Commit
1 parent
f12c092
commit 87c724f
Showing
3 changed files
with
23 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
## Integrated Storage panic related to old TLS key | ||
|
||
Raft in Vault uses its own set of TLS certificates, independent of those that the user | ||
controls to protect the API port and those used for replication and clustering. These | ||
certs get rotated daily, but to ensure that nodes which were down or behind on Raft log | ||
replication don't lose the ability to speak with other nodes, the newly generated daily | ||
TLS cert only starts being used once we see that all nodes have received it. | ||
|
||
A recent security audit related change results in this rotation code [getting a | ||
panic](https://github.com/hashicorp/vault/issues/15147) when the current cert is | ||
more than 24h old. This can happen if the cluster as a whole is down for a day | ||
or more. It can also happen if a single node is unreachable 24h, or sufficiently | ||
backlogged in applying raft logs that it's more than a day behind. | ||
|
||
Impacted versions: 1.10.1, 1.9.5, 1.8.10. Versions prior to these are unaffected. | ||
|
||
New releases addressing this panic are coming soon. |
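Review bot: The closing line "New releases addressing this panic are coming soon." will go stale once the fix ships and gives operators on 1.10.1, 1.9.5 or 1.8.10 nothing to act on. Consider replacing it with the fixed version numbers when they are known, and adding a sentence on what to do in the meantime, for example whether to hold off on upgrading to the impacted versions and how a node that has already panicked is expected to recover. Two wording nits in the second paragraph: "unreachable 24h" is missing "for", and "security audit related change" reads more clearly as "security-audit-related change". The paragraph also mixes "Raft" and "raft"; pick one capitalization.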