Vault 1.11.0 introduced multi-issuer functionality, which allows a single PKI mount to hold multiple Certificate Authority certificates (issuers) in order to facilitate rotation.
When Vault is upgraded from any version prior to 1.11.0 to 1.11.0 or later, events such as a leadership migration or problems in the storage layer can produce errors similar to the following:
error="failed to persist issuer ([id:xxxxx/name:current-xxxxxx]) chain to disk: node is not the leader"
In that case the chain can be rebuilt by manually running the commands below.
curl -X PATCH -H "Content-Type: application/merge-patch+json" -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"manual_chain":"self"}' https://.../issuer/default
curl -X PATCH -H "Content-Type: application/merge-patch+json" -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"manual_chain":""}' https://.../issuer/default
Keep in mind that this manual fix applies only if more than one issuer exists within the mount (for example, an intermediate together with its root).
This temporarily sets the manual chain on the default issuer to a self-chain only, then reverts it to automatic chain building. This triggers a refresh of the ca_chain
field on the issuer, which can be verified with:
vault read pki/issuer/default
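The procedure above, wrapped as a script (an added example, not part of this article) that performs the two merge-patch calls and then checks that ca_chain on the default issuer now holds more than one certificate, which is what an intermediate chained to its root should show. It assumes VAULT_ADDR is set, `vault print token` returns a valid token, and the PKI mount is named "pki" (override with PKI_MOUNT).

```shell
# Added example (not from the article). Assumes VAULT_ADDR, a valid token from
# `vault print token`, and a PKI mount named "pki" unless PKI_MOUNT is set.
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"

# PATCH manual_chain on the default issuer: "self" pins the chain to the
# issuer itself, "" returns it to automatic chain building.
patch_manual_chain() {
  curl -sS -f -X PATCH \
    -H "Content-Type: application/merge-patch+json" \
    -H "X-Vault-Request: true" \
    -H "X-Vault-Token: $(vault print token)" \
    -d "{\"manual_chain\":\"$1\"}" \
    "${VAULT_ADDR}/v1/${PKI_MOUNT}/issuer/default" >/dev/null
}

# Count PEM certificates in whatever is piped in (e.g. the ca_chain field).
count_chain_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Succeed only when the chain holds the issuer cert plus at least one parent,
# i.e. the case (more than one issuer in the mount) this fix is meant for.
chain_has_parent() {
  n=$(count_chain_certs)
  [ "$n" -ge 2 ]
}

# Rebuild the chain exactly as the article does, then verify the result.
rebuild_default_chain() {
  patch_manual_chain "self"
  patch_manual_chain ""
  vault read -field=ca_chain "${PKI_MOUNT}/issuer/default" | chain_has_parent \
    || echo "warning: ca_chain still has fewer than two certificates" >&2
}

# Only talk to Vault when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  rebuild_default_chain
fi
```

Run it as `sh rebuild_chain.sh --run` against the affected cluster; the warning indicates the chain was not rebuilt and the error in the Vault logs should be investigated further.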
Links for reference: