
Error 500 when trying to export missing certificate-chain from the transit engine #29861

Open
landron opened this issue Mar 7, 2025 · 0 comments


landron commented Mar 7, 2025

Describe the bug
The export-key endpoint returns a 500 error with the message "selected key version does not have a certificate chain imported" when attempting to export a missing (non-imported) certificate chain. While the message is informative, the error code is misleading—it should likely be a 404. This poses challenges for us, as the issue is automatically reported as a real error, even though this behavior is expected.

To Reproduce
Python script:

"""
This script is used to test the export of the certificate chain and verify the
Vault server's 500 error response.
"""

import hvac
from packaging.version import Version
import requests

BASE_URL = "http://127.0.0.1:8200"

class VaultAPIError(requests.exceptions.RequestException):
"""Vault API Error"""

def compare_versions(version1, version2):
"""Returns: -1, 0, 1"""
return (Version(version1) > Version(version2)) - (
Version(version1) < Version(version2)
)

def export_certificate_chain(client):
"""Export Certificate Chain: not supported in hvac 2.3.0"""
url = BASE_URL + "/v1/transit/export/certificate-chain/my-transit-key"
response = requests.get(url, headers={"X-Vault-Token": client.token}, timeout=3)
if response.status_code != 200:
data = response.json()
errors = data.get("errors", [])
print(f"GET {url}: {response.status_code} - {errors}")

    assert response.status_code == 500, "500 error response expected"
    assert (
        "selected key version does not have a certificate chain imported"
        in errors[0]
    ), "expected error message"

def delete_key(client, key_name):
"""Delete key"""
client.secrets.transit.update_key_configuration(
name=key_name, deletion_allowed=True
)
client.secrets.transit.delete_key(name=key_name)

def main():
"""main"""
client = hvac.Client(url=BASE_URL, token="vault-root-token")
assert client.is_authenticated()

url = BASE_URL + "/v1/sys/version-history"
response = requests.request(
    "LIST",
    url,
    headers={
        "X-Vault-Token": "vault-root-token",
    },
    timeout=3, 
)
if response.status_code != 200:
    raise VaultAPIError(f"LIST {url}: {response.status_code} {response.text}")
version = None
data = response.json()
for key in data["data"]["keys"]:
    if not version or list(map(int, key.split("."))) > list(
        map(int, version.split("."))
    ):
        version = key
# https://developer.hashicorp.com/vault/api-docs/v1.15.x/secret/transit#export-key
assert (
    compare_versions(version, "1.15.0") >= 0
), "export CertificateChain requires 1.15.x"

if "transit/" not in client.sys.list_mounted_secrets_engines():
    client.sys.enable_secrets_engine(
        "transit", path="transit", mount_point="transit"
    )

key_name = "my-transit-key"
client.secrets.transit.create_key(
    name=key_name, exportable=True, key_type="rsa-2048"
)

try:
    export_certificate_chain(client)
except Exception:
    delete_key(client, key_name)
    raise

delete_key(client, key_name)

if name == "main":
main()

Expected behavior
While the message is informative, the error code 500 is misleading—it should likely be a 404.

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.2
  • Vault CLI Version (retrieve with vault version):
  • Server Operating System/Architecture: Ubuntu 24.10

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values

Additional context
Add any other context about the problem here.
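The report's practical problem is that a monitoring or client layer cannot tell this expected "no chain imported" condition apart from a genuine server fault, because both arrive as HTTP 500. The following is an added example, not code from the issue or from Vault or hvac, of a client-side classifier that maps the documented error message to a distinct "not found" exception and treats every other 5xx as a real server error. It assumes only the status code and the `errors` array of the JSON body, as shown in the report; the `FakeResponse` class and the sample bodies are constructed stand-ins for `requests.Response` so the example runs offline.

```python
"""Classify Vault transit export-key failures so that the expected
"certificate chain not imported" condition is not paged as a server fault."""

import json
from dataclasses import dataclass

# Error message quoted in the bug report for a key without an imported chain.
NO_CHAIN_MSG = "selected key version does not have a certificate chain imported"


class VaultError(Exception):
    """Base class for failures returned by the Vault API."""


class ChainNotImported(VaultError):
    """Expected condition: the key version has no certificate chain to export."""


class VaultServerError(VaultError):
    """Genuine server-side failure (5xx) that should be alerted on."""


class VaultClientError(VaultError):
    """Caller-side failure (4xx other than the mapped not-found case)."""


@dataclass
class FakeResponse:
    """Minimal stand-in for requests.Response (constructed for this example)."""

    status_code: int
    text: str

    def json(self):
        return json.loads(self.text)


def _errors_of(resp):
    """Return the Vault 'errors' list from a response body, or [] if absent/unparsable."""
    try:
        body = resp.json()
    except ValueError:
        return []
    errs = body.get("errors", []) if isinstance(body, dict) else []
    return [e for e in errs if isinstance(e, str)]


def classify_export_response(resp):
    """Return the exported data on success, otherwise raise a typed exception.

    The known 500 + NO_CHAIN_MSG combination is mapped to ChainNotImported,
    the same class a future 404 from the server would map to, so callers and
    alerting rules do not depend on which status code Vault emits.
    """
    if resp.status_code == 200:
        return resp.json()["data"]
    errors = _errors_of(resp)
    if resp.status_code == 500 and any(NO_CHAIN_MSG in e for e in errors):
        raise ChainNotImported(errors[0])
    if resp.status_code == 404:
        raise ChainNotImported(errors[0] if errors else "not found")
    if resp.status_code >= 500:
        raise VaultServerError(f"{resp.status_code}: {errors}")
    raise VaultClientError(f"{resp.status_code}: {errors}")


def export_chain_or_none(resp):
    """Convenience wrapper: data dict on success, None when no chain is imported."""
    try:
        return classify_export_response(resp)
    except ChainNotImported:
        return None


# Constructed sample responses (not captured from a real server).
SAMPLE_NO_CHAIN = FakeResponse(500, json.dumps({"errors": [NO_CHAIN_MSG]}))
SAMPLE_OTHER_500 = FakeResponse(500, json.dumps({"errors": ["internal error"]}))
SAMPLE_FORBIDDEN = FakeResponse(403, json.dumps({"errors": ["permission denied"]}))
SAMPLE_OK = FakeResponse(
    200,
    json.dumps({"data": {"name": "my-transit-key", "type": "rsa-2048",
                         "keys": {"1": "-----BEGIN CERTIFICATE-----..."}}}),
)

if __name__ == "__main__":
    print("no chain ->", export_chain_or_none(SAMPLE_NO_CHAIN))
    print("ok ->", export_chain_or_none(SAMPLE_OK)["name"])
    try:
        export_chain_or_none(SAMPLE_OTHER_500)
    except VaultServerError as exc:
        print("server error ->", exc)
```

Matching on the message text is a workaround for the reported status code; once the endpoint returns 404 for a missing chain, the `404` branch takes over and the message check becomes dead code that can be removed.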
