Load existing CRLs on startup and after invalidate (#17138)

* Load existing CRLs on startup and after invalidate * changelog
2025-10-29 01:32:33 +00:00 · 2022-09-14 14:30:44 -06:00
parent 20eddffb60
commit f4fa806489
3 changed files with 12 additions and 0 deletions
--- a/builtin/credential/cert/backend.go
+++ b/builtin/credential/cert/backend.go
@@ -14,6 +14,9 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 	if err := b.Setup(ctx, conf); err != nil {
 		return nil, err
 	}
+	if err := b.populateCRLs(ctx, conf.StorageView); err != nil {
+		return nil, err
+	}
 	return b, nil
 }

--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -82,6 +82,12 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}

+	if b.crls == nil {
+		if err := b.populateCRLs(ctx, req.Storage); err != nil {
+			return nil, err
+		}
+	}
+
 	var matched *ParsedCert
 	if verifyResp, resp, err := b.verifyCredentials(ctx, req, data); err != nil {
 		return nil, err
--- a/changelog/17138.txt
+++ b/changelog/17138.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit.
+```