hi,
I followed this tutorial: Generate mTLS certificates for Nomad using Vault | Nomad | HashiCorp Developer
and it works for roughly 30 min and then starts failing with:
| * invalid role or secret ID
and I don't understand why. I thought that Vault Agent mode handles all of the login and refresh/renew of the secret ID.
To get it working again, I need to recreate a secret ID and restart the Vault Agent process.
So, what is missing in the how-to?
Any suggestions?
cu denny
[edit] Ignore all that if you saw it - Vault Agent should be fetching a new token when the current one expires. I’ll see if I can reproduce.
Re-reading the tutorial, what if you switch the token type to service here?
Hello @jonathanfrappier
thanks for the reply and help.
I used batch (where you can't(!) refresh the token) and switched to service. At the end of the day, it makes no difference: Vault Agent is unhappy because the secret_id has expired, and then it can't log in anymore.
I'm asking myself whether the tutorial doesn't handle the part about replacing the secret_id …
What I'm doing now is setting a very high secret_id_ttl (I haven't tested whether 0s would also work), but it seems to me the wrong way.
cu denny
Thanks for confirming, I'll try to replicate this shortly. In speaking with some of the engineers internally, the consensus was that Vault Agent should be able to get a new token, but tbh I'm less familiar with Vault Agent and Nomad.
hi,
it's not about the token. If you have type service, it can be refreshed as long as the secret_id_ttl has not expired. But if you use batch as type .. …
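The mechanism the thread is circling around: Vault Agent's AppRole auto-auth renews the token it holds (if it is a renewable service token), and when it has to log in again it re-reads role_id and secret_id from the files in its config. It never mints a new secret ID itself, so once the role's secret_id_ttl has elapsed the re-login fails with exactly the "invalid role or secret ID" error quoted above. Something outside the agent has to rotate the secret ID before that happens. The script below is an added example, not code from the HashiCorp tutorial, from Vault Agent or from anyone in this thread. It looks up the secret ID the agent currently has on disk, and if it is unknown, expired or close to expiry, issues a fresh one and atomically replaces the file. It assumes VAULT_ADDR and VAULT_TOKEN in the environment (a token allowed to call the role's secret-id and secret-id/lookup endpoints); the role name "nomad-cluster" and the file path in the main block are hypothetical placeholders.

```python
"""Check and rotate the AppRole secret ID that Vault Agent reads from disk.

Added example for this thread, not the tutorial's or Vault Agent's own code.
Assumes VAULT_ADDR and VAULT_TOKEN are set; role name and file path below
are hypothetical.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone
from typing import Optional


def parse_vault_time(ts: str) -> datetime:
    """Parse Vault's RFC3339 UTC timestamps, e.g. 2024-05-01T12:40:00.123456789Z.
    Go emits up to nine fractional digits; datetime takes six, so truncate."""
    ts = ts.rstrip("Z")
    if "." in ts:
        whole, frac = ts.split(".", 1)
        ts = f"{whole}.{frac[:6].ljust(6, '0')}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def secret_id_seconds_left(lookup: dict, now: datetime) -> Optional[float]:
    """Seconds until expiration_time of the "data" object returned by
    auth/approle/role/<role>/secret-id/lookup. A role with secret_id_ttl=0
    issues secret IDs with no time-based expiry, reported here as None
    (secret_id_num_uses may still cap them; that is not checked here)."""
    if int(lookup.get("secret_id_ttl", 0)) == 0:
        return None
    return (parse_vault_time(lookup["expiration_time"]) - now).total_seconds()


def needs_rotation(lookup: dict, now: datetime, min_remaining: float) -> bool:
    """True when lookup returned nothing (unknown or already expired secret ID)
    or when fewer than min_remaining seconds of its TTL remain."""
    if not lookup:
        return True
    left = secret_id_seconds_left(lookup, now)
    return left is not None and left < min_remaining


def write_secret_id_file(secret_id: str, path: str) -> None:
    """Atomically replace the secret_id file Vault Agent's auto-auth reads:
    mode 0600, write to a temp file, then rename, so the agent never sees a
    half-written file. Keep remove_secret_id_file_after_reading = false in
    the agent config, otherwise the agent deletes the file after first use."""
    tmp = f"{path}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret_id)
    os.replace(tmp, path)


def vault_request(method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Vault HTTP API call; returns the "data" object, {} on an empty
    (204) response, which is what lookup gives for an unknown secret ID."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method, data=data,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw).get("data", {}) if raw else {}


def rotate_if_needed(role: str, secret_id_file: str,
                     min_remaining: float = 900.0) -> bool:
    """Issue a fresh secret ID for `role` and write it for Vault Agent when the
    current one is missing, expired or within min_remaining seconds of expiry."""
    now = datetime.now(timezone.utc)
    lookup: dict = {}
    if os.path.exists(secret_id_file):
        with open(secret_id_file) as fh:
            current = fh.read().strip()
        if current:
            lookup = vault_request(
                "POST", f"auth/approle/role/{role}/secret-id/lookup",
                {"secret_id": current})
    if not needs_rotation(lookup, now, min_remaining):
        return False
    new = vault_request("POST", f"auth/approle/role/{role}/secret-id", {})
    write_secret_id_file(new["secret_id"], secret_id_file)
    return True


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "nomad-cluster"  # hypothetical
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/vault-agent.d/secret_id"
    print("rotated" if rotate_if_needed(role, path) else "still valid")
```

Run it from a cron job or systemd timer more often than the role's secret_id_ttl, with min_remaining larger than the interval. Issuing a new secret ID does not revoke the old ones, so the agent's current token and its renewals are unaffected; the new file is only read at the agent's next login, which is exactly the moment that was failing. With service tokens that moment comes at token max TTL, with batch tokens at every token expiry, so the batch case simply hits the expired secret ID sooner.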