From 18b7b1139a4009b3788d0fb6c498b7718fadaa84 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 23 Jul 2019 08:36:41 -0400
Subject: [PATCH] Don't try to revoke certs from PKI on perf standby

It needs to do a write for the CRL and to move to the revoked prefix
---
 builtin/logical/pki/path_revoke.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go
index e23aadcafe9f..1906e24bb254 100644
--- a/builtin/logical/pki/path_revoke.go
+++ b/builtin/logical/pki/path_revoke.go
@@ -7,6 +7,7 @@ import (
 
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/vault/sdk/framework"
+ "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/helper/errutil"
 "github.com/hashicorp/vault/sdk/logical"
 )
@@ -50,6 +51,10 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
 return logical.ErrorResponse("The serial number must be provided"), nil
 }
 
+ if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
+ return nil, logical.ErrReadOnly
+ }
+
 // We store and identify by lowercase colon-separated hex, but other
 // utilities use dashes and/or uppercase, so normalize
 serial = strings.Replace(strings.ToLower(serial), "-", ":", -1)
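Review bot: The new performance-standby guard in pathRevokeWrite has no comment, so the reason it returns `logical.ErrReadOnly` is recorded only in the commit message. A why-comment above the `if` would keep it with the code, e.g. `// Revocation writes the CRL and moves the cert under the revoked prefix, so it cannot complete on a performance standby.` A revocation that does not take effect leaves the certificate trusted, so a test that sets the standby state and asserts `ErrReadOnly` on this path would be worth adding. Other handlers in this backend that rebuild the CRL are not visible here, so whether they need the same guard cannot be judged from this hunk. The body of pathRevokeWrite starts and ends outside the hunk.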