Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
Mozilla Public License 2.0

Certificates requested from a Vault Enterprise Performance Secondary are not imported into Venafi #56

Closed tr1ck3r closed 3 years ago

tr1ck3r commented 3 years ago

PROBLEM SUMMARY
Certificates requested from a Vault Enterprise performance replica are not imported into Venafi when the role is configured to do so.

STEPS TO REPRODUCE

  1. Set up a Vault Enterprise performance replica environment (e.g. 3-node HA cluster with 3-node performance replica HA cluster) running with debug logging
  2. Install, register, and enable the current version of this plugin as the pki-repro/ path.
  3. Create a default venafi-policy using vault write pki-repro/venafi-policy/default. If using a current version of this plugin include import_roles=test-role.
  4. Create a self-signed root CA using vault write pki-repro/root/generate/internal.
  5. Create a PKI role using vault write pki-repro/roles/test-role allow_any_name=true. If using an older version of this plugin include venafi_import=true
  6. Request a certificate from the primary performance secondary server using vault write pki-repro/issue/test-role or vault write pki-repro/sign/test-role
  7. Check the log on the primary performance secondary server and the zone in Venafi where the certificates should be imported.

EXPECTED RESULTS
No errors in the log and certificates issued by Vault imported into the Venafi zone.

ACTUAL RESULTS
The following "cannot write to readonly storage" error in the log and no certificates issued by Vault imported into the Venafi zone.

2020-09-16T19:17:02.182Z [DEBUG] secrets.pki-monitor-venafi.pki-monitor-venafi_9d291060.pki-monitor-venafi.pki-monitor-venafi: 2020/09/16 19:17:02 Puting certificate with serial number 6a-3d-40-99-ca-d4-25-a7-e5-de-dd-d6-69-87-46-e2-f1-e0-65-5c to the Venafi import queue
2020-09-16T19:17:02.182Z [DEBUG] secrets.pki-monitor-venafi.pki-monitor-venafi_9d291060.pki-monitor-venafi.pki-monitor-venafi: 2020/09/16 19:17:02 Unable to store certificate in import queue: cannot write to readonly storage
2020-09-16T19:17:02.182Z [DEBUG] secrets.pki-monitor-venafi.pki-monitor-venafi_9d291060.pki-monitor-venafi.pki-monitor-venafi: 2020/09/16 19:17:02 Returning sign response

ENVIRONMENT DETAILS
Vault Enterprise 1.5.3, Trust Protection Platform 20.2 or Venafi Cloud.

COMMENTS/WORKAROUNDS
Something most likely needs to be added to the following code so that the primary Vault server in the cluster handles the storage.
https://github.com/Venafi/vault-pki-monitor-venafi/blob/6629b612cf25de8bd428de53bb6615094bb25f4a/plugin/pki/path_issue_sign.go#L336-L347
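An added illustration of the failure mode in the log above, not code from this repository: a plugin that only logs the read-only storage error and still answers the sign request loses the import-queue entry silently, whereas returning the error lets Vault recognise it and forward the request to a node that can write. The `Storage` type and `ErrReadOnly` below are constructed stand-ins for the Vault SDK's `logical.Storage` and `logical.ErrReadOnly`, and the forwarding behaviour is assumed from Vault's handling of that sentinel error.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// ErrReadOnly stands in for Vault's logical.ErrReadOnly (assumed to carry the
// same message). A read-only storage view returns it from Put; a plugin that
// returns it back to Vault gets the request forwarded to a writable node.
var ErrReadOnly = errors.New("cannot write to readonly storage")

// Storage is a constructed in-memory stand-in for logical.Storage; ReadOnly
// mimics a performance secondary (or standby), where every write fails.
type Storage struct {
	Data     map[string][]byte // must be initialised by the caller
	ReadOnly bool
}

func (s *Storage) Put(key string, value []byte) error {
	if s.ReadOnly {
		return ErrReadOnly
	}
	s.Data[key] = value
	return nil
}

// QueueSwallowingError mirrors what the log above shows: the failed Put is only
// logged and the sign response goes out as if the certificate had been queued.
func QueueSwallowingError(s *Storage, serial string, pem []byte) error {
	if err := s.Put("import-queue/"+serial, pem); err != nil {
		log.Printf("Unable to store certificate in import queue: %v", err)
	}
	return nil // the caller never learns the queue write was lost
}

// QueueReturningError propagates the failure. Wrapping with %w keeps ErrReadOnly
// detectable via errors.Is, so Vault can forward the request to the primary.
func QueueReturningError(s *Storage, serial string, pem []byte) error {
	if err := s.Put("import-queue/"+serial, pem); err != nil {
		return fmt.Errorf("queueing %s for Venafi import: %w", serial, err)
	}
	return nil
}

// IsReadOnlyError is the check that decides between answering locally and
// forwarding: true only when ErrReadOnly is somewhere in the error chain.
func IsReadOnlyError(err error) bool { return errors.Is(err, ErrReadOnly) }
```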