Hi Andy,

Have you tried to replace your expired certificates [1]? This way you should solve your issue.

/Jan Wasilewski

[1] https://support.hashicorp.com/hc/en-us/articles/4417759906835-Replacing-the-TLS-certificate-and-key-on-a-running-Vault-cluster-without-requiring-a-restart-unseal 

Mon, 16 Dec 2024 at 20:57 Andy Speagle <aspeagle@toyon.com> wrote:
On Mon, 2024-12-16 at 09:49 +0100, Jan Wasilewski wrote:
> Hi Andy,
>
> Can’t you unseal your vault using the official procedure from the
> Vault page [1]?
> The full concept is described here [2].
>
> /Jan Wasilewski
>
> [1] https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-deploy#seal-unseal
> [2] https://developer.hashicorp.com/vault/docs/concepts/seal

Actually, no... this is part of my charmed openstack environment. I
stupidly let the certs expire... and now I get this:


Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

* failed to check seal configuration: x509: certificate has expired or is not yet valid: current time 2024-12-16T19:51:48Z is after 2024-12-04T20:22:24Z

I'm really not sure what cert it's complaining about... locally, the
vault cli client doesn't connect via TLS... so, it must be talking about
a cert for the mysql backend that vault's using... but, I can't seem to
figure out how to get vault to ignore ANY and ALL certs to move forward
on this.

>
> Fri, 13 Dec 2024 at 23:51 Andy Speagle <aspeagle@toyon.com> wrote:
> > Well... the plot thickens here... my vault is fully sealed now and
> > with
> > the certs expired, I can seem to find a way to unseal it in order
> > to
> > get the certs replaced.
> >
> > Is there anything to be done here?
> >
> >

--
Andy Speagle
Sr. Site Reliability Engineer
Toyon Research Corporation
316.617.2431