PKI with ACME Certs issued with certbot valid only 7 Days

mkrnb8 · February 12, 2024, 10:53am

Hi there,

I’ve set up Vault with PKI intermediate CA, activated ACME ad tuned issued certs to TTL=90d
This works fine.
When I use ACME with Certbot, the certificates get a validity for only 7 Days.

I figured out, this comes from the “default lease TTL” showed on the Dashboard in the Configuration details area.

I set it to ttl= 30 days and the new issued certificates also got this validity period and still ignoring the default_ttl from the PKI role.

How to solve it? I don’t want to set the default ttl for the “whole system” tokens to 90 days to get certificates valid for 90 days.

StevenClark · February 15, 2024, 4:27am

Hello,

If you are using a role within your acme configuration’s “Default directory policy”, ACME should be using that role’s TTL and/or MaxTTL value.

Things that might also influence it down to 7 days could be the mount’s values for default lease ttl and/or max lease ttl. Finally have a look at the the CA’s expiration date as ACME issuance will not issue a certificate beyond it and will automatically truncate.

Topic		Replies	Views
Vault PKI lease and ttl Vault	0	343	June 16, 2021
How can I solve the following problem? Vault vault	7	3741	January 10, 2022
Vault PKI roles overriding max-lease-tll set in pki backend .. is this expected? Vault	0	388	November 19, 2020
Database Dynamic Secrets - users/leases being expired before max TTL Vault vault	6	2342	May 28, 2022
Vault-agent PKI: Higher renewal frequency than ttl Vault	1	369	August 9, 2022

PKI with ACME Certs issued with certbot valid only 7 Days

Related topics