[1.16.2, 1.15.6, 1.14.10] Vault CA with Vault namespace config will prevent CA initialization #19051

@kisunji

Description

This impacts Consul users using Vault Enterprise's namespace for Vault CA configuration (docs).

Overview of the Issue

Consul versions 1.16.2, 1.15.6, and 1.14.10 suffer a regression introduced by #18773 where empty RootPKINamespace or IntermediatePKINamespace do not fall back to the global Namespace.

This means you may see error logs such as:

Failed to initialize Connect CA: routine="CA initialization"
  error=
  | error configuring provider: unexpected error while fetching intermediate CA: Error making API request.
  | 
  | URL: GET https://your-vault-instance:8200/v1/consul_pki_intermediate/ca/pem
  | Code: 403. Errors:
  | 
  | * 1 error occurred:
  | \t* permission denied
  |

Workaround

The above issue can be mitigated by setting all 3 namespace fields to the same value:

connect {
  enabled = true
  ca_provider = "vault"
  ca_config {
    ...
    namespace = "consul"
    root_pki_namespace = "consul"
    intermediate_pki_namespace = "consul"
  }
}
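The fallback the regression broke, and the workaround above, as an added Go example that is not Consul's own code: `VaultCAConfig` and its field names are assumed here, `EffectiveNamespaces` models both the intended fallback and the regressed behaviour, and `AffectedByRegression` is a check an operator could run against their own config before upgrading to one of the affected releases.

```go
package main

import "fmt"

// Consul releases the issue names as carrying the regression.
var affectedVersions = map[string]bool{"1.16.2": true, "1.15.6": true, "1.14.10": true}

// VaultCAConfig holds the three namespace fields of connect.ca_config (field names assumed).
type VaultCAConfig struct {
	Namespace                string
	RootPKINamespace         string
	IntermediatePKINamespace string
}

// EffectiveNamespaces resolves the namespace each PKI mount is addressed in.
// fallback=true is the intended behaviour (empty fields inherit Namespace);
// fallback=false models the regression, where empty fields stay empty.
func EffectiveNamespaces(c VaultCAConfig, fallback bool) (root, intermediate string) {
	root, intermediate = c.RootPKINamespace, c.IntermediatePKINamespace
	if fallback && root == "" {
		root = c.Namespace
	}
	if fallback && intermediate == "" {
		intermediate = c.Namespace
	}
	return root, intermediate
}

// AffectedByRegression reports whether this config on this Consul version would
// address a PKI mount with an empty namespace and so fail CA initialization.
func AffectedByRegression(version string, c VaultCAConfig) bool {
	if !affectedVersions[version] || c.Namespace == "" {
		return false
	}
	root, intermediate := EffectiveNamespaces(c, false)
	return root == "" || intermediate == ""
}

// ApplyWorkaround returns a copy with all three fields set to Namespace, the mitigation from the issue.
func ApplyWorkaround(c VaultCAConfig) VaultCAConfig {
	c.RootPKINamespace, c.IntermediatePKINamespace = c.Namespace, c.Namespace
	return c
}

func main() {
	cfg := VaultCAConfig{Namespace: "consul"} // constructed sample: only the global namespace set
	fmt.Println(AffectedByRegression("1.16.2", cfg))                  // true
	fmt.Println(AffectedByRegression("1.16.2", ApplyWorkaround(cfg))) // false
}
```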

Labels: theme/certificates (Related to creating, distributing, and rotating certificates in Consul), theme/consul-vault (Relating to Consul & Vault interactions), type/bug (Feature does not function as expected)