From fbb70c2a92fb54ab70a39d4c490f1bb208de9266 Mon Sep 17 00:00:00 2001
From: Vishal Nayak
Date: Tue, 22 Sep 2020 12:10:47 -0400
Subject: [PATCH] When expiration attempts to revoke a cert that's not in storage (perhaps due to pki tidy), don't treat that as an error. Let the lease get expired. (#9880) (#10006)

Co-authored-by: ncabatoff
---
 builtin/logical/pki/crl_util.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 80cc497ac415..9e046ffcfc63 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -80,6 +80,13 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
 		}
 	}
 	if certEntry == nil {
+		if fromLease {
+			// We can't write to revoked/ or update the CRL anyway because we don't have the cert,
+			// and there's no reason to expect this will work on a subsequent
+			// retry. Just give up and let the lease get deleted.
+			b.Logger().Warn("expired certificate revoke failed because not found in storage, treating as success", "serial", serial)
+			return nil, nil
+		}
 		return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
 	}