Having an issue with mount-tune to increase max ttl


Douglas McAdams

Sep 29, 2016, 3:13:16 PM
to Vault
So I'm having an issue when I do a mount tune to increase the max-ttl of my tokens:

vault mount-tune -default-lease-ttl=720h -max-lease-ttl=1440h /auth/token


This would essentially be a default of 30 days and a default max ttl of 60 days, but when I try to renew my tokens (either by renew-self or renewing with a root token) the ttl never goes up. It just keeps counting down from the initial 30 days, like the mount-tune didn't do anything.

In addition, when I try to specify a max-lease-ttl on the token itself that is over 30 days, it yells at me and tells me it's over the system default max ttl.

I'm using consul as a backend, is there something set in consul that is preventing this? I wouldn't think so, as I'm tuning the auth/token mount which is specific to vault. It works exactly like it should in my lab/vm setup.

See my vault config below:



backend "consul" {
        address = "x.x.x.x:8500"
        path = "vault"
        scheme = "http"
        service = "vault"
}

listener "tcp" {
        address = "0.0.0.0:8200"
        tls_disable = 1
}

disable_mlock = true

Jeff Mitchell

Sep 29, 2016, 3:26:02 PM
to vault...@googlegroups.com

Hi Douglas,

What does the server log show when you run that command? Does it say that tuning was successful? Just in case, does it work if you remove the leading slash from the path?

What version of Vault?

Thanks,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/3a8df566-2f45-4cc1-bee1-4d8a53b3d0da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Douglas McAdams

Sep 29, 2016, 3:49:13 PM
to Vault
Without the leading slash it works like a charm!
 
FYI Version 0.6.0

Any idea why the command with the leading slash would work on one system and not another identical system? 

Douglas McAdams

Sep 29, 2016, 3:55:12 PM
to Vault
Also, yes it said the mount was successful with the leading slash. That was what was confusing.


Jeff Mitchell

Sep 29, 2016, 4:52:45 PM
to vault...@googlegroups.com
That's a bug then -- any chance I can get you to file an issue about it?

Thanks!


On Thu, Sep 29, 2016 at 12:55 PM, Douglas McAdams <spu...@gmail.com> wrote:
> Also, yes it said the mount was successful with the leading slash. That was
> what was confusing.
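The failure in this thread was a mount-tune that reported success while the TTLs stayed unchanged, so a read-back check is worth scripting. The following is an added example, not code from the thread or from the Vault project: it normalizes the mount path and compares the requested TTLs with the stored values. The sample JSON is constructed, and the read-back command shown in the comment is an assumption to verify against your Vault version.

```shell
#!/bin/sh
# Added example, not from the thread: confirm a mount-tune was really stored
# by comparing requested TTLs with the values read back from the tune endpoint.

# "/auth/token" and "auth/token/" both become "auth/token".
normalize_mount() {
    printf '%s\n' "$1" | sed -e 's#^/*##' -e 's#/*$##'
}

# Convert 720h / 30m / 45s / bare seconds to integer seconds.
ttl_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Pull one integer field out of the tune JSON ($1 = JSON, $2 = field name).
tune_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# verify_tune JSON DEFAULT_TTL MAX_TTL: status 0 only if both stored values match.
verify_tune() {
    [ "$(tune_field "$1" default_lease_ttl)" = "$(ttl_seconds "$2")" ] &&
        [ "$(tune_field "$1" max_lease_ttl)" = "$(ttl_seconds "$3")" ]
}

# Constructed sample responses (seconds). Against a live server the JSON would
# come from something like (assumed, check against your Vault version):
#   vault read -format=json "sys/mounts/$(normalize_mount /auth/token)/tune"
SAMPLE_TUNED='{"data":{"default_lease_ttl":2592000,"max_lease_ttl":5184000}}'
SAMPLE_UNTUNED='{"data":{"default_lease_ttl":2764800,"max_lease_ttl":2764800}}'

for sample in "$SAMPLE_TUNED" "$SAMPLE_UNTUNED"; do
    if verify_tune "$sample" 720h 1440h; then
        echo "tune applied: $sample"
    else
        echo "tune NOT applied despite success message: $sample"
    fi
done
```

Running the check right after every tune catches a silently ignored change before tokens start expiring earlier than intended.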