How to issue a Vault certificate with a longer validity than its signing CA?

Date: 2019-08-07 12:14:56

Tags: hashicorp-vault

I'm currently getting the following error when trying to issue a certificate from the Vault PKI backend:

cannot satisfy request, as TTL would result in notAfter 2029-08-04T12:05:04.236196294Z that is beyond the expiration of the CA certificate at 2029-08-04T11:56:22Z

I noticed in the code that you can apparently disable this check in the PKI role via the AllowExpirationPastCA field (https://github.com/hashicorp/vault/blob/master/builtin/logical/pki/cert_util.go#L899):

        if caSign != nil &&
            notAfter.After(caSign.Certificate.NotAfter) && !data.role.AllowExpirationPastCA {

            return nil, errutil.UserError{Err: fmt.Sprintf(
                "cannot satisfy request, as TTL would result in notAfter %s that is beyond the expiration of the CA certificate at %s", notAfter.Format(time.RFC3339Nano), caSign.Certificate.NotAfter.Format(time.RFC3339Nano))}
        }

But the PKI HTTP API for creating/updating a role doesn't seem to support this field: https://www.vaultproject.io/api/secret/pki/index.html#create-update-role

How can I issue a certificate that lasts longer than its signing CA? My use case is that I want to issue certificates for as long as possible, and that doesn't seem straightforward without first reading the CA's expiration date.

vault --version: Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')

Edit: there is an issue for this at https://github.com/hashicorp/vault/issues/5834

0 answers
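An added example (not from the question and not Vault's own code) showing, in Go, the check quoted above and the client-side workaround the question alludes to: read the signing CA's notAfter and derive the longest TTL the backend will still accept, instead of asking for a fixed TTL and hoping it fits. The names leafNotAfter, maxTTL, newTestCA and ErrPastCA are constructed for this example, the CA is self-signed in memory so the program runs offline, and the 87600h (3650 days) TTL is only a stand-in consistent with the notAfter in the error message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPastCA stands in for the UserError Vault returns when the requested TTL
// would run past the signing CA's notAfter.
var ErrPastCA = errors.New("cannot satisfy request, as TTL would result in notAfter beyond the expiration of the CA certificate")

// leafNotAfter mirrors the condition quoted from cert_util.go: it returns the
// notAfter a leaf would get for the requested TTL, or ErrPastCA when that is
// later than the CA's notAfter and allowPastCA (AllowExpirationPastCA) is false.
func leafNotAfter(now time.Time, ttl time.Duration, ca *x509.Certificate, allowPastCA bool) (time.Time, error) {
	notAfter := now.Add(ttl)
	if ca != nil && notAfter.After(ca.NotAfter) && !allowPastCA {
		return time.Time{}, fmt.Errorf("%w: requested %s, CA expires %s",
			ErrPastCA, notAfter.Format(time.RFC3339), ca.NotAfter.Format(time.RFC3339))
	}
	return notAfter, nil
}

// maxTTL is the workaround a caller can apply before calling pki/issue: derive
// the longest TTL from the CA's notAfter. skew leaves a margin for clock
// differences between client and server; without it, a TTL computed to the
// exact second can still be rejected once the server's clock has moved on.
func maxTTL(now time.Time, ca *x509.Certificate, skew time.Duration) (time.Duration, error) {
	remaining := ca.NotAfter.Sub(now) - skew
	if remaining <= 0 {
		return 0, fmt.Errorf("CA expired or expires within skew (notAfter %s)", ca.NotAfter.Format(time.RFC3339))
	}
	return remaining, nil
}

// newTestCA builds a self-signed CA certificate in memory, valid for validFor
// from now, so the example runs offline. Constructed test data, not a real CA.
func newTestCA(now time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parsing back gives the second-precision NotAfter a client would see.
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	ca, err := newTestCA(now, 87600*time.Hour) // 3650 days, as in the question
	if err != nil {
		panic(err)
	}
	// Asking for more than the CA has left reproduces the rejection.
	if _, err := leafNotAfter(now, 87600*time.Hour+time.Minute, ca, false); err != nil {
		fmt.Println("rejected:", err)
	}
	// Clamping the TTL to what the CA has left is accepted.
	ttl, _ := maxTTL(now, ca, 5*time.Minute)
	na, _ := leafNotAfter(now, ttl, ca, false)
	fmt.Printf("issue with ttl=%s -> notAfter %s (CA notAfter %s)\n",
		ttl, na.Format(time.RFC3339), ca.NotAfter.Format(time.RFC3339))
}
```

Against a real mount the CA PEM comes from `vault read -field=certificate pki/cert/ca`; decode it with `pem.Decode` and `x509.ParseCertificate`, feed the result to maxTTL, and pass the returned duration as the `ttl` parameter of `pki/issue/<role>`. Note that the role's `max_ttl` still caps the result, and that this computes a TTL up to the CA's expiry; nothing here makes a leaf valid past it.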