YafimK
October 9, 2022, 12:17pm
1
Hey
I’m using consul-template to retrieve certs from the vault and I’ve stumbled across pkiCert.
I can’t seem to find a way to use it in case I’m using multiple files - i.e. separate files for cert, key and CA. Now, from what I’ve read, if the file is the cache for pkiCert - I guess it’s not possible.
Am I right? Are there any alternatives?
maxb
October 9, 2022, 6:59pm
2
The only place this has been “documented” that I know of is
opened 10:56AM - 08 Jul 22 UTC
closed 07:24PM - 08 Jul 22 UTC
question
### Consul Template version
Run `consul-template -v` to show the version. If you are not
running the latest version, please upgrade before submitting an
issue.
consul-template v0.29.1 (4525703)
### Configuration
```hcl
# Copy-paste your configuration files here. Only include what is necessary or
# what you've changed from defaults. Include all referenced configurations.
template {
  source      = "/etc/consul-template.d/nginxcert.tpl"
  destination = "/etc/nginx/certs/nginx.crt"
  perms       = 0755
  command     = "systemctl reload nginx"
}
template {
  source      = "/etc/consul-template.d/nginxkey.tpl"
  destination = "/etc/nginx/certs/nginx_key"
  command     = "systemctl reload nginx"
}
template {
  source      = "/etc/consul-template.d/test.tpl"
  destination = "/etc/consul-template.d/pki_cert.rendered.txt"
}
```
```liquid
# Copy-paste your Consul Template template here
```
template.hcl
nginxcert.tpl
```liquid
{{ with secret "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}{{ end }}
```
nginxkey.tpl
```liquid
{{ with secret "pki_int/issue/nginx" "common_name==foo.example.com" "ttl=200h"}}
{{ .Data.private_key }}{{ end }}
```
test.tpl
```liquid
{{- with pkiCert "pki_int/issue/nginx" "ttl=200h" "common_name=foo.example.com" -}}
Certificate: {{ .Cert }}
Private Key: {{ .Key }}
Authority: {{ .CA }}
{{ end }}
```
### Expected behaviour
From this https://github.com/hashicorp/consul-template/issues/1259
What should have happened?
The rendered template file as a sort of cache for it, checking for template destination for a file on startup/reload and, if it finds one, loads the cert from there. If that certificate is still good it will use it; if it is expired or not there it will fetch a new one from Vault.
### Actual behavior
Consul template is ignoring the rendered file "pki_cert.rendered.txt"; the cert keeps getting regenerated at every reload or restart.
What actually happened?
The cert keeps getting regenerated.
### Steps to reproduce
1. Create the files as above
2. Restart consul template: `systemctl restart consul-template.service`
3. nginx.crt and nginx.key get regenerated, ignoring the generated file pki_cert.rendered.txt that is to be used as the local cache.
2 Likes
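
The expected behaviour quoted in the issue above (reuse the certificate found in the rendered file while it is still good, otherwise fetch a new one) comes down to a check like the one below, which also shows that a destination holding only the private key gives such a check nothing to validate. This is an added Go example, not consul-template's own code and not part of either post; `reusable` and `sample` are hypothetical names and the certificate is a constructed self-signed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// reusable reports whether the first CERTIFICATE block in a rendered file is valid at now.
func reusable(rendered []byte, now time.Time) bool {
	for rest := rendered; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return false // no certificate in this file, so nothing to reuse
		}
		if block.Type == "CERTIFICATE" {
			cert, err := x509.ParseCertificate(block.Bytes)
			return err == nil && !now.Before(cert.NotBefore) && now.Before(cert.NotAfter)
		}
	}
}

// sample returns a constructed self-signed certificate and its key, PEM encoded.
func sample(notBefore time.Time, ttl time.Duration) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore,
		NotAfter: notBefore.Add(ttl), Subject: pkix.Name{CommonName: "foo.example.com"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	now := time.Now()
	cert, key := sample(now.Add(-time.Hour), 200*time.Hour)
	fmt.Println("cert+key file:", reusable(append(cert, key...), now))
	fmt.Println("key-only file:", reusable(key, now))
	fmt.Println("after expiry: ", reusable(cert, now.Add(201*time.Hour)))
}
```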