Issue and Behavior
When a certificate revocation request is sent to the Vault PKI secrets engine on a Vault follower (standby) node, the response returns an error instead of revoking the certificate.
Example, with VAULT_ADDR pointing at a follower node:
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" --data '{"serial_number" : "48:b6:79:f1:da:13:09:7d:8e:73:ad:XX:XX:XX:XX:XX:XX:XX:XX:XX"}' $VAULT_ADDR/v1/pki/revoke | jq
{
"errors": [
"1 error occurred:\n\t* error saving revoked certificate to new location\n\n"
]
}
The same request sent to the leader (active) node, with VAULT_ADDR pointing at it, returns a successful response:
$ curl -s --header "X-Vault-Token: $VAULT_TOKEN" --data '{"serial_number" : "48:b6:79:f1:da:13:09:7d:8e:73:ad:XX:XX:XX:XX:XX:XX:XX:XX:XX"}' $VAULT_ADDR/v1/pki/revoke | jq
{
"request_id": "db1c779d-558b-0775-4f91-c5bac7e86245",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"revocation_time": 1679080996,
"revocation_time_rfc3339": "2023-03-17T19:23:16.69243224Z",
"state": "revoked"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Solutions
- This is a known issue in Vault 1.13.0 that is corrected in Vault 1.13.1. Upgrading to Vault 1.13.1 or later resolves the issue.
- If upgrading to 1.13.1+ is not feasible, send revoke requests directly to the leader (active) node as a workaround. The active node's address can be read from the sys/leader endpoint (GET $VAULT_ADDR/v1/sys/leader; the leader_address field, with is_self true when the queried node is itself active). A successful revoke is confirmed by the revocation_time and "state": "revoked" fields in the response, or afterwards by reading pki/cert/<serial>, which reports revocation_time for a revoked certificate.
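The workaround above, implemented as a small client that discovers the active node through sys/leader and posts the revoke there. This is an added example, not code from this article or from HashiCorp; it assumes VAULT_ADDR and VAULT_TOKEN in the environment, a PKI engine mounted at pki, and the is_self and leader_address fields of the sys/leader response. The sample sys/leader bodies and hostnames at the bottom are constructed for offline checking.

```python
"""Send a PKI revoke to the Vault active node (workaround for the 1.13.0 issue).

Added example, not code from the article or from HashiCorp. Assumes VAULT_ADDR
and VAULT_TOKEN in the environment, a PKI engine mounted at "pki", and the
sys/leader response fields is_self and leader_address.
"""
import json
import os
import sys
import urllib.error
import urllib.request


def leader_address(vault_addr, leader_info):
    """Pick the node that should receive the revoke.

    leader_info is the parsed JSON body of GET /v1/sys/leader. If the node we
    asked is itself active (is_self), keep vault_addr; otherwise use the
    leader_address it reports. Fails loudly if no active node is known.
    """
    if leader_info.get("is_self"):
        return vault_addr.rstrip("/")
    addr = leader_info.get("leader_address")
    if not addr:
        raise RuntimeError("sys/leader reports no active node (sealed or mid-election?)")
    return addr.rstrip("/")


def vault_request(method, url, token, body=None):
    """Minimal Vault API call; surfaces a Vault error body as a RuntimeError.

    If a revoke still lands on a follower, the "errors" list from the failing
    response (e.g. "error saving revoked certificate to new location") is
    included in the exception message.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        try:
            errors = json.loads(exc.read().decode()).get("errors", [])
        except ValueError:
            errors = []
        raise RuntimeError(f"{method} {url} -> HTTP {exc.code}: {errors}") from exc


def revoke_on_leader(vault_addr, token, serial, mount="pki"):
    """Look up the active node, POST the revoke there, return (target, data)."""
    info = vault_request("GET", f"{vault_addr}/v1/sys/leader", token)
    target = leader_address(vault_addr, info)
    resp = vault_request("POST", f"{target}/v1/{mount}/revoke", token,
                         {"serial_number": serial})
    return target, resp.get("data") or {}


def is_revoked(revoke_data):
    """True when a revoke response body carries a revocation timestamp."""
    return bool(revoke_data.get("revocation_time"))


# Constructed sample sys/leader bodies (hostnames are made up), shaped like
# the real endpoint's response so the routing logic can be checked offline.
SAMPLE_LEADER_FROM_FOLLOWER = {
    "ha_enabled": True,
    "is_self": False,
    "leader_address": "https://vault-0.example.internal:8200",
}
SAMPLE_LEADER_FROM_ACTIVE = {
    "ha_enabled": True,
    "is_self": True,
    "leader_address": "https://vault-0.example.internal:8200",
}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: revoke_on_leader.py <serial_number>")
    target, data = revoke_on_leader(os.environ["VAULT_ADDR"],
                                    os.environ["VAULT_TOKEN"], sys.argv[1])
    print(f"revoked via {target}: {data}" if is_revoked(data)
          else f"unexpected response from {target}: {data}")
```

Run it as `python revoke_on_leader.py <serial>` against any cluster member; the leader lookup is a single unauthenticated read, so pointing VAULT_ADDR at a follower or a load balancer still routes the revoke to the active node. When VAULT_ADDR already points at the active node (is_self true), the original address is kept rather than the advertised leader_address, which may be an internal cluster address.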