Multiple Vault CAs have expired CRLs

[nmattingly]

PROBLEM SUMMARY On 8/20, we noticed that a few of the Vault CAs that are used with plugin have expired CRLs. Some of the CAs have since updated their CRL, but have also expired again.

We have opened a ticket with HashiCorp support, they have recommended that we engage Venafi.

1. Why are CRLs expiring without renewal?
2. How can the CRLs be manually renewed?

STEPS TO REPRODUCE We have not been able to intentionally reproduce the issue. When checking the logging within Venafi for Vault intermediates, I can see where this issue has happened sporadically.

EXPECTED RESULTS

ACTUAL RESULTS N/A

ENVIRONMENT DETAILS vault-pki-monitor-venafi_strict_0.8.0_857 Venafi Trust Protection Platform version 20.2.0.5474

COMMENTS/WORKAROUNDS N/A

[Tony-venafi]

Response from Ryan T:

You can see from this [comment|https://github.com/hashicorp/vault/issues/3827#issuecomment-359497922] that HashiCorp typically advises customers to set up a cron job to update their CRL on a regular basis. It would be an enhancement to the driver to update the CRL... it likely would be done as part of the Validation process and would be based on checking the validity of the current CRL.

[Comment on #3827 CRL Next Update Time Not Being Updated|https://github.com/hashicorp/vault/issues/3827#issuecomment-359497922] See [https://www.vaultproject.io/api/secret/pki/index.html#rotate-crls] -- this endpoint is here specifically for this purpose. You can rotate on any interval you like via e.g. a cron job. A token for this job can be limited in scope specifically to this endpoint.

[tr1ck3r]

@nmattingly updating the CRL for a Vault CA is not something this solution was previously designed for therefore this would be an enhancement not a bug. Are you able to update the CRL using the CRL rotation API endpoint HashiCorp identified in Vault GitHub issue #3827?