Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
Mozilla Public License 2.0

Monitor plugin not writing back after Venafi upgrade #92

Open dianareider opened 1 year ago

dianareider commented 1 year ago

Hello, team!

PROBLEM SUMMARY
My team (who supports HashiCorp Vault at my workplace) is using this monitor plugin for policy configs and to write cert details back to Venafi, with Vault as an Intermediate CA. This previously wrote all certificates back to Venafi, but we noticed after a recent Venafi upgrade that it stopped working. I no longer see any certificates written back to Venafi, although Vault can still issue them.

STEPS TO REPRODUCE
The same happens for a net-new or an existing certificate:

  1. `vault write pki/issue/myrole common_name="cn.example.com"`
  2. Successfully retrieve the certificate signed by Vault
  3. Check the Venafi zone: no certificate is displayed, OR the certificate is old

EXPECTED RESULTS
The updated certificate serial number, or the new certificate, is reflected in Venafi.

ACTUAL RESULTS
No certificate is written back to Venafi.

ENVIRONMENT DETAILS
- Venafi Monitor Plugin: v0.8.0 (strict)
- Venafi: 23.1.2
- HashiCorp Vault: 1.13.4 (also happened in 1.10.9)

Refresh/Access token creation:
- Client ID: hashicorp-vault-monitor-by-venafi
- Scope: certificate:manage,discover

```
$ vault read sys/mounts/pki/config
Key                        Value
---                        -----
accessor                   vault-pki-monitor-venafi_strict_073be95e
config                     map[default_lease_ttl:0 force_no_cache:false max_lease_ttl:0]
description                n/a
external_entropy_access    false
local                      false
options                    map[]
plugin_version             n/a
running_plugin_version     n/a
running_sha256             592a340ba56ce3b804bbc2398ba158aaf96465a8619405a3f193048a81ddddd0
seal_wrap                  false
type                       vault-pki-monitor-venafi_strict
uuid                       3c58f568-7ee1-2bb4-a8dd-cbf5b285b3a5
```

```
$ vault read sys/mounts/pki/tune
Key                  Value
---                  -----
default_lease_ttl    768h
description          n/a
force_no_cache       false
max_lease_ttl        87600h
```

```
$ vault read pki/roles/vault.app0001613
Key                                  Value
---                                  -----
allow_any_name                       true
allow_bare_domains                   true
allow_glob_domains                   false
allow_ip_sans                        true
allow_localhost                      true
allow_subdomains                     true
allow_token_displayname              false
allowed_domains                      []
allowed_other_sans
allowed_serial_numbers               []
allowed_uri_sans                     []
basic_constraints_valid_for_non_ca   false
client_flag                          true
code_signing_flag                    false
country                              [US]
email_protection_flag                false
enforce_hostnames                    true
ext_key_usage                        []
ext_key_usage_oids                   []
generate_lease                       true
key_bits                             2048
key_type                             rsa
key_usage                            [DigitalSignature KeyAgreement KeyEncipherment]
locality                             [Redacted]
max_ttl                              8760h
no_store                             false
not_before_duration                  30s
organization                         [Redacted]
ou                                   [Redacted]
policy_identifiers                   []
postal_code                          []
province                             [Redacted]
require_cn                           true
server_flag                          true
street_address                       []
ttl                                  2160h
use_csr_common_name                  true
use_csr_sans                         true
```

```
$ vault read pki/venafi-policy/vault.app0001613
Key                        Value
---                        -----
access_token               ****
apikey                     n/a
auto_refresh_interval      900
create_role                false
defaults_roles             [vault.app0001613]
enforcement_roles          [vault.app0001613]
import_roles               [vault.app0001613]
import_timeout             15
import_workers             1
last_policy_update_time    1691886884
refresh_token              ****
tpp_password               n/a
tpp_user                   n/a
trust_bundle_file          /etc/pki/tls/certs/vault/cert_root_intermediate.pem
url                        https://venafi-test.example.com/vedsdk
zone                       Vault\Internal\NPE\vault.app0001613
```

COMMENTS/WORKAROUNDS
We are also using the Vault PKI backend plugin for pass-through requests, and that has no issues that I can see. I regenerated the access/refresh tokens with no change. More than happy to jump on a call or provide more details/audit logs.
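The first things a maintainer would check in a "certs issue fine but never reach Venafi" report are the pieces of the `venafi-policy` entry quoted above: whether the role that issued the certificate is actually listed in `import_roles`, whether there is at least one import worker, whether the policy refresh stamp (`last_policy_update_time`) is still advancing relative to `auto_refresh_interval`, and whether the token scope still allows managing certificates. The script below is an added triage helper written for this page, not code from the vault-pki-monitor-venafi project; it runs over a constructed copy of the quoted output (secrets omitted). The field names come from the report, but how each field is interpreted (that `auto_refresh_interval` is in seconds, that only `import_roles` drive write-back, and the `resource:action,action;resource:...` scope grammar) is an assumption to confirm against the plugin documentation.

```python
"""Added triage helper (not vault-pki-monitor-venafi code): check a
`vault read -format=json pki/venafi-policy/<name>` result against the role
used in `vault write pki/issue/<role>`.  Field semantics are assumptions."""
import time

# Constructed sample mirroring the policy output quoted in the report.
SAMPLE_POLICY = {
    "auto_refresh_interval": 900,          # assumed to be seconds
    "create_role": False,
    "defaults_roles": ["vault.app0001613"],
    "enforcement_roles": ["vault.app0001613"],
    "import_roles": ["vault.app0001613"],
    "import_timeout": 15,
    "import_workers": 1,
    "last_policy_update_time": 1691886884,  # unix epoch seconds
    "url": "https://venafi-test.example.com/vedsdk",
    "zone": "Vault\\Internal\\NPE\\vault.app0001613",
}
SAMPLE_SCOPE = "certificate:manage,discover"  # scope quoted in the report


def parse_scope(scope):
    """Assumed grammar: 'certificate:manage,discover;configuration:read'
    -> {'certificate': {'manage', 'discover'}, 'configuration': {'read'}}."""
    out = {}
    for part in scope.split(";"):
        part = part.strip()
        if not part:
            continue
        resource, _, actions = part.partition(":")
        out[resource.strip()] = {a.strip() for a in actions.split(",") if a.strip()}
    return out


def check_policy(policy, issuing_role, token_scope, now=None):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    now = time.time() if now is None else now

    # 1. Write-back is assumed to apply only to roles listed in import_roles.
    if issuing_role not in policy.get("import_roles", []):
        findings.append(
            f"role {issuing_role!r} is not in import_roles {policy.get('import_roles')}; "
            "certificates issued through it would never be queued for import")

    # 2. The import queue needs at least one worker to drain it.
    if policy.get("import_workers", 0) < 1:
        findings.append("import_workers is 0; nothing drains the import queue")

    # 3. A refresh stamp far older than the interval suggests refresh is failing.
    interval = policy.get("auto_refresh_interval", 0)
    age = now - policy.get("last_policy_update_time", 0)
    if interval and age > 2 * interval:
        findings.append(
            f"policy last refreshed {int(age)}s ago, more than twice "
            f"auto_refresh_interval={interval}s; refresh against {policy.get('url')} may be failing")

    # 4. The token must be allowed to manage (create/import) certificates.
    actions = parse_scope(token_scope).get("certificate", set())
    if "manage" not in actions:
        findings.append(f"token scope {token_scope!r} lacks certificate:manage")

    return findings


if __name__ == "__main__":
    # Healthy case: role matches, checked one minute after the last refresh.
    healthy = check_policy(SAMPLE_POLICY, "vault.app0001613", SAMPLE_SCOPE,
                           now=SAMPLE_POLICY["last_policy_update_time"] + 60)
    print("healthy findings:", healthy)
    # Role name from the reproduction step does not match the configured role.
    for f in check_policy(SAMPLE_POLICY, "myrole", SAMPLE_SCOPE):
        print("FINDING:", f)
```

Run it against live data by replacing `SAMPLE_POLICY` with `json.load(...)["data"]` from `vault read -format=json pki/venafi-policy/<name>` and passing the role name actually used on the `pki/issue/<role>` path; a clean result moves the investigation to the plugin's import queue and the TPP side of the upgrade rather than to Vault configuration.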