If you receive the following error while issuing a server certificate:
$ vault write pki/issue/server-certificates common_name=test.example.com
Error writing data to pki/issue/server-certificates: Error making API request.
URL: PUT https://$VAULT_ADDR/v1/pki/issue/server-certificates
Code: 500. Errors:
* 2 errors occurred:
* errors from both primary and secondary; primary error was error
fetching CA certificate: stored CA information not able to be parsed;
secondary errors follow
* error fetching CA certificate: stored CA information not able to be parsed
This is usually caused by an accidental change to your Intermediate CA (ICA).
For example, if you accidentally execute the /intermediate/generate/internal endpoint, which generates a new intermediate CA CSR along with a new private key (in the internal case, a key known only to Vault), the existing ICA becomes corrupted because its private key has changed, so any operation through this ICA will fail.
The only solution is to reconfigure the ICA and then have it signed by the Root CA.
To prevent this from happening again, plan an immediate upgrade to Vault 1.11.x or later, where the multi-issuer functionality provides safe CA rotation and this risky behavior no longer exists.
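As an added example (not part of the original article or of Vault itself), the recovery described above as a shell script: generate a fresh internal CSR on the intermediate mount, have the root mount sign it, install the signed certificate, and confirm the ICA is readable again. The mount names pki and pki_int, the common name and the TTL are assumptions; adjust them to your environment.

```shell
# Added example, not from the original article. Rebuilds a corrupted ICA.
# Assumptions: Root CA mounted at "pki", intermediate at "pki_int",
# VAULT_ADDR/VAULT_TOKEN already set for the vault CLI.
set -eu

ROOT_MOUNT="${ROOT_MOUNT:-pki}"       # mount holding the Root CA
INT_MOUNT="${INT_MOUNT:-pki_int}"     # mount holding the corrupted ICA
ICA_CN="${ICA_CN:-example.com Intermediate Authority}"
ICA_TTL="${ICA_TTL:-43800h}"

# Step 1: generate a new CSR and private key inside Vault (internal type).
# This is the same call that corrupts a healthy ICA; here it is deliberate,
# because the old key is already unusable and is being replaced.
generate_ica_csr() {
  vault write -field=csr "${INT_MOUNT}/intermediate/generate/internal" \
    common_name="${ICA_CN}"
}

# Step 2: have the Root CA sign the CSR, which is read from stdin (csr=-).
sign_with_root() {
  vault write -field=certificate "${ROOT_MOUNT}/root/sign-intermediate" \
    csr=- format=pem_bundle ttl="${ICA_TTL}"
}

# Step 3: install the signed certificate on the intermediate mount (stdin).
install_signed_ica() {
  vault write "${INT_MOUNT}/intermediate/set-signed" certificate=-
}

# Step 4: the mount must serve its CA certificate again; fail if it cannot.
verify_ica() {
  pem="$(vault read -field=certificate "${INT_MOUNT}/cert/ca")"
  case "$pem" in
    *"BEGIN CERTIFICATE"*) printf '%s\n' "$pem" ;;
    *) echo "ICA on ${INT_MOUNT} is still unreadable" >&2; return 1 ;;
  esac
}

# Runs the four steps in order and prints the new ICA certificate on success.
recover_ica() {
  csr="$(generate_ica_csr)"
  [ -n "$csr" ] || { echo "no CSR returned by ${INT_MOUNT}" >&2; return 1; }
  cert="$(printf '%s\n' "$csr" | sign_with_root)"
  [ -n "$cert" ] || { echo "no certificate returned by ${ROOT_MOUNT}" >&2; return 1; }
  printf '%s\n' "$cert" | install_signed_ica >/dev/null
  verify_ica
}
```

Source the script and call recover_ica against a live Vault. Because the ICA now has a new key and certificate, leaf certificates issued by the old ICA will only keep validating where the old intermediate certificate remains in the trust chain.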