
I've installed HashiCorp Vault and set up the TLS configuration. My goal now is to have vault.service do an automatic reload if the TLS certificates were renewed.

The official documentation states:

tls_key_file (string: "", reloads-on-SIGHUP) – Specifies the path to the private key for the certificate. It requires a PEM-encoded file. If the key file is encrypted, you will be prompted to enter the passphrase on server startup. The passphrase must stay the same between key files when reloading your configuration using SIGHUP. On SIGHUP, the path set here at Vault startup will be used for reloading the certificate; modifying this value while Vault is running will have no effect for SIGHUPs.

Does this mean that the service reloads itself when changes are made to tls_key_file? Or should I add additional logic?

vault.service

[Unit]
After=network.service hostname.service consul-init.service consul.service
Description="Hashicorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
StartLimitInterval=200
StartLimitBurst=5

[Service]
User=vault
Group=vault
PermissionsStartOnly=true
ExecStart=/usr/bin/vault server -config="{{vault_server_config_file}}"
# "systemctl reload vault.service" sends SIGHUP to the main process, which makes Vault re-read its TLS cert and key
ExecReload=/usr/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
LimitNOFILE=65536
LimitMEMLOCK=infinity
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
Kingindanord

1 Answer


Vault is telling you the tls_key_file file name cannot be changed after start, and the certificate contents can be reloaded if you send it a SIGHUP.

Your systemd unit sends a SIGHUP if the unit is reloaded, a common pattern for services where that is a reload signal.

Additional logic is needed, as Vault is not monitoring the file for changes. I suggest reloading vault.service in your certificate renewal script, after the cert has been installed.

John Mahowald
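The renewal-script logic the answer suggests, as an added example that is not part of the original question or answer: a deploy hook that checks the renewed cert and key belong together, installs nothing itself (the renewal tool has already written the files at the paths Vault was started with), and reloads vault.service only when the certificate on disk actually changed since the last reload. The file paths, the state file, the hook file name and the RELOAD_CMD variable are assumptions.

```shell
#!/bin/sh
# Added example: reload Vault after certificate renewal, only when the cert changed.
# VAULT_CERT/VAULT_KEY must be the same paths as tls_cert_file/tls_key_file in the
# Vault config, because SIGHUP re-reads the paths Vault started with (assumed paths).
set -eu

VAULT_CERT="${VAULT_CERT:-/etc/vault.d/tls/vault.crt}"
VAULT_KEY="${VAULT_KEY:-/etc/vault.d/tls/vault.key}"
STATE_FILE="${STATE_FILE:-/var/lib/vault/last-reloaded.digest}"   # assumed location
RELOAD_CMD="${RELOAD_CMD:-systemctl reload vault.service}"          # runs the unit's ExecReload

# Digest of a file: sha256sum where available, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2
    fi
}

# A cert and key belong together when they carry the same public key.
# Guards against reloading Vault into a state where the TLS listener cannot start.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Compare the cert digest with the one recorded at the last reload; run the reload
# command and record the new digest only on change. Prints "reloaded" or "unchanged".
reload_if_changed() {
    cert="$1"; state="$2"; cmd="$3"
    current="$(file_digest "$cert")"
    if [ -f "$state" ] && [ "$(cat "$state")" = "$current" ]; then
        echo unchanged
        return 0
    fi
    sh -c "$cmd"
    printf '%s\n' "$current" > "$state"
    echo reloaded
}

main() {
    cert_matches_key "$VAULT_CERT" "$VAULT_KEY" \
        || { echo "cert and key do not match, not reloading vault.service" >&2; exit 1; }
    reload_if_changed "$VAULT_CERT" "$STATE_FILE" "$RELOAD_CMD"
}

# Only run when invoked as the hook itself (e.g. from certbot's --deploy-hook);
# sourcing the file just defines the functions.
case "${0##*/}" in vault-reload-hook.sh) main ;; esac
```

Because the digest is recorded only after a successful reload command, a failed reload is retried on the next run rather than silently skipped.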