During a Vault upgrade, the UI may incorrectly report PKI mounts as not configured, even though the CLI confirms that they are configured.
The UI displays the following message:
PKI not configured
This PKI mount hasn't yet been configured with a certificate issuer. There are existing roles.
Use the CLI to perform any operations with them until an issuer is configured.
This issue appears on follower nodes that were upgraded before the leader node completed its own upgrade. The order in which the nodes are upgraded seems to play a role in triggering the anomaly. Changes in the DB structure during the upgrade process could have led to this inaccuracy in the UI.
1. Complete Upgrade Process: The most effective solution to resolve the UI anomaly is to ensure that the entire Vault upgrade process is completed, including upgrading all follower nodes and the leader node.
If the issue still persists after the upgrade process is complete, consider the following troubleshooting steps:
2. Developer Tools Inspection: Inspect the browser's developer tools for error codes and messages. In this scenario, we may observe the error message below, alongside a 400 error code.
using legacy ca bundal as pki migration has not completed
3. Debug Log Analysis: Analyze Vault's debug logs to identify any recurring error messages related to the UI anomaly. Even if trace-level logs do not provide an immediate solution, they can assist in pinpointing the issue.
4. PKI Mount Reload: Consider reloading the affected PKI mount. Reloading can resolve certain configuration-related issues.
5. Leader Step-Down and Reload: If the issue persists, it might be useful to perform a leader step-down and subsequently reload all PKI mounts. This can help to reset certain configurations and address anomalies.
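
To check whether a cluster is in the state described above (followers upgraded ahead of the leader, or the upgrade not yet complete on every node), the following added example, which is not from the original article, compares the versions that each node reports. It assumes you have saved each node's /v1/sys/health response body; the node names and versions in the sample are constructed.

```python
import json
import re

# Constructed sample data: one /v1/sys/health response body per node, as
# collected from each node's API address. Node names and versions are invented.
SAMPLE_HEALTH = {
    "vault-0": '{"initialized": true, "sealed": false, "standby": false, "version": "1.13.4"}',
    "vault-1": '{"initialized": true, "sealed": false, "standby": true, "version": "1.14.1"}',
    "vault-2": '{"initialized": true, "sealed": false, "standby": true, "version": "1.13.4"}',
}


def parse_version(text):
    """Turn '1.14.1' or '1.14.1+ent' into a comparable tuple such as (1, 14, 1)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(part) for part in match.groups())


def upgrade_state(health_by_node):
    """Summarise leader and follower versions from per-node sys/health bodies."""
    nodes = {name: json.loads(body) for name, body in health_by_node.items()}
    # The active (leader) node is the one that is unsealed and not a standby.
    leaders = [n for n, h in nodes.items() if not h["standby"] and not h["sealed"]]
    if len(leaders) != 1:
        raise ValueError(f"expected exactly one active node, found {leaders}")
    leader = leaders[0]
    leader_version = parse_version(nodes[leader]["version"])
    # Followers running a newer version than the leader match the trigger
    # condition described in the article.
    ahead = sorted(
        name for name, h in nodes.items()
        if name != leader and parse_version(h["version"]) > leader_version
    )
    versions = {parse_version(h["version"]) for h in nodes.values()}
    return {
        "leader": leader,
        "followers_ahead_of_leader": ahead,
        "upgrade_complete": len(versions) == 1,
    }


if __name__ == "__main__":
    print(json.dumps(upgrade_state(SAMPLE_HEALTH), indent=2))
```

If followers_ahead_of_leader is non-empty or upgrade_complete is false, finish the upgrade (step 1) before moving on to the later steps.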