Description
Describe the bug
I have deployed the Spring Cloud Config Server application in PCF with HashiCorp Vault as the backend. I'm using PCF cert auth and it breaks after 1 day; it seems mainly due to PCF instance certificates being valid only for a day, since the PCF Diego certificate manager rotates instance certificates every day. Somehow the config server is not reading the updated certificates and is still using the old certificates from the environment variables $CF_INSTANCE_KEY and $CF_INSTANCE_CERT.
Error message:
error:org.springframework.vault.authentication.VaultLoginException: Cannot login using PCF: x509: certificate has expired or is not yet valid; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"errors":["x509: certificate has expired or is not yet valid"]} ]
Sample
Config Server App application.yaml
kv-version: 2
backend: kv_qas
order: 1
authentication: PCF
pcf:
  role: aicshd-cit-qas-vault-config-server
  pcf-path: cf_sr1_aiccoreqasorg_aicshd-cit-qas
Vault Registration:
vault auth enable -path=cf_vdc02 cf
# Write Vault Config
vault write auth/cf_vdc02/config [email protected] cf_api_addr=https://api.sausvdc02.com cf_username="<user_name>" cf_password="<password>" [email protected]
# Bind the PCF Org and Space ID's
vault write auth/cf_vdc02/roles/<Name of the Config Server> bound_organization_ids=@vdc02_org_guid.txt bound_space_ids=@vdc02_space_guid.txt policies=<use-readonly-policy> disable_ip_matching=true ttl=86400s max_ttl=86400s period=86400s
I tried specifying the instance key and cert manually in application.yaml, but it's still reading the variables and failing to start.
instance-key: '/etc/cf-instance-credentials/instance.key'
instance-certificate: '/etc/cf-instance-credentials/instance.crt'
@mp911de / @spencergibb - did you hear about this issue?