failed to revoke entry (certificate not found) #9146
Comments
Hi @pellepelster, Thanks for the bug report. How are you invoking pki tidy (i.e. what arguments are you providing)?
Hi,
Ok, it looks like when use This is a bug: we should make cert revocation handle this gracefully by tolerating a deleted cert when the lease entry shows it was expired. We should add warnings to the Tidy api docs as well:
Do you think the return nil, nil approach from the initial bug is a feasible short-term solution? From our point of view it should be safe, as it tries to revoke any certs and ignores them if they are not around anymore.
I believe the answer to the above question was yes, based on #9880. I agree with this behavior and believe this shouldn't be seen much any more in newer versions of Vault. As such, I'm inclined to close this PR as resolved; feel free to reopen if anyone disagrees. Also regarding the above docs suggestion,
Describe the bug
We are experiencing a lot of errors in the vault log around vault trying to expire leases:
Especially when starting vault this leads to thousands of error log messages, and during this time the whole CRL functionality seems to be unresponsive.
To Reproduce
We were not able to figure out how we came into this position, but we figured out that when we change
vault/builtin/logical/pki/crl_util.go
Line 83 in 1705214
to
return nil, nil
vault is eventually able to work through all the leases it wants to revoke. We guess we could also achieve this by issuing a forced revoke from the outside.
Expected behaviour
We are not sure if what we see is actually a problem, but given the fact that this is logged as an error we are questioning how we possibly came into the situation that vault wants to expire leases and is unable to find the accompanying certificates. Could this be caused by vault tidy?
Additional context
We regularly run a vault tidy with very little buffer to clean up our PKIs. We are currently running vault 1.1.2; we also observed this behaviour with 1.4.2.
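The tolerant revocation the maintainer describes (treat a certificate that tidy already deleted as nothing-to-do when its lease shows it had expired, and only error when a still-live certificate is missing), as an added Go example that is not Vault's own code: the types, the in-memory store, the one-minute buffer and the serials are constructed stand-ins for illustration.

```go
package main

import (
	"fmt"
	"time"
)

var errCertNotFound = fmt.Errorf("certificate not found")
// Constructed stand-ins (not Vault's own types) for a stored certificate,
// the lease handed back for revocation, and the backend's storage.
type cert struct{ notAfter time.Time }
type leaseEntry struct {
	serial    string
	expiresAt time.Time // end of the TTL the lease was issued with
}
type pkiStore struct {
	certs   map[string]cert
	revoked map[string]bool
}
// tidy deletes certs expired longer than safetyBuffer; a tiny buffer is
// what leaves a later lease revocation with no certificate to find.
func (s *pkiStore) tidy(now time.Time, safetyBuffer time.Duration) int {
	n := 0
	for serial, c := range s.certs {
		if now.After(c.notAfter.Add(safetyBuffer)) {
			delete(s.certs, serial)
			n++
		}
	}
	return n
}
// revoke tolerates a missing certificate only when the lease shows it had
// already expired, returning a warning instead of an error in that case.
func (s *pkiStore) revoke(l leaseEntry, now time.Time) (string, error) {
	if _, ok := s.certs[l.serial]; !ok {
		if now.Before(l.expiresAt) {
			return "", errCertNotFound // a live certificate really is missing
		}
		return "certificate " + l.serial + " already removed by tidy; nothing to revoke", nil
	}
	s.revoked[l.serial] = true
	return "", nil
}
func main() {
	now := time.Now()
	s := &pkiStore{certs: map[string]cert{}, revoked: map[string]bool{}}
	s.certs["aa:01"] = cert{notAfter: now.Add(-2 * time.Hour)} // expired two hours ago
	fmt.Println("tidied:", s.tidy(now, time.Minute))
	fmt.Println(s.revoke(leaseEntry{"aa:01", now.Add(-2 * time.Hour)}, now))
}
```

With the one-minute buffer the expired certificate is tidied first, so the later revocation of its lease logs a warning instead of the "certificate not found" error seen in the report.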