When expiration attempts to revoke a cert that's not in storage (perhaps due to pki tidy), don't treat that as an error. Let the lease get expired. (#9880)

2025-11-01 19:17:58 +00:00 · 2020-09-17 16:15:03 -04:00
parent 4d6f575991
commit 1586377255
1 changed files with 7 additions and 0 deletions
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -80,6 +80,13 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
 			}
 		}
 		if certEntry == nil {
+			if fromLease {
+				// We can't write to revoked/ or update the CRL anyway because we don't have the cert,
+				// and there's no reason to expect this will work on a subsequent
+				// retry.  Just give up and let the lease get deleted.
+				b.Logger().Warn("expired certificate revoke failed because not found in storage, treating as success", "serial", serial)
+				return nil, nil
+			}
 			return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
 		}