sethvargo/vault-secrets-gen

Internal server error, when generating

con-f-use opened this issue · 16 comments

I set up the plugin (v 0.1.1), running vault v 1.8.2, according to the readme.

$ cat /vault/config/
{
  "backend": {
    "file": {
      "path": "vault/data"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": false,
      "tls_cert_file": "/vault/config/vault.crt",
      "tls_key_file": "/vault/config/vault.key"
    }
  },
  "plugin_directory": "/vault/plugins",
  "ui": true
}

$ setcap cap_ipc_lock=+ep /vault/plugins/vault-secrets-gen

$ vault plugin register -sha256="ddaef75e7b7653e34e8b5efebe6253381a423428b68544cd79149deaff8b5f4e" -command="vault-secrets-gen" secret secrets-gen
Success! Registered plugin: secrets-gen

$ vault secrets enable -path="gen" -plugin-name="secrets-gen" plugin
Success! Enabled the secrets-gen secrets engine at: gen/

$ vault write gen/passphrase words=4
Error writing data to gen/passphrase: Error making API request.

URL: PUT https://......:8200/v1/gen/passphrase
Code: 500. Errors:

* 1 error occurred:
	* internal error

But all I get when trying is an internal server error.

Tried with the latest plugin version 0.1.2 as well, same result. I'm running vault from within a docker container, if that makes any difference.


What do the Vault server logs show?

No idea how to access them inside the container. Got a hint? So far I've just managed to locate /var/log/vault_audit.log which has nothing useful.

Ah wait, could it be that the container running Alpine is a problem because of musl libc?

Set the log_level to debug and then it's wherever the server is writing logs (not audit logs, operational logs). If Vault is running under systemd, it'd be journalctl. If it's running in the foreground, it'd be stdout and stderr.

Looks like I need to upgrade the plugin

Released 0.1.3.

Still have the same error with version 0.1.3 @sethvargo - you might want to re-open...

What do the server logs say? I just tried it with 1.8.2 and 1.9 (head) and it works fine:

vault write gen/passphrase words=4
Key      Value
---      -----
value    faculty-waltz-stargazer-anyhow

They say the same thing as before: https://pastebin.com/raw/8Azvu6W0

Here's what I did:

$ curl -L -o vault-secrets-gen_0.1.3.zip https://github.com/sethvargo/vault-secrets-gen/releases/download/v0.1.3/vault-secrets-gen_0.1.3_linux_amd64.zip

$ unzip vault-secrets-gen_0.1.3.zip
$ mv vault-secrets-gen_v0.1.3 plugins/vault-secrets-gen

$ sudo setcap cap_ipc_lock=+ep plugins/vault-secrets-gen  # same inside the container for good measure

$ sha256sum plugins/vault-secrets-gen 
c6c43e4ffb41d414020be0490dc16700f05df14fea96fbfd9856f7c667e35503  plugins/vault-secrets-gen

$ vault plugin register -sha256="c6c43e4ffb41d414020be0490dc16700f05df14fea96fbfd9856f7c667e35503" -command="vault-secrets-gen" secret secrets-gen
Success! Registered plugin: secrets-gen

$ vault secrets enable -path="gen" -plugin-name="secrets-gen" plugin
Success! Enabled the secrets-gen secrets engine at: gen/

$ docker-compose down; docker-compose up -d
Stopping vault-consul-docker_vault_1 ... done
Removing vault-consul-docker_vault_1 ... done
Removing network vault-consul-docker_default
Creating network "vault-consul-docker_default" with the default driver
Creating vault-consul-docker_vault_1 ... done

$ vault write gen/passphrase words=4
Error writing data to gen/passphrase: Error making API request.

URL: PUT https://10.17.36.11:8200/v1/gen/passphrase
Code: 500. Errors:

* 1 error occurred:
	* internal error

I'm not really sure. The TLS error is interesting because that's not related to this plugin. Are you sure your certs are configured correctly?

Not sure what you mean, but the cert I have in the vault config file:

$ cat config/vault-config.json 
{
  "backend": {
    "file": {
      "path": "vault/data"
    }
  },
  "listener": {
    "tcp":{
      "address": "0.0.0.0:8200",
      "tls_disable": false,
      "tls_cert_file": "/vault/config/vault.crt",
      "tls_key_file": "/vault/config/vault.key"
    }
  },
  "plugin_directory": "/vault/plugins",
  "ui": true
}

is used for the vault WebUI and by the vault-cli.

Ah wait, you are right, in the docker build log there was a warning regarding the ca-certificates. I copied it to /usr/local/share/ca-certificates/vault.crt inside the container and then ran update-ca-certificates. Now it works:

$ vault write gen/passphrase words=4
Key      Value
---      -----
value    shopping-superior-sheet-elite

Thanks for your help and very responsive correspondence!

Btw, why would the system the vault runs on have to trust the vault's certificate? That doesn't seem to be a requirement for anything else and is not mentioned in the documentation afaik.
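Why the container's own trust store matters, as an added example that is not from the issue or the plugin: a Vault plugin runs as a separate process started by Vault and calls back into Vault's HTTPS listener, so it verifies vault.crt against whatever CA bundle that process can see. The fake listener below, its /v1/sys/health handler and the pool helper names are assumptions of this example; the trust-store failure it reproduces is the unknown-authority TLS error that surfaced as the 500.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startFakeVault stands in for the Vault listener: HTTPS with a self-signed cert
// (httptest's built-in one, a constructed stand-in for vault.crt) serving /v1/sys/health.
func startFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"initialized":true,"sealed":false}`)
	})
	return httptest.NewTLSServer(mux)
}

// emptyTrustStore models the container before update-ca-certificates.
func emptyTrustStore() *x509.CertPool { return x509.NewCertPool() }

// trustVaultCert models copying vault.crt into ca-certificates and running
// update-ca-certificates: the listener's own certificate becomes a trusted root.
func trustVaultCert(leaf *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return pool
}

// probe does what the plugin process does when it calls back into Vault: an HTTPS
// request to the listener, with the server cert verified against the given roots.
func probe(addr string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(addr + "/v1/sys/health")
	if err != nil {
		return err // handshake failed; the plugin never reaches the API
	}
	resp.Body.Close()
	return nil
}

// untrustedAuthority reports whether err is the "certificate signed by unknown
// authority" verification failure, the TLS error behind the internal error.
func untrustedAuthority(err error) bool {
	var uaErr x509.UnknownAuthorityError
	return errors.As(err, &uaErr)
}
```

Running probe with emptyTrustStore() fails with the unknown-authority error, and the same call with trustVaultCert(srv.Certificate()) succeeds, which is exactly the before/after of the update-ca-certificates step.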
