From 84bb04eca448f81472d6dba1b241ad1a99fc60a5 Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Fri, 13 Mar 2020 13:39:14 -0700
Subject: [PATCH] storage/raft: Refresh TLS keyring on snapshot restore (#8546)
---
 vault/raft.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/vault/raft.go b/vault/raft.go
index 80233e73f3..950d510af4 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -484,6 +484,12 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 // Purge the cache so we make sure we are operating on fresh data
 c.physicalCache.Purge(ctx)
 
+ // Refresh the raft TLS keys
+ if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+ c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
+ return err
+ }
+
 // Reload the keyring in case it changed. If this fails it's likely
 // we've changed master keys.
 err := c.performKeyUpgrades(ctx)
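Review bot: The added error branch logs "failed to perform TLS key upgrades, sealing", but the only statement after it is `return err`; no seal call is visible in the hunk, so the message may describe an action that does not happen here. If the caller of this callback does not seal on error, the node could keep running with raft TLS keys that do not match the restored snapshot, so either seal explicitly in this branch or drop ", sealing" from the message. A failure on this path is also better logged at error level so it surfaces in alerting, e.g. `c.logger.Error("failed to perform TLS key upgrades", "error", err)`. The new check also runs before `performKeyUpgrades`, which the following comment says reloads the keyring; if the TLS keys are read through that keyring, the ordering is worth confirming. The callback body starts and ends outside the hunk.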