Internal server error, when generating
con-f-use opened this issue · 16 comments
I set up the plugin (v 0.1.1), running vault v 1.8.2, according to the readme.
$ cat /vault/config/
{
"backend": {
"file": {
"path": "vault/data"
}
},
"listener": {
"tcp":{
"address": "0.0.0.0:8200",
"tls_disable": false,
"tls_cert_file": "/vault/config/vault.crt",
"tls_key_file": "/vault/config/vault.key"
}
},
"plugin_directory": "/vault/plugins",
"ui": true
}
$ setcap cap_ipc_lock=+ep /vault/plugins/vault-secrets-gen
$ vault plugin register -sha256="ddaef75e7b7653e34e8b5efebe6253381a423428b68544cd79149deaff8b5f4e" -command="vault-secrets-gen" secret secrets-gen
Success! Registered plugin: secrets-gen
$ vault secrets enable -path="gen" -plugin-name="secrets-gen" plugin
Success! Enabled the secrets-gen secrets engine at: gen/
$ vault write gen/passphrase words=4
Error writing data to gen/passphrase: Error making API request.
URL: PUT https://......:8200/v1/gen/passphrase
Code: 500. Errors:
* 1 error occurred:
* internal error
But all I get when trying is an internal server error.
What do the Vault server logs show?
No idea how to access them inside the container. Got a hint? So far I've just managed to locate /var/log/vault_audit.log, which has nothing useful.
Ah wait, could it be that the container running Alpine is a problem because of musl libc?
Set the log_level to debug and then it's wherever the server is writing logs (not audit logs, operational logs). If Vault is running under systemd, it'd be journalctl. If it's running in the foreground, it'd be stdout and stderr.
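Where that setting goes, as an added example that is not from the thread: the config file posted above with a top-level `log_level` key added (the rest is unchanged). With the stock container image Vault runs in the foreground, so the operational log it describes ends up on the container's stdout/stderr, which `docker logs <container>` or `docker-compose logs vault` shows.

```json
{
  "backend": {
    "file": {
      "path": "vault/data"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": false,
      "tls_cert_file": "/vault/config/vault.crt",
      "tls_key_file": "/vault/config/vault.key"
    }
  },
  "plugin_directory": "/vault/plugins",
  "log_level": "debug",
  "ui": true
}
```

Set it back to the default (`info`) once the problem is found; debug output is noisy and can include request details that do not belong in long-term logs.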
Looks like I need to upgrade the plugin
Released 0.1.3.
Still have the same error with version 0.1.3 @sethvargo - you might want to re-open...
What do the server logs say? I just tried it with 1.8.2 and 1.9 (head) and it works fine:
vault write gen/passphrase words=4
Key Value
--- -----
value faculty-waltz-stargazer-anyhow
They say the same thing as before: https://pastebin.com/raw/8Azvu6W0
Here's what I did:
$ curl -L -o vault-secrets-gen_0.1.3.zip https://github.com/sethvargo/vault-secrets-gen/releases/download/v0.1.3/vault-secrets-gen_0.1.3_linux_amd64.zip
$ unzip vault-secrets-gen_0.1.3.zip
$ mv vault-secrets-gen_v0.1.3 plugins/vault-secrets-gen
$ sudo setcap cap_ipc_lock=+ep plugins/vault-secrets-gen # same inside the container for good measure
$ sha256sum plugins/vault-secrets-gen
c6c43e4ffb41d414020be0490dc16700f05df14fea96fbfd9856f7c667e35503 plugins/vault-secrets-gen
$ vault plugin register -sha256="c6c43e4ffb41d414020be0490dc16700f05df14fea96fbfd9856f7c667e35503" -command="vault-secrets-gen" secret secrets-gen
Success! Registered plugin: secrets-gen
$ vault secrets enable -path="gen" -plugin-name="secrets-gen" plugin
Success! Enabled the secrets-gen secrets engine at: gen/
$ docker-compose down; docker-compose up -d
Stopping vault-consul-docker_vault_1 ... done
Removing vault-consul-docker_vault_1 ... done
Removing network vault-consul-docker_default
Creating network "vault-consul-docker_default" with the default driver
Creating vault-consul-docker_vault_1 ... done
$ vault write gen/passphrase words=4
Error writing data to gen/passphrase: Error making API request.
URL: PUT https://10.17.36.11:8200/v1/gen/passphrase
Code: 500. Errors:
* 1 error occurred:
* internal error
I'm not really sure. The TLS error is interesting because that's not related to this plugin. Are you sure your certs are configuring correctly?
Not sure what you mean, but the cert I have in the vault config file:
$ cat config/vault-config.json
{
"backend": {
"file": {
"path": "vault/data"
}
},
"listener": {
"tcp":{
"address": "0.0.0.0:8200",
"tls_disable": false,
"tls_cert_file": "/vault/config/vault.crt",
"tls_key_file": "/vault/config/vault.key"
}
},
"plugin_directory": "/vault/plugins",
"ui": true
}
are used for the vault WebUI and through the vault-cli.
Ah wait, you are right, in the docker build log there was a warning regarding the ca-certificates. I copied it to /usr/local/share/ca-certificates/vault.crt inside the container and then ran update-ca-certificates. Now it works:
$ vault write gen/passphrase words=4
Key Value
--- -----
value shopping-superior-sheet-elite
Thanks for your help and very responsive correspondence!
BTW, why would the system the vault runs on have to trust the vault's certificate? That doesn't seem to be a requirement for anything else and is not mentioned in the documentation AFAIK.
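The client that has to trust the listener certificate here is the plugin process, not Vault itself: Vault starts the plugin as a separate process and, during the plugin handshake, the plugin calls back to Vault's API address over that TLS listener, so it validates the certificate against the trust store of the environment Vault runs in. The following is an added example, not code from the thread or from the vault-secrets-gen project, that makes the fix above checkable before restarting anything: it tests whether a PEM certificate is already present in a CA bundle such as Alpine's /etc/ssl/certs/ca-certificates.crt. The paths are placeholders and the two certificates in the demo are constructed stand-ins, not real ones.

```shell
#!/bin/sh
# Added example (not from the issue thread or the plugin project).
# Checks whether a PEM certificate is already contained in a CA bundle,
# which is the condition the update-ca-certificates fix above establishes.
# Paths are placeholders; the demo certificates are constructed, not real.

# Print the base64 body of the first CERTIFICATE block in $1, whitespace removed.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       inb { gsub(/[ \r]/, ""); printf "%s", $0 }' "$1"
}

# Exit 0 if the first certificate in $1 appears (identical body) in bundle $2,
# 1 if it does not, 2 if $1 holds no certificate block at all.
cert_in_bundle() {
  cert_body=$(pem_body "$1")
  [ -n "$cert_body" ] || return 2
  # Emit every block body in the bundle as one line, then look for an exact match.
  awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
       /-----END CERTIFICATE-----/   { print b; inb = 0; next }
       inb { gsub(/[ \r]/, ""); b = b $0 }' "$2" | grep -qxF "$cert_body"
}

# Demonstration with constructed files (the bodies are not real certificates).
demo_dir=$(mktemp -d)
cat > "$demo_dir/vault.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWRWYXVsdExpc3RlbmVyQ2VydA==
-----END CERTIFICATE-----
EOF
cat > "$demo_dir/ca-certificates.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWRQdWJsaWNSb290Q0E=
-----END CERTIFICATE-----
EOF

if cert_in_bundle "$demo_dir/vault.crt" "$demo_dir/ca-certificates.crt"; then
  echo "vault.crt is already in the bundle"
else
  echo "vault.crt is not in the bundle; on Alpine/Debian add it with:"
  echo "  cp vault.crt /usr/local/share/ca-certificates/ && update-ca-certificates"
fi
rm -rf "$demo_dir"
```

Run it inside the container as `sh check-cert.sh` (hypothetical file name) after replacing the demo paths with /vault/config/vault.crt and /etc/ssl/certs/ca-certificates.crt; a hit means the trust store already knows the listener certificate and the 500 has another cause, a miss means the copy-and-update step above is still missing, which is worth adding to the image build so a container rebuild does not silently lose it.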
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.