When expiration attempts to revoke a cert that's not in storage (perhaps due to pki tidy), don't treat that as an error. Let the lease get expired. (#9880) (#10006)

Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
vishalnayak and ncabatoff authored Sep 22, 2020
1 parent a3053be commit fbb70c2
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions builtin/logical/pki/crl_util.go
Expand Up @@ -80,6 +80,13 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
}
}
if certEntry == nil {
if fromLease {
// We can't write to revoked/ or update the CRL anyway because we don't have the cert,
// and there's no reason to expect this will work on a subsequent
// retry. Just give up and let the lease get deleted.
b.Logger().Warn("expired certificate revoke failed because not found in storage, treating as success", "serial", serial)
return nil, nil
}
return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
}
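
Review bot: In the `if fromLease` branch, `return nil, nil` reports success even though the serial was never written to revoked/ or added to the CRL, and nothing in the branch checks that the missing certificate is actually past its validity period. The comment assumes the entry is gone because of tidy, but a still-valid certificate whose entry is missing for any other reason takes the same path and will never appear on the CRL once its lease is dropped. The Warn line is the only record of that, so I'd word it to match what the code knows at this point (the lease expired and the certificate was not found; "expired certificate" overstates it) and keep `serial` as a structured field so the event can be alerted on. The commit changes only crl_util.go, so a test covering the fromLease path with a missing entry would also be worth adding.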
