diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 80cc497ac415..9e046ffcfc63 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -80,6 +80,13 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
 }
 }
 if certEntry == nil {
+ if fromLease {
+ // We can't write to revoked/ or update the CRL anyway because we don't have the cert,
+ // and there's no reason to expect this will work on a subsequent
+ // retry. Just give up and let the lease get deleted.
+ b.Logger().Warn("expired certificate revoke failed because not found in storage, treating as success", "serial", serial)
+ return nil, nil
+ }
 return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
 }
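Review bot: The new `fromLease` branch returns success without checking that the certificate has actually expired, although the warning text calls it an "expired certificate". If a lease is revoked before expiry and its cert entry is missing, the lease layer would record a successful revocation while the serial never reaches the CRL, so relying parties would keep accepting the certificate. Since that outcome cannot be avoided without the cert, the log line should at least state it plainly for whoever audits revocations, e.g. `b.Logger().Warn("certificate not found in storage during lease revocation; serial was not added to the CRL, treating lease revoke as success", "serial", serial)`. It is also worth confirming in the lookup above this hunk (not visible here) that `certEntry == nil` can only mean not-found and never a swallowed storage error, because a transient failure would otherwise silently drop a revocation. revokeCert's body starts and ends outside the hunk.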