Issue Description:
During Vault upgrade, a UI anomaly may emerge, where PKI mounts are inaccurately reported as not configured. This occurs despite CLI confirming the opposite. This issue was seen when upgrading from v1.11.4+ent.hsm to version v1.14.1+ent.hsm
UI displays below message:
PKI not configured
This PKI mount hasn't yet been configured with a certificate issuer.There are existing roles.
Use the CLI to perform any operations with them until an issuer is configured.
This issue emerges on follower nodes that have undergone upgrade prior to the leader node's completion of upgrade process. The sequence of upgrade seems to play a role in triggering this anomaly. Changes in the DB structure during the upgrade process could have lead to this inaccuracy in the UI.
In case the issue still persists after completing the upgrading process, consider taking below troubleshooting steps:
2. Developer Tools Inspection: Initiate an inspection of the browser's developer tools for error codes and messages. In this scenario, we may observe error message below, alongside a 400 error code.
using legacy ca bundle as pki migration has not completed
3. Debug Log Analysis: Analyze Vault's debug logs to identify any recurring error messages related to the UI anomaly. Even if trace level logs do not provide immediate solutions, they can assist in pinpointing the issue.
4. PKI Mount Reload: Consider reloading the affected PKI mount. Reloading can resolve certain configuration-related issues.
5. Leader Step-Down and Reload: If the issue persists, it might be useful to perform a leader step-down and subsequently reload all PKI mounts. This can help to reset certain configurations and address anomalies.