Error when trying to issue certificate with TTL


Rodrigo Oliveira
Aug 27, 2018, 6:26:47 AM
to Vault
Hi,

I'm trying to issue certificates with Vault and I tried using the documentation present in the website and it works with the root token.

The only problem is that when I try to specify TTL to the certificates and use another token (non-root-token)

vault write pki/issue/rodrigo common_name=rodrigo ttl=720h

I get this:
Error writing data to pki/issue/rodrigo: Error making API request.

Code: 403. Errors:

* permission denied


If I issue the certificate without ttl, it also works, but then the certificate is already expired.

If I run
openssl x509 -enddate -noout -in rodrigo-bundle.pem

I get 
notAfter=Aug 27 10:57:30 2018 GMT

Which is exactly the same date/time as when I ran the command.

Does anyone have any idea what I'm doing wrong?

Best,

Rodrigo

Carlos Vitor Barros
Aug 27, 2018, 7:56:32 AM
to vault...@googlegroups.com
Rodrigo,

Does your non-root token have the proper ACL permissions to write to that path?

Could you provide the policy that is applied to that token by running (when authenticated with that token):

vault token capabilities

Regards,


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/6575a6f3-7fad-4849-acc8-3c857e942862%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rodrigo Oliveira
Aug 27, 2018, 8:18:52 AM
to vault...@googlegroups.com
Hi Carlos,

vault token capabilities [TOKEN] pki/issue/rodrigo
update

vault token capabilities [TOKEN] pki/roles/rodrigo
update

This is what I get. The weird part is that it only fails for these tokens when I set the TTL. Do I need to add any specific param to this policy?

Best,

Rodrigo
--
Rodrigo Oliveira
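A caveat worth keeping in mind when reading the `vault token capabilities` output above: it reports only the capability set (here `update`) for the path, not any parameter constraints the policy may carry. Vault policies can also restrict which request parameters a path rule accepts (`allowed_parameters`, `denied_parameters`, `required_parameters`), and a request that violates those constraints is refused with the same 403 "permission denied" even though the capability check passes. The following added example is mine, not Vault's code and not code from anyone in this thread: it is a simplified model of Vault's documented policy evaluation, run over two constructed policies for the `pki/issue/rodrigo` path, so the reader can see how one token can be allowed without `ttl` and denied with it. Path matching is approximated (exact, trailing `*` glob, `+` for one segment), and the policy documents are constructed for illustration.

```python
"""Simplified model of a Vault ACL decision for a write to a PKI issue path.

Added example, not Vault's implementation. It applies the documented rules:
the most specific matching path rule must grant the capability, required
parameters must be present, and any parameter listed in denied_parameters
or absent from a non-empty allowed_parameters map causes a denial.
"""
from dataclasses import dataclass, field


@dataclass
class PathRule:
    path: str
    capabilities: list
    # {param_name: [accepted values]}; an empty value list means "any value".
    allowed_parameters: dict = field(default_factory=dict)
    denied_parameters: dict = field(default_factory=dict)
    required_parameters: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def path_matches(rule_path, request_path):
    """Approximation of Vault path matching: exact, trailing '*' glob, '+' = one segment."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    rule_segs = rule_path.split("/")
    req_segs = request_path.split("/")
    if len(rule_segs) != len(req_segs):
        return False
    return all(r == "+" or r == q for r, q in zip(rule_segs, req_segs))


def evaluate(policy, capability, request_path, params):
    """Return a Decision for a request carrying `params` against `policy` (a list of PathRule)."""
    matches = [r for r in policy if path_matches(r.path, request_path)]
    if not matches:
        return Decision(False, "permission denied: no rule matches %s" % request_path)
    rule = max(matches, key=lambda r: len(r.path))  # most specific rule wins
    if "deny" in rule.capabilities or capability not in rule.capabilities:
        return Decision(False, "permission denied: %s lacks %s" % (rule.path, capability))
    for name in rule.required_parameters:
        if name not in params:
            return Decision(False, "permission denied: missing required parameter %s" % name)
    for name, value in params.items():
        if name in rule.denied_parameters:
            denied_vals = rule.denied_parameters[name]
            if not denied_vals or value in denied_vals:
                return Decision(False, "permission denied: parameter %s is denied" % name)
        # A non-empty allowed_parameters map (without a "*" key) is an allow-list.
        if rule.allowed_parameters and "*" not in rule.allowed_parameters:
            if name not in rule.allowed_parameters:
                return Decision(False, "permission denied: parameter %s not allowed" % name)
            allowed_vals = rule.allowed_parameters[name]
            if allowed_vals and value not in allowed_vals:
                return Decision(False, "permission denied: value of %s not allowed" % name)
    return Decision(True, "allowed")


# Constructed policy documents (HCL rendered as Python objects for this example).
PLAIN_POLICY = [PathRule("pki/issue/rodrigo", ["update"])]
RESTRICTED_POLICY = [
    PathRule("pki/issue/rodrigo", ["update"], allowed_parameters={"common_name": []})
]

ISSUE_PATH = "pki/issue/rodrigo"
WITHOUT_TTL = {"common_name": "rodrigo"}
WITH_TTL = {"common_name": "rodrigo", "ttl": "720h"}


def main():
    for label, policy in (("plain", PLAIN_POLICY), ("restricted", RESTRICTED_POLICY)):
        for params in (WITHOUT_TTL, WITH_TTL):
            d = evaluate(policy, "update", ISSUE_PATH, params)
            print("%-10s %-40s -> %s" % (label, sorted(params), d.reason))


if __name__ == "__main__":
    main()
```

With the plain policy both requests are allowed; with the restricted policy only the request without `ttl` passes, which is the kind of split a capabilities listing alone will not reveal. Comparing the policy text itself (`vault policy read <name>`) against the parameters the CLI sends is therefore the check to make when the capability looks right but the request is still refused.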