Hello, team!
PROBLEM SUMMARY
My team (which supports HashiCorp Vault at my workplace) is using this monitor plugin for policy configs and to write cert details back to Venafi, with Vault as an Intermediate CA. This previously wrote all certificates back to Venafi, but we noticed after a recent Venafi upgrade that it stopped working. I no longer see any certificates written back to Venafi, although Vault can still issue them.
STEPS TO REPRODUCE
The same happens for net new or existing certificates.
EXPECTED RESULTS
Updated certificate SN or new certificate is reflected in Venafi
ACTUAL RESULTS
No certificate is written back to Venafi
ENVIRONMENT DETAILS
Venafi Monitor Plugin: v0.8.0 (strict)
Venafi: 23.1.2
HashiCorp Vault: 1.13.4 (also happened in 1.10.9)
Refresh/Access token creation:
Client ID: hashicorp-vault-monitor-by-venafi
Scope: certificate:manage,discover
$ vault read sys/mounts/pki/config
Key Value
accessor vault-pki-monitor-venafi_strict_073be95e
config map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0]
description n/a
external_entropy_access false
local false
options map[]
plugin_version n/a
running_plugin_version n/a
running_sha256 592a340ba56ce3b804bbc2398ba158aaf96465a8619405a3f193048a81ddddd0
seal_wrap false
type vault-pki-monitor-venafi_strict
uuid 3c58f568-7ee1-2bb4-a8dd-cbf5b285b3a5
$ vault read sys/mounts/pki/tune
Key Value
default_lease_ttl 768h
description n/a
force_no_cache false
max_lease_ttl 87600h
$ vault read pki/roles/vault.app0001613
Key Value
allow_any_name true
allow_bare_domains true
allow_glob_domains false
allow_ip_sans true
allow_localhost true
allow_subdomains true
allow_token_displayname false
allowed_domains []
allowed_other_sans
allowed_serial_numbers []
allowed_uri_sans []
basic_constraints_valid_for_non_ca false
client_flag true
code_signing_flag false
country [US]
email_protection_flag false
enforce_hostnames true
ext_key_usage []
ext_key_usage_oids []
generate_lease true
key_bits 2048
key_type rsa
key_usage [DigitalSignature KeyAgreement KeyEncipherment]
locality [Redacted]
max_ttl 8760h
no_store false
not_before_duration 30s
organization [Redacted]
ou [Redacted]
policy_identifiers []
postal_code []
province [Redacted]
require_cn true
server_flag true
street_address []
ttl 2160h
use_csr_common_name true
use_csr_sans true
$ vault read pki/venafi-policy/vault.app0001613
Key Value
access_token ********
apikey n/a
auto_refresh_interval 900
create_role false
defaults_roles [vault.app0001613]
enforcement_roles [vault.app0001613]
import_roles [vault.app0001613]
import_timeout 15
import_workers 1
last_policy_update_time 1691886884
refresh_token ********
tpp_password n/a
tpp_user n/a
trust_bundle_file /etc/pki/tls/certs/vault/cert_root_intermediate.pem
url https://venafi-test.example.com/vedsdk
zone Vault\Internal\NPE\vault.app0001613
COMMENTS/WORKAROUNDS
We are also using the Vault pki backend plugin for pass-through requests, and that has no issues that I can see. I regenerated the access/refresh tokens with no change. More than happy to jump on a call or provide more details/audit logs.