SSL certificate reload without restart #5387
Vault certificates can be reloaded by sending a SIGHUP signal to the server: https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cert_file
Here is a good explanation of how to send SIGHUP: https://support.hashicorp.com/hc/en-us/articles/5767318985107-Vault-SIGHUP-Behavior
This was an incredibly helpful find! So nice to have a method that doesn't require downtime or heavier unseal steps. Is there a recommended mechanism for performing this action automatically? We have automated certificate renewals in our Kubernetes cluster and are susceptible to client errors if we don't do this operation in a timely manner.
Better late than never... if you happen to be using the packages that include systemd units you can simply do
I don't think that works well inside Kubernetes. Some options we have are to run a sidecar container that performs the SIGHUP/systemctl command, but you have to share the process namespace between the containers. Alternatively, one could modify the Docker image to launch a simpler process that watches for certificate updates on disk and reloads them. It would be great if there was an endpoint we could hit through the HTTP API. The sidecar approach would work well in that scenario.
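The two mechanisms discussed above (SIGHUP to reload `tls_cert_file`/`tls_key_file`, and a small watcher process or sidecar that notices renewed certificates on disk and triggers the reload) combined into one script. This is an added example, not code from the issue, from HashiCorp, or from the Vault project. It assumes the watcher runs either in the Vault container or in a sidecar with `shareProcessNamespace: true` so that `kill -HUP` can reach the `vault` process; the paths `/vault/tls/tls.crt` and `/vault/tls/tls.key` and the environment variable names are hypothetical. It polls by content hash rather than mtime because Kubernetes Secret and cert-manager mounts rotate files by swapping a symlink, and it refuses to signal Vault while the cert and key on disk do not belong together, which is the state a half-finished renewal leaves behind.

```shell
#!/bin/sh
# Added example (not from the issue or the Vault project): reload Vault's
# listener TLS material by SIGHUP when the cert/key pair on disk changes.
# Assumptions (hypothetical): paths below, and that `vault` is visible in
# this process namespace (same container, or a sidecar with
# shareProcessNamespace: true).

CERT_FILE="${CERT_FILE:-/vault/tls/tls.crt}"
KEY_FILE="${KEY_FILE:-/vault/tls/tls.key}"
POLL_SECONDS="${POLL_SECONDS:-30}"

# SHA-256 of a file's contents; empty string when the file is missing or
# unreadable. Content hashing is used instead of mtime because Kubernetes
# rotates mounted secrets via a symlink swap, which need not touch mtime.
fingerprint() {
    [ -r "$1" ] || { echo ""; return 0; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Cert and key hashed together: a change to either one is a candidate reload.
tls_fingerprint() {
    printf '%s:%s\n' "$(fingerprint "$CERT_FILE")" "$(fingerprint "$KEY_FILE")"
}

# Exit status 0 when the on-disk pair differs from the fingerprint passed in.
changed() {
    [ "$1" != "$(tls_fingerprint)" ]
}

# The public key in the certificate must match the private key; Vault cannot
# serve a mismatched pair, so a renewal caught mid-write must not be reloaded.
keypair_matches() {
    c="$(openssl x509 -noout -pubkey -in "$CERT_FILE" 2>/dev/null | openssl sha256)"
    k="$(openssl pkey -in "$KEY_FILE" -pubout 2>/dev/null | openssl sha256)"
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Locate the vault server process (pgrep is present in most base images).
vault_pid() {
    pgrep -x vault | head -n 1
}

# SIGHUP makes Vault re-read tls_cert_file/tls_key_file; the seal is untouched.
reload_vault() {
    pid="$(vault_pid)"
    [ -n "$pid" ] || { echo "vault process not found" >&2; return 1; }
    kill -HUP "$pid"
}

# Poll loop: only advance the remembered fingerprint once a reload succeeded,
# so a failed or deferred reload is retried on the next tick.
watch_loop() {
    last="$(tls_fingerprint)"
    while :; do
        sleep "$POLL_SECONDS"
        if changed "$last"; then
            if keypair_matches; then
                reload_vault && last="$(tls_fingerprint)"
            else
                echo "cert/key mismatch on disk, waiting for renewal to finish" >&2
            fi
        fi
    done
}

case "${1:-}" in
    watch) watch_loop ;;
esac
```

Run it as the sidecar's command (`sh reload-on-renew.sh watch`). The reload only replaces the listener's certificate; it does not restart or reseal Vault, which is the property the issue is after. Vault logs the outcome of the SIGHUP reload, so the sidecar's log line alone is not proof the new certificate is being served; checking the leaf presented by `openssl s_client` against `tls.crt` after a reload is the practical confirmation.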
We are using Let's Encrypt certificates on the hosts being used for Vault and Consul. LE certificates, by design, need to be renewed at least every 90 days. Our renewal process is automated and we can extend that automation process to restart Consul when a new certificate is obtained, although that is undesirable and we look forward to a solution to hashicorp/consul#2584 being made available.
However, restarting Vault requires it to then be unsealed, which is unsafe to automate. What we need is the ability for Vault to "reload", thereby fetching the latest certificate without needing to be unsealed.