Vault installed by the juju vault charm: certificate expired

I used Vault installed by juju. While I could still access it, the cert properties showed:
Vault Root Certificate Authority (charm-pki-local), expired March 11, 2023 10:34:43 PM
```yaml
# excerpt of the juju bundle; the nesting was lost in the post and is
# reconstructed here from the charm names and the relations below
applications:
  easyrsa: null
  kubernetes-worker:
    constraints: tags=kube-worker
    num_units: 3
  vault:
    charm: cs:vault
    num_units: 1
    options:
      auto-generate-root-ca-cert: true
      totally-unsecure-auto-unlock: true
  postgresql:
    charm: cs:postgresql
    num_units: 2
relations:
  - [kubernetes-master:certificates, vault:certificates]
  - [etcd:certificates, vault:certificates]
  - [kubernetes-worker:certificates, vault:certificates]
  - [vault:db, postgresql:db]
```

I tried a few fixes; now Vault will not start up at all.

Where is the certificate actually stored? The vault.hcl file shows:

```hcl
api_addr     = "..."   # values omitted in the post
cluster_addr = "..."

storage "postgresql" {
  connection_url = "postgresql://..."
}

ha_storage "etcd" {
  ha_enabled    = "true"
  address       = "https://172.17.xx.yyy:2379,,https://172.17.xx.bbb:2379"   # address list as posted
  tls_ca_file   = "/var/snap/vault/common/etcd-ca.pem"
  tls_cert_file = "/var/snap/vault/common/etcd-cert.pem"
  tls_key_file  = "/var/snap/vault/common/etcd.key"
  # Use tls_insecure_skip_verify due to "Vault is inaccessible if an etcd unit is lost"
  # (Issue #4961, hashicorp/vault on GitHub).
  # tls_insecure_skip_verify is currently only supported in the snap version of vault.
  tls_insecure_skip_verify = "true"
  tls_disable_client_certs = true
  etcd_api = "v3"
}
```

The Vault certs were configured to use an offline root.

I tried to recreate the certs using the same steps. After running

```
juju run-action --wait vault/0 disable-pki
```

I was not able to upload the certs:

```
juju run-action --wait vault/leader upload-signed-csr pem="$(cat ~/root-ca/intermediate_ca1.pem | base64)" root-ca="$(cat ~/root-ca/ca.pem | base64)"
```

Now Vault will not start at all.
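
As an added example (not from the original post or from the vault charm), this is the check I would run on the Vault unit before touching the PKI actions: a small shell script that pulls every tls_ca_file / tls_cert_file path out of vault.hcl and asks openssl whether each certificate is already expired or about to expire. It assumes openssl is on PATH and that the paths follow the ones shown above under /var/snap/vault/common/; the function names cert_status and check_vault_hcl are my own. The same cert_status function works on any PEM you pull out of Vault's PKI backend, such as the charm root CA.

```shell
#!/bin/sh
# Added example, not part of the original post or the vault charm.
# Assumes: openssl on PATH; certificate paths as in the tls_*_file lines of
# vault.hcl (e.g. /var/snap/vault/common/etcd-ca.pem). Function names are mine.

# cert_status FILE [WINDOW_SECONDS]
# Prints OK / EXPIRING / EXPIRED / MISSING for one PEM certificate.
# Returns 0 when the cert stays valid beyond WINDOW_SECONDS (default 30 days),
# 1 when it is expired or expires inside the window, 2 when unreadable.
cert_status() {
  pem="$1"
  window="${2:-2592000}"
  if [ ! -r "$pem" ]; then
    echo "MISSING  $pem"
    return 2
  fi
  subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject=//')
  na=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  # -checkend N exits non-zero if the cert expires within the next N seconds;
  # N=0 therefore means "already expired".
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED  $pem  notAfter=$na  subject=$subj"
    return 1
  fi
  if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
    echo "EXPIRING $pem  notAfter=$na  subject=$subj"
    return 1
  fi
  echo "OK       $pem  notAfter=$na  subject=$subj"
  return 0
}

# check_vault_hcl VAULT_HCL [WINDOW_SECONDS]
# Collects every tls_ca_file / tls_cert_file path in the config (the etcd
# ha_storage block and any listener block) and runs cert_status on each.
# Returns non-zero if any of them is missing, expired or expiring.
check_vault_hcl() {
  hcl="$1"
  window="${2:-2592000}"
  rc=0
  for f in $(sed -E -n 's/^[[:space:]]*tls_(ca|cert)_file[[:space:]]*=[[:space:]]*"([^"]*)".*/\2/p' "$hcl"); do
    cert_status "$f" "$window" || rc=1
  done
  return $rc
}

# Usage on the vault unit:
#   check_vault_hcl /var/snap/vault/common/vault.hcl
```

A non-zero exit from check_vault_hcl tells you which file to look at; an expired etcd CA or client cert explains a Vault that cannot reach its HA backend and therefore never comes up, while an expired charm root CA only shows up in the certificates Vault has issued, so check both.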

The formatting of your post is mangled. Please read: Welcome to the forum - please reformat your message

Although, looking closer, even if you cure the formatting issues, I don’t think it’ll affect my reply:

I am not familiar with this “juju” thing, but it seems to have wrapped Vault in a sufficiently thick layer of abstraction, that it makes it hard for you to get support from resources associated with the upstream Vault project.

For example… it sounds like you are talking about accessing the Vault API or UI:

But in the vault.hcl file you showed, there is no mention of any listener block at all, making me think it's either an incomplete paste, or this abstraction layer is doing something non-standard.

I think you may be best served trying to get support from the creators of this “juju vault charm” instead. (Unless you decide to get rid of juju and deploy Vault in a less encapsulated, customized way.)