open-consul

Author	SHA1	Message	Date
R.B. Boyer	91d9544803	connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate (#9428 ) This fixes an issue where leaf certificates issued in primary datacenters using Vault as a Connect CA would be reissued very frequently (every ~20 seconds) because the logic meant to detect root rotation was errantly triggering. The hash of the rootCA was being compared against a hash of the intermediateCA and always failing. This doesn't apply to the Consul built-in CA provider because there is no intermediate in use in the primary DC. This is reminiscent of #6513	2021-02-08 13:18:51 -06:00

Author

SHA1

Message

Date

R.B. Boyer

91d9544803

connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate (#9428 )

This fixes an issue where leaf certificates issued in primary
datacenters using Vault as a Connect CA would be reissued very
frequently (every ~20 seconds) because the logic meant to detect root
rotation was errantly triggering.

The hash of the rootCA was being compared against a hash of the
intermediateCA and always failing. This doesn't apply to the Consul
built-in CA provider because there is no intermediate in use in the
primary DC.

This is reminiscent of #6513

2021-02-08 13:18:51 -06:00

1 Commits