Don't try to revoke certs from PKI on perf standby (#7173)

It needs to do a write for the CRL and to move to the revoked prefix
This commit is contained in:
Jeff Mitchell 2019-07-23 08:40:08 -04:00 committed by GitHub
parent 2c65f5d313
commit 3c03f8d7e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -7,6 +7,7 @@ import (
"github.com/hashicorp/errwrap" "github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
) )
@ -50,6 +51,10 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
return logical.ErrorResponse("The serial number must be provided"), nil return logical.ErrorResponse("The serial number must be provided"), nil
} }
if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
return nil, logical.ErrReadOnly
}
// We store and identify by lowercase colon-separated hex, but other // We store and identify by lowercase colon-separated hex, but other
// utilities use dashes and/or uppercase, so normalize // utilities use dashes and/or uppercase, so normalize
serial = strings.Replace(strings.ToLower(serial), "-", ":", -1) serial = strings.Replace(strings.ToLower(serial), "-", ":", -1)