pkiCert with consul template and output to multiple files

YafimK · October 9, 2022, 12:17pm

Hey
I’m using consul-template to retrieve certs from the vault and I’ve stumbled across pkiCert.
I can’t seem to find a way to use it in case I’m using multiple files - i.e. seperate files for cert, key and CA. Now, from what I’ve read, if the file is the cache for pkiCert - I guess its not possible.

Am I right? are there any alternatives?

maxb · October 9, 2022, 6:59pm

The only place this has been “documented” that I know of is

github.com/hashicorp/consul-template

Consul template ignoring rendered file, keeps generating certs at every reload or restart

opened 10:56AM - 08 Jul 22 UTC

closed 07:24PM - 08 Jul 22 UTC

tsiamer

question

Please note that the Consul Template issue tracker is reserved for bug reports …and enhancements. For general usage questions, please use the Consul Community Portal or the Consul mailing list: https://discuss.hashicorp.com/c/consul https://groups.google.com/forum/#!forum/consul-tool Please try to simplify the issue as much as possible and include all the details to replicate it. The shorter and simpler the bug is to reproduce the quicker it can be addressed. Thanks. ### Consul Template version Run `consul-template -v` to show the version. If you are not running the latest version, please upgrade before submitting an issue. consul-template v0.29.1 (4525703) ### Configuration ```hcl # Copy-paste your configuration files here. Only include what is necessary or # what you've changed from defaults. Include all referenced configurations. ``` template { source = "/etc/consul-template.d/nginxcert.tpl" destination = "/etc/nginx/certs/nginx.crt" perms = 0755 command = "systemctl reload nginx" } template { source = "/etc/consul-template.d/nginxkey.tpl" destination = "/etc/nginx/certs/nginx_key" command = "systemctl reload nginx" } template { source = "/etc/consul-template.d/test.tpl" destination = "/etc/consul-template.d/pki_cert.rendered.txt" } ```liquid # Copy-paste your Consul Template template here ``` template.hcl nginxcert.tpl {{ with secret "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" }} {{ .Data.certificate }} {{ .Data.issuing_ca }}{{ end }} nginxkey.tpl {{ with secret "pki_int/issue/nginx" "common_name==foo.example.com" "ttl=200h"}} {{ .Data.private_key }}{{ end }} test.tpl {{- with pkiCert "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" -}} Certificate: {{ .Cert }} Private Key: {{ .Key }} Authority: {{ .CA }} {{ end }} ```liquid # Include sample data you reference in the template from Consul or Vault here. ``` ### Command ```shell # Place your Consul Template command here ``` ### Debug output Provide a link to a GitHub Gist containing the complete debug output by running with `-log-level=trace`. ### Expected behaviour From this https://github.com/hashicorp/consul-template/issues/1259 What should have happened? The rendered template file as a sort of cache for it, checking for template destination for a file on startup/reload and, if it finds one, loads the cert from there. If that certificate is still good it will use it, if it is expired or not there it will fetch a new one from Vault. ### Actual behavior Consul template is ignoring the rendered file "pki_cert.rendered.txt", the cert keep getting regenerated at every reload or restart What actually happened? The cert keeps getting regenerated. ### Steps to reproduce 1. Create the files as above 2. Restart consul template systemctl restart consul-template.service 3. nginx.crt and nginx.key getting regenerated and ignoring the generated file pki_cert.rendered.txt to be used as for the local cache. ### References Are there any other GitHub issues (open or closed) that should be linked here? For example: - GH-1234 - ...