if storing the certificate, always generate/sign the certificate on t…

…he primary (#7904)
hashicorp · Dec 6, 2019 · aa32607 · aa32607
1 parent 9b8c89a
commit aa32607
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -188,6 +189,11 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 }
 
 func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry, useCSR, useCSRValues bool) (*logical.Response, error) {
+	// If storing the certificate and on a performance standby, forward this request on to the primary
+	if !role.NoStore && b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
+		return nil, logical.ErrReadOnly
+	}
+
 	format := getFormat(data)
 	if format == "" {
 		return logical.ErrorResponse(