
Bug CRL generation with 2 roles #19784

Closed
walkrya opened this issue Mar 28, 2023 · 2 comments

Comments

@walkrya

walkrya commented Mar 28, 2023


Describe the bug
I have an issue with generating the CRL on a PKI. I have revoked several certificates, but the CRL is still empty. I have 2 roles on my PKI and I suspect that the CRL was generated with the first role, but the second role is not generating any CRL.

Environment:

  • Vault Server Version: the last version
@stevendpclark
Contributor

Hi @walkrya,

Can you provide additional information as I can't reproduce the issue you are seeing? Did the revoke call return a revocation time? Also please check that the crl configuration doesn't have the disable flag set to true or possibly the auto_rebuild set to true.

I'm assuming by last version you mean 1.13.0?

❯ vault write -format=json pki/roles/test-role ttl="30m" \
            allowed_domains="example.com" \
            allow_subdomains=true \
            no_store=false

❯ vault write -format=json pki/roles/test-role2 ttl="30m" \
            allowed_domains="example.com" \
            allow_subdomains=true \
            no_store=false

❯ vault write -format=json pki/issue/test-role common_name="test.example.com" > /tmp/issued.json

❯ jq -r .data.serial_number /tmp/issued.json
02:ad:c8:75:95:d7:d5:cc:67:82:17:b0:c4:ea:10:bd:20:a3:ba:ca

❯ vault write pki/revoke serial_number="$(jq -r .data.serial_number /tmp/issued.json)"
Key                        Value
---                        -----
revocation_time            1679964380
revocation_time_rfc3339    2023-03-28T00:46:20.133132Z
state                      revoked

❯ curl $VAULT_ADDR/v1/pki/crl | openssl crl -inform DER -text -noout -in -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   507  100   507    0     0  53918      0 --:--:-- --:--:-- --:--:--  495k


Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.com Intermediate Authority
        Last Update: Mar 28 00:46:20 2023 GMT
        Next Update: Mar 31 00:46:20 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:97:E8:25:02:B1:12:8E:28:88:FE:C4:C4:80:C0:33:FD:AD:2F:50:18

            X509v3 CRL Number:
                5
Revoked Certificates:
    Serial Number: 02ADC87595D7D5CC678217B0C4EA10BD20A3BACA
        Revocation Date: Mar 28 00:46:20 2023 GMT
    Serial Number: 149AC4668FDEE9A21860B9A7DD6852693CC7571F
        Revocation Date: Mar 28 00:36:47 2023 GMT
    Signature Algorithm: sha256WithRSAEncryption
         7f:e7:4d:7d:2d:c9:98:8a:e4:6a:dd:a5:be:0e:2d:a8:e5:97:
         78:60:a5:08:ca:0d:34:21:9e:08:25:ac:71:80:5a:73:dc:d0:
         0c:e8:69:b9:8d:62:35:94:d5:bc:8c:a3:7e:a9:45:6b:4b:35:
         96:f3:c8:c7:0e:59:92:49:03:2d:dc:bd:2c:1c:04:e7:41:1f:
         47:c0:ac:e5:52:47:a6:86:16:93:14:8b:76:f3:4d:37:77:22:
         fa:51:13:71:05:59:b3:a6:89:69:1d:26:51:ee:27:21:20:e8:
         4d:f6:f4:03:7c:e1:e0:d4:f7:36:f8:fa:1a:97:04:36:af:f2:
         1b:3d:60:81:67:b0:0b:e8:0a:fb:9e:29:5f:81:1d:fc:d6:07:
         bf:15:09:73:a6:62:65:b9:cc:3f:fa:53:06:a1:80:e9:c6:8d:
         76:52:bf:30:32:42:8f:c5:bb:a5:27:90:1f:c9:47:1a:6e:a1:
         25:38:7b:13:72:13:83:5f:b0:c6:92:15:76:ec:cd:8e:b8:e5:
         f9:ea:d2:62:dd:a4:da:f6:1e:c6:d5:f3:3d:34:41:d5:a9:1b:
         77:3c:f5:f9:95:ec:be:3e:d5:19:e8:92:d5:d0:9f:c2:19:0f:
         99:9c:df:5d:f4:3a:65:e8:95:e4:14:93:a6:0d:1a:6b:4d:27:
         1c:5d:cf:90

❯ vault write -format=json pki/issue/test-role2 common_name="test.example.com" > /tmp/issued2.json

❯ jq -r .data.serial_number /tmp/issued2.json
32:c4:25:8e:d4:84:e6:b1:4e:ba:07:68:bd:78:a0:87:91:bc:fd:fd

❯ vault write pki/revoke serial_number="$(jq -r .data.serial_number /tmp/issued2.json)"
Key                        Value
---                        -----
revocation_time            1679964786
revocation_time_rfc3339    2023-03-28T00:53:06.334851Z
state                      revoked

❯ curl $VAULT_ADDR/v1/pki/crl | openssl crl -inform DER -text -noout -in -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   547  100   547    0     0  63984      0 --:--:-- --:--:-- --:--:--  534k

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.com Intermediate Authority
        Last Update: Mar 28 00:53:06 2023 GMT
        Next Update: Mar 31 00:53:06 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:97:E8:25:02:B1:12:8E:28:88:FE:C4:C4:80:C0:33:FD:AD:2F:50:18

            X509v3 CRL Number:
                7
Revoked Certificates:
    Serial Number: 02ADC87595D7D5CC678217B0C4EA10BD20A3BACA
        Revocation Date: Mar 28 00:46:20 2023 GMT
    Serial Number: 149AC4668FDEE9A21860B9A7DD6852693CC7571F
        Revocation Date: Mar 28 00:36:47 2023 GMT
    Serial Number: 32C4258ED484E6B14EBA0768BD78A08791BCFDFD
        Revocation Date: Mar 28 00:53:06 2023 GMT
    Signature Algorithm: sha256WithRSAEncryption
         18:87:16:a3:6d:11:a0:ff:98:b4:2f:7b:e8:a2:13:9b:4c:53:
         14:c0:4e:9b:25:c0:7d:8d:48:27:1b:31:f0:2c:c4:73:8a:28:
         60:1b:e0:74:fe:9a:ff:b7:3e:6b:02:8c:3e:c3:26:e3:51:05:
         dd:b8:48:b1:30:74:60:5b:dc:57:a7:f1:bd:69:01:b4:e2:fb:
         50:59:bf:4e:8c:51:17:69:22:54:26:69:92:14:ec:9d:97:7d:
         4a:8d:c0:19:a1:3a:57:7d:74:f4:1d:0b:1c:7e:7c:f4:f6:44:
         a6:7e:63:f0:44:a0:a0:b6:ae:37:00:77:1f:b9:35:27:90:8a:
         02:34:65:82:06:4b:99:95:21:32:a2:07:b0:eb:ff:3f:7a:21:
         77:1a:62:3b:a6:30:8f:ca:97:71:3d:51:38:6e:e8:c1:64:8e:
         36:3d:2d:d2:fb:20:f3:71:1d:94:bb:35:9a:f0:11:29:0f:83:
         f9:4d:03:cb:69:2b:25:cb:8e:d6:9b:55:03:39:51:8e:e1:c6:
         f6:87:2a:36:ea:e0:63:87:48:2e:8d:89:c8:16:72:c0:1f:23:
         49:e5:dd:12:2c:87:5f:74:91:61:94:fa:aa:16:fa:72:b6:72:
         77:47:a6:67:9f:42:c8:3c:3d:ff:fd:c5:c0:59:3f:c6:82:6e:
         0c:c6:2e:d0
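
A check for the reproduction above, added here as an example that is not part of this issue or of Vault's own code: it normalizes Vault's colon-separated serials against the serials printed by `openssl crl -text`, reports which revoked serials are missing from the CRL, and flags the `pki/config/crl` settings (`disable`, `auto_rebuild`) the reply asks about. The sample CRL text and the first two serials are constructed from the values in the thread; the serial `0a:0b:0c:0d` is made up to stand in for a certificate that was never revoked.

```python
import re

# Constructed sample input: serials as returned by `vault write pki/issue/...`.
VAULT_SERIALS = [
    "02:ad:c8:75:95:d7:d5:cc:67:82:17:b0:c4:ea:10:bd:20:a3:ba:ca",
    "32:c4:25:8e:d4:84:e6:b1:4e:ba:07:68:bd:78:a0:87:91:bc:fd:fd",
    "0a:0b:0c:0d",  # made up: never revoked, so it must not appear in the CRL
]

# Constructed sample input: trimmed `openssl crl -text -noout` output.
OPENSSL_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        CRL extensions:
            X509v3 CRL Number:
                7
Revoked Certificates:
    Serial Number: 02ADC87595D7D5CC678217B0C4EA10BD20A3BACA
        Revocation Date: Mar 28 00:46:20 2023 GMT
    Serial Number: 32C4258ED484E6B14EBA0768BD78A08791BCFDFD
        Revocation Date: Mar 28 00:53:06 2023 GMT
"""


def normalize_serial(serial):
    """Vault prints serials as colon-separated lowercase hex, openssl as one
    uppercase hex string; comparing as integers ignores case and leading zeros."""
    return int(serial.replace(":", ""), 16)


def revoked_serials(crl_text):
    """Set of serial integers listed under 'Revoked Certificates:'."""
    found = re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)
    return {normalize_serial(s) for s in found}


def crl_number(crl_text):
    """CRL Number extension value; it must increase after each rebuild."""
    m = re.search(r"CRL Number:\s*(\d+)", crl_text)
    return int(m.group(1)) if m else None


def missing_from_crl(vault_serials, crl_text):
    """Serials revoked in Vault that the fetched CRL does not list."""
    present = revoked_serials(crl_text)
    return [s for s in vault_serials if normalize_serial(s) not in present]


def crl_config_warnings(config):
    """Flag pki/config/crl settings that explain an empty or stale CRL."""
    warnings = []
    if config.get("disable"):
        warnings.append("disable=true: CRL generation is switched off")
    if config.get("auto_rebuild"):
        warnings.append("auto_rebuild=true: revocations show up on the next scheduled rebuild")
    return warnings
```

Run it against the real data by piping `vault read -format=json pki/config/crl` into `crl_config_warnings` and `curl $VAULT_ADDR/v1/pki/crl | openssl crl -inform DER -text -noout` into `missing_from_crl`.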

@cipherboy
Contributor

Closing due to lack of response. If this line appears in the logs:

possible error, but cannot return in raw response. Note that an empty CA probably means none was configured, and an empty CRL is possibly correct: error="unable to find CRL for issuer: ..."

then it is likely a dupe of #20137.
