Vault server cannot start if the certificate does not contain a SKI


Recently I tried to upgrade the Vault version in our product from 1.9.10 to 1.11.3 but the server fails to start with the following error:

error building CRLs: unable to build CRL for issuer (0abce9c1-0e21-bf87-3ca1-f6ec24e367f0): error creating new CRL: x509: issuer certificate doesn't contain a subject key identifier

So far, the certificate that is used to set up TLS in Vault was unfortunately generated without a Subject Key Identifier. Nevertheless, all upgrades up until 1.9.x were working fine.

After the last upgrade from 1.9.10 to 1.11.3 this doesn’t work anymore and I finally overcame the issue by re-creating the certificate using the SKI extension.
Given that this breaks our product’s in-service upgrade (because there is a time window where some containers (Vault clients or Vault servers) still use the old certificate whereas others use the new one), is there a way to bypass this issue other than implementing a solution which includes the re-creation of the certificate with a SKI?

Thank you,

As you have discovered a compatibility problem with a Vault upgrade, I recommend you create a GitHub issue to report it as a bug: Issues · hashicorp/vault · GitHub

I can’t think of a workaround other than recreating the certificate - though if this is being done by replacing one certificate with another certificate with the same DN and key, it is possible that could be a zero-downtime replacement.
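A pre-upgrade check for the condition behind the error in this thread, added here as an example and not code from the thread or from Vault itself: it walks a DER-encoded certificate with the Python standard library only and reports whether the Subject Key Identifier extension (OID 2.5.29.14) is present, so a certificate can be inspected before the 1.11 upgrade instead of the problem surfacing at server start. The two certificate skeletons at the end are constructed for the demonstration and are not real certificates.

```python
"""Check whether an X.509 certificate carries the Subject Key Identifier extension that Vault 1.11 needs."""
SKI_OID_DER = b"\x06\x03\x55\x1d\x0e"  # OBJECT IDENTIFIER 2.5.29.14 (subjectKeyIdentifier)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each element of a constructed DER body (SEQUENCE etc.)."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def has_subject_key_identifier(der):
    """True if the certificate's TBSCertificate contains an SKI extension."""
    _, cert_body, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    for tag, value in _children(tbs):
        if tag == 0xA3:                              # [3] EXPLICIT Extensions OPTIONAL
            _, ext_list, _ = _read_tlv(value, 0)     # Extensions ::= SEQUENCE OF Extension
            return any(t == 0x30 and ext.startswith(SKI_OID_DER)   # extnID is the first field
                       for t, ext in _children(ext_list))
    return False                                     # v1 certificate or no extensions at all

# --- constructed samples (NOT valid certificates: real tag layout, dummy fields, no signature) ---
def _tlv(tag, payload):
    """Encode one DER TLV, short or long length form."""
    n = len(payload)
    nb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(nb)]) + nb) + payload

def _skeleton(extensions):
    """Certificate skeleton whose TBSCertificate carries the given Extension TLVs."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")      # [0] version v3, serialNumber
    tbs += _tlv(0x30, b"") * 5                     # signature, issuer, validity, subject, SPKI (dummy)
    tbs += _tlv(0xA3, _tlv(0x30, b"".join(extensions)))              # [3] extensions
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

BASIC_CONSTRAINTS_EXT = _tlv(0x30, b"\x06\x03\x55\x1d\x13" + _tlv(0x04, _tlv(0x30, b"")))
SKI_EXT = _tlv(0x30, SKI_OID_DER + _tlv(0x04, _tlv(0x04, bytes(20))))
CERT_WITHOUT_SKI = _skeleton([BASIC_CONSTRAINTS_EXT])   # the layout that trips Vault 1.11's CRL builder
CERT_WITH_SKI = _skeleton([BASIC_CONSTRAINTS_EXT, SKI_EXT])
```

For a PEM file, convert it with the standard library's ssl.PEM_cert_to_DER_cert() before calling has_subject_key_identifier().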

Alright! Thank you very much for the prompt reply! :slight_smile: