Vault agent to renew cert

I have a vault agent that was set up from a previous Employee.

I am trying to understand how often this will pull the certificate in vault using a template?

Vault is supposed to do this automatically but not sure how often and what triggers it to poll and pull a new certificate? Is there some sort of variable that defines how often?

Thanks!

1 Like

Hi @darthVikes! Welcome to the forum. :smile:

Broadly speaking, Vault Agent will generate a new certificate whenever the Agent restarts or re-authenticates; but this will depend on the specifics of your configuration, including whether you’re using pkiCert or secret in the template itself.

Check out the Certificates subsection under Renewals and updating secrets, in the Vault Agent Template docs: Vault Agent Template | Vault | HashiCorp Developer

Thanks! We are using secret in the template to pull the secret out.

When I restart the agent it doesn’t seem to pull the new secret/ aka new cert that is in vault.

I did see a part in the documentation something about only pulling the certificate when it hits 90% before the cert expires?

There are no logs that I can find, looks like I would need to update the systemctl file to include logging parameters, but also a bit surprised that is not in there by default.

Thanks!

here is the vault-agent.hcl file

pid_file = "/run/vault-agent/vault-agent.pid"
exit_after_auth = false
vault {
  address = "https://vault.domain.com/"
}
auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "/etc/vault/roleid"
      secret_id_file_path = "/etc/vault/secretid"
      remove_secret_id_file_after_reading = "false"
      }
  }
}

cache {
   use_auto_auth_token = true
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = "true"
}

template {
  contents = "{{ with secret \"secret/certificates/lets_encrypt/domain\" }}{{ .Data.data.certificate }}{{ end }}"
  destination = "/etc/vault/secrets/letsencrypt.crt"
  command = "sudo /etc/vault/scripts/updatecert.sh"
  perms = "0640"
}

template {
  contents = "{{ with secret \"secret/certificates/lets_encrypt/domain\" }}{{ .Data.data.private_key }}{{ end }}"
  destination = "/etc/vault/secrets/letsencrypt.key"
  command = "sudo /etc/vault/scripts/updatecert.sh"
  perms = "0640"
}

I see it doesn’t include a template_config section? Should I include that? Would adding

template_config {
static_secret_render_interval = “10m”
exit_on_retry_failure = false
}

Would static_secret_render_interval have it check the secret every 10m with how I have the template set up?

Thanks!

Hey, sorry for the delay: I did my Terraform Associate recert yesterday. :grin:

I haven’t actually used that attribute to change the render interval, but I suspect that, in your case, Vault Agent will ignore it, as the rendered certificate will be a leased secret (as will the key) and that attribute is specifically for non-leased (i.e., static) secrets.

Oh, really? I assumed it would follow the general rule for renewable secrets of two-thirds of the lease.

I would definitely look at setting up operational logging, at DEBUG or maybe even TRACE, as well as audit logging (if that isn’t in place already): Troubleshooting Vault | Vault | HashiCorp Developer

No worries, nice. always good to have some certifications =)

Ok. So that attribute shouldn’t matter. leased secret? what makes it leased?

Of course, now I can’t find where it says that. I think it would be easier though to have a configuration to have it poll X number of minutes in case it updates earlier than it normally does.

Yah that will certainly help understand better what it is doing. It’s difficult to tell without that however, also not sure why that is not in the default systemctl service definition to what it should be doing. Of course I’m not seeing that in the github at all either now.

Apologies! I’ve just noticed that you’re actually using the secret template function to render the certificate (and key), rather than the pkiCert function. HashiCorp actually recommend you use the latter – just to cut down on unnecessarily generating certificates – but you can set the re-fetch interval of one generated via the secret function by configuring the generate_lease attribute: https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/template#rendering-using-the-secret-template-function

Right yes. I was looking at that attribute, but there doesn’t seem to be any examples. Do I put it in the agent config? Would I put it into just the top of the file? or in template_config area?

Also, It says it uses the Certificates validTo Field? When I am looking at the certificate, is that the same as “Not After” field or the expiration date of the certificate?

openssl x509 -in /etc/vault/secrets/letsencrypt.crt -text -noout

Also, curious if that is a default variable and if so if it is enabled by default or not.

Thanks!

That attribute is actually something that’s configured in Vault itself, against the role that is issuing the certificate: PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer

As you see, by default, it is false, meaning that Vault Agent will look for the validTo field, as mentioned.

To answer your other question on certificates more generally, I’m not really sure whether notAfter is equivalent to validTo; I did a quick search, and it seems the latter is associated with security tokens, rather than certificates per se (but take that few whole handfuls of salt, 'cause I’m no X.509 expert!). Either way, I suspect you’ll have to make sure that validTo is explicitly set in your certificates, as I doubt Vault will also look for a notAfter field, given what the documentation says.

So that goes back to the PKI Documentation? which we were not doing I don’t think with the secrets method at all which is just storing it as a Key Value Pair, and pulling those out so nothing fancy? But that variable is under the secrets paragraph not the rendering under the pkiCert function description.

am I off there?

So really if there is nothing else fancy with PKI, not sure how the Vault Agent would do it other than poll every 5m which would be good if there was a attribute/variable to configure how often that would poll would be.

Thanks!