PKI Multi Issuer Functionality - Vault 1.11 and beyond - failed to persist issuer/chain to disk

Avatar
Mallika Dasanoor
  • Updated

Vault introduced Multi-Issuer Functionality in version 1.11.0, allowing a single PKI mount to manage multiple Certificate Authority (CA) certificates (issuers). This feature facilitates CA rotation, cross-signing, and seamless transitions between issuers.

 

When upgrading Vault from versions prior to 1.11.0 to 1.11.0 or later, errors may occur due to leadership migration or storage issues, such as:

error="failed to persist issuer ([id:xxxxx/name:current-xxxxxx]) chain to disk: node is not the leader"
If this error occurs, a manual rebuild of the chain can be performed using the following commands:
curl -X PATCH -H "Content-Type: application/merge-patch+json" \
-H "X-Vault-Request: true" \
-H "X-Vault-Token: $(vault print token)" \
-d '{"manual_chain":"self"}' \
https://<vault-address>/v1/pki/issuer/default

curl -X PATCH -H "Content-Type: application/merge-patch+json" \
-H "X-Vault-Request: true" \
-H "X-Vault-Token: $(vault print token)" \
-d '{"manual_chain":""}' \
https://<vault-address>/v1/pki/issuer/default
These commands temporarily set the manual_chain to a self-chain only and then revert it to automatic chain building. This refreshes the ca_chain field on the issuer.
   

Applicability

This fix is applicable only if more than one issuer exists within the PKI mount (e.g., an intermediate CA with a root CA). If there is only one issuer, this step is not required.

Verification

Run the following command to verify the chain refresh:

vault read pki/issuer/default

The output should reflect the refreshed ca_chain field.

 

References:  

Multi Issuer Functionality

Articles in this section

See more

Related articles