Vault binary: reread certificate file without restart / unseal?

MichaelRenner · May 26, 2021, 9:20am

Moin,

our test environment has been running for a few months now. The time will come when the certificates for encrypting port 8200 itself will expire. No problem generating new ones. But can I swap them without restarting? I want to avoid the unseal process.

Thanks for answers

fhemberger · May 26, 2021, 9:28am

I’m not sure if Vault reloads TLS certificates when receiving SIGHUP. There has been some discussion about it, but maybe someone knows whats the latest status on this:

github.com/hashicorp/vault

Allow vault to reload its config without sealing the vault

opened 05:31PM - 12 Jul 15 UTC

closed 01:28PM - 15 Aug 16 UTC

BRMatt

Quite often CF systems are configured to restart/reload services when their conf…iguration changes. In the case of Vault this would seal all servers, resulting in downtime, and would require operator intervention to fix. There are situations where the Vault configuration may change intentionally (e.g. the `statsd` address changes), or unintentionally (someone refactoring chef cookbooks accidentally removes trailing whitespace from the config file). Admittedly it could be possible to reconfigure and unseal each Vault server individually, but this requires a lot of manual work and increases the risk of downtime. In an ideal world, Vault would be able to safely reload its configuration from disk, whilst keeping the vault unsealed. One thing to bear in mind is that this could potentially allow an attacker to reconfigure Vault in a harmful way (e.g. changing the storage backends), but on the other hand, a properly configured server should prevent unauthorised users from editing Vault's configuration. Given that the [security model](https://vaultproject.io/docs/internals/security.html) excludes memory analysis, excluding Vault's configuration from being edited doesn't seem unreasonable, especially as an attacker could always change the config and wait for an operator to restart the service. Thoughts?

mikegreen · May 27, 2021, 4:40pm

Yes.
On SIGHUP, the path set here at Vault startup will be used for reloading the certificate

See here for full details:

fhemberger · May 27, 2021, 5:03pm

Awesome, thank you, @mikegreen!

MichaelRenner · May 28, 2021, 1:09pm

Thanks so much! This makes thinks more easy.

MichaelRenner · May 29, 2021, 12:01pm

yes, works wonderfully. Only Firefox still shows the old certificate / expiration date after a SIGHUP to the process and a reload of the page. But openssl direct on the port shows the new data. I was confused for a moment.

root@hermes:~# echo "" | openssl s_client -connect localhost:8200 | openssl x509 -in /dev/stdin -noout -startdate
notBefore=May 29 11:46:47 2021 GMT

This makes live very easy.