31 lines
1.2 KiB
Plaintext
31 lines
1.2 KiB
Plaintext
|
### PKI storage migration revives deleted issuers
|
||
|
|
|
||
|
|
Vault 1.11 introduced Storage v1, a new storage layout that supported
|
||
|
|
multiple issuers within a single mount. Bug fixes in Vault 1.11.6, 1.12.2,
|
||
|
|
and 1.13.0 corrected a write-ordering issue that lead to invalid CA chains.
|
||
|
|
Specifically, incorrectly ordered writes could fail due to load, resulting
|
||
|
|
in the mount being re-migrated next time it was loaded or silently
|
||
|
|
truncating CA chains. This collection of bug fixes introduced Storage v2.
|
||
|
|
|
||
|
|
#### Affected versions
|
||
|
|
|
||
|
|
Vault may incorrectly re-migrated legacy issuers created before Vault 1.11 that
|
||
|
|
were migrated to Storage v1 and deleted before upgrading to a Vault version with
|
||
|
|
Storage v2.
|
||
|
|
|
||
|
|
The migration fails when Vault finds managed keys associated with the legacy
|
||
|
|
issuers that were removed from the managed key repository prior to the upgrade.
|
||
|
|
|
||
|
|
The migration error appears in Vault logs as:
|
||
|
|
|
||
|
|
> Error during migration of PKI mount:
|
||
|
|
> failed to lookup public key from managed key:
|
||
|
|
> no managed key found with uuid
|
||
|
|
|
||
|
|
<Note>
|
||
|
|
Issuers created in Vault 1.11+ and direct upgrades to a Storage v2 layout are
|
||
|
|
not affected.
|
||
|
|
</Note>
|
||
|
|
|
||
|
|
The Storage v1 upgrade bug was fixed in Vault 1.14.1, 1.13.5, and 1.12.9.
|