, 0x4000736780, 0x40007367e0, 0x4000574e40)
	/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/watch/view.go:203 +0x110
created by github.com/hashicorp/consul-template/watch.(*View).poll
	/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/watch/view.go:117 +0xc8

The template looks like this:

{{ with pkiCert "<mount>/issue/<role> "common_name=<cn>" "ttl=24h" }}
{{ .Data.CA }}
{{ end }}

It seems that it’s segfaulting on the goodFor function which takes a cert – the null pointer there seems to say that no cert was issued.

Note that only the pkiCert function fails - the secret function with the same arguments issues a cert no problem. My CA is mounted on a nonstandard path, so I’m wondering if maybe this is the issue?

Thanks!
Bruce

maxb · September 6, 2022, 7:40am

The only “documentation” I know of on how to correctly use pkiCert is this comment:

github.com/hashicorp/consul-template

Consul template ignoring rendered file, keeps generating certs at every reload or restart

opened 10:56AM - 08 Jul 22 UTC

closed 07:24PM - 08 Jul 22 UTC

tsiamer

question

Please note that the Consul Template issue tracker is reserved for bug reports …and enhancements. For general usage questions, please use the Consul Community Portal or the Consul mailing list: https://discuss.hashicorp.com/c/consul https://groups.google.com/forum/#!forum/consul-tool Please try to simplify the issue as much as possible and include all the details to replicate it. The shorter and simpler the bug is to reproduce the quicker it can be addressed. Thanks. ### Consul Template version Run `consul-template -v` to show the version. If you are not running the latest version, please upgrade before submitting an issue. consul-template v0.29.1 (4525703) ### Configuration ```hcl # Copy-paste your configuration files here. Only include what is necessary or # what you've changed from defaults. Include all referenced configurations. ``` template { source = "/etc/consul-template.d/nginxcert.tpl" destination = "/etc/nginx/certs/nginx.crt" perms = 0755 command = "systemctl reload nginx" } template { source = "/etc/consul-template.d/nginxkey.tpl" destination = "/etc/nginx/certs/nginx_key" command = "systemctl reload nginx" } template { source = "/etc/consul-template.d/test.tpl" destination = "/etc/consul-template.d/pki_cert.rendered.txt" } ```liquid # Copy-paste your Consul Template template here ``` template.hcl nginxcert.tpl {{ with secret "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" }} {{ .Data.certificate }} {{ .Data.issuing_ca }}{{ end }} nginxkey.tpl {{ with secret "pki_int/issue/nginx" "common_name==foo.example.com" "ttl=200h"}} {{ .Data.private_key }}{{ end }} test.tpl {{- with pkiCert "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" -}} Certificate: {{ .Cert }} Private Key: {{ .Key }} Authority: {{ .CA }} {{ end }} ```liquid # Include sample data you reference in the template from Consul or Vault here. ``` ### Command ```shell # Place your Consul Template command here ``` ### Debug output Provide a link to a GitHub Gist containing the complete debug output by running with `-log-level=trace`. ### Expected behaviour From this https://github.com/hashicorp/consul-template/issues/1259 What should have happened? The rendered template file as a sort of cache for it, checking for template destination for a file on startup/reload and, if it finds one, loads the cert from there. If that certificate is still good it will use it, if it is expired or not there it will fetch a new one from Vault. ### Actual behavior Consul template is ignoring the rendered file "pki_cert.rendered.txt", the cert keep getting regenerated at every reload or restart What actually happened? The cert keeps getting regenerated. ### Steps to reproduce 1. Create the files as above 2. Restart consul template systemctl restart consul-template.service 3. nginx.crt and nginx.key getting regenerated and ignoring the generated file pki_cert.rendered.txt to be used as for the local cache. ### References Are there any other GitHub issues (open or closed) that should be linked here? For example: - GH-1234 - ...

As for the panic, that’s likely worth opening an issue in the project’s issues.

allcats · September 16, 2022, 12:30pm

I have exactly the same issue. Documented here Vault agent crashes after restart · Issue #17166 · hashicorp/vault · GitHub