Summary:
On Vault 1.20.x and above, the PKI secrets engine UI page may return a 500 / “internal error” when loading. The issue is seen specifically in Vault deployments where the only audit device enabled is syslog-based.
Problem description:
When navigating to a PKI secrets engine mount (for example, pki_int) in the Vault UI on versions 1.20.x or later, the UI fails to load the PKI engine details page and shows an internal error similar to:
Ember Data Request GET /v1/pki_int/roles/example?help=1 returned a 500 Payload (application/json) { "errors": [ "internal error" ] }
internal error
Vault server logs show errors like:
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: 2025-09-24T07:52:30.883Z [ERROR] core: failed to audit response: request_path=pki_int/roles/example
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: error=
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: | event not processed by enough 'sink' nodes
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: | error writing to syslog: write unixgram @->/run/systemd/journal/dev-log: write: message too long
Note: This is not expected behaviour, and it has been logged as a bug in the HashiCorp ecosystem.
Affected environment:
Vault versions: 1.20.x and above where:
- A syslog-based audit device is enabled as the only or primary audit sink (vault audit enable syslog).
- PKI engine is configured (for example, an intermediate CA at pki_int) with one or more roles.
Root cause:
PKI-related audit events (especially responses that include detailed role configuration and certificate metadata) can exceed the maximum message size allowed by the syslog socket or implementation. When Vault cannot successfully write the audit event to the single configured syslog audit device, the audit framework reports that the event was not processed by enough sinks. Vault then fails the corresponding API request and returns {"errors": ["internal error"]}, which is surfaced by the UI as a 500 error while loading the PKI mount view.
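To confirm from the server journal which request paths are affected by this specific failure, the multi-line error records can be correlated as below. This is an added example, not code from Vault or HashiCorp; the function name is hypothetical, and the sample is the four journal lines quoted above plus one constructed record with a different cause.

```python
import re
from collections import Counter

# Constructed sample: the four journal lines quoted on this page, followed by
# a made-up audit failure with a different cause that must not be counted.
SAMPLE = """\
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: 2025-09-24T07:52:30.883Z [ERROR] core: failed to audit response: request_path=pki_int/roles/example
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: error=
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: | event not processed by enough 'sink' nodes
Sep 24 07:52:30 ip-172-31-1-40.us-west-1.compute.internal vault[2047585]: | error writing to syslog: write unixgram @->/run/systemd/journal/dev-log: write: message too long
Sep 24 07:53:02 host.example vault[2047585]: 2025-09-24T07:53:02.101Z [ERROR] core: failed to audit response: request_path=sys/mounts
Sep 24 07:53:02 host.example vault[2047585]: error=
Sep 24 07:53:02 host.example vault[2047585]: | error writing to syslog: connection refused
"""

# Journal prefix: "<date> <host> vault[<pid>]: <message>"
PREFIX = re.compile(r"^.*? vault\[(\d+)\]: (.*)$")
HEAD = re.compile(r"failed to audit response: request_path=(\S+)")


def oversized_audit_failures(lines):
    """Count, per request_path, audit failures where syslog rejected the
    event with 'message too long' (the symptom described on this page)."""
    hits = Counter()
    current = {}  # pid -> request_path of the record currently being read
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        head = HEAD.search(msg)
        if head:
            current[pid] = head.group(1)      # start of a new error record
        elif msg.startswith(("error=", "|")):  # continuation of that record
            if (pid in current and "error writing to syslog" in msg
                    and msg.endswith("message too long")):
                hits[current.pop(pid)] += 1    # pop so a record counts once
        else:
            current.pop(pid, None)             # unrelated line ends the record
    return hits


if __name__ == "__main__":
    for path, n in oversized_audit_failures(SAMPLE.splitlines()).items():
        print(f"{n} oversized audit event(s) rejected by syslog for {path}")
```
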
Customer impact:
The PKI secrets engine UI page fails to load, preventing users from:
Workarounds:
- Use the CLI or API instead of the UI for certificate operations:
  Generate certificates and manage PKI roles via vault write, vault read, and direct HTTP API calls; these operations succeed even though the UI view fails.
- Add a non-syslog audit device (recommended):
  Enable a file-based audit device alongside syslog, so requests are still fully audited even if syslog rejects large messages. For example:
  vault audit enable file file_path=/var/log/vault_audit.log