PKI engine refuses to be deleted even after vault disable

Hi there,
Please help me, I’m going out of my mind with this!
I have an older version of Vault (1.0.3) on Consul (0.8.1) and we are doing some sanity checks/cleaning up before we upgrade.

I’m trying to remove a PKI engine, which no longer has anything (i.e. certs) under the path. However, it keeps coming back! The steps I took to remove it are detailed below:

$ vault list -format=yaml my/ldap/pki/certs

$ vault secrets disable my/ldap/pki/
Success! Disabled the secrets engine (if it existed) at: my/ldap/pki/

$ vault secrets list
Path             Type         Accessor              Description
----             ----         --------              -----------
cubbyhole/       cubbyhole    cubbyhole_295119ab    per-token private secret storage
identity/        identity     identity_275d4e5e     identity store
pki/             pki          pki_e71d366f          n/a
secret/          generic      generic_2c3dc747      generic secret storage
my/ldap/pki/    pki          pki_97dff7b7          n/a
sys/             system       system_71e16012       system endpoints used for control, policy and debugging

As you can see, even after a successful disable, it refuses to go away and comes back when you do a vault secrets list.

I also tried:

curl --header "X-Vault-Token: $TOKEN" --request DELETE https://myconsul.localhost/v1/sys/mounts/my/lda/pki --verbose

This also completes successfully but still the PKI engine persists.

Another thing I tried is:

$ vault lease revoke -force -prefix my/ldap/pki
Warning! Force-removing leases can cause Vault to become out of sync with
secret engines!
Success! Force revoked any leases with prefix: my/ldap/pki

But still, no go.
What else can I do to clean this phantom path/engine?


Does the token have policy to delete mounts via sys/mounts?