Failing to unseal vault with known keys

Vladimir Baranov

Nov 18, 2016, 8:52:34 PM
to Vault
Hello Vault Channel. 

Our vault was properly set up and has worked since March. We had 5 working keys. We have also sealed and unsealed it multiple times successfully after soft restarts. Today we had to do a hard reboot on the server and can no longer unseal the vault. It is reporting that the keys are invalid.

Code: 500. Errors:

* Unseal failed, invalid key


We have attempted to restore /vault directory from the beginning of the month, but it also was not successful.

1) we are pretty certain that the keys are correct
2) we are pretty certain that no re-keying took place

Here are the dates of the keyring files, and we have unsealed it many times since then.

Sun Jul 10 13:36:43.0423330112 2016 ./core/_seal-config
Sun Jul 10 13:36:43.0425330148 2016 ./core/_keyring
Sun Jul 10 13:36:43.0426330165 2016 ./core/_master
Sun Jul 10 13:36:43.0427330182 2016 ./core/_mounts
Sun Jul 10 13:36:43.0429330216 2016 ./sys/policy/_default
Sun Jul 10 13:36:43.0431330250 2016 ./core/_auth
Sun Jul 10 13:36:43.0432330268 2016 ./sys/token/_salt
Sun Jul 10 13:36:43.0433330286 2016 ./core/_audit
Sun Jul 10 13:36:43.0435330322 2016 ./sys/token/accessor/_0f70a05737c2d0d807beef4e92a0e0daaadd6dea
Sun Jul 10 13:36:43.0436330340 2016 ./sys/token/id/_b21fc5af0a2c07cf43c27f755a176d4575dc5945

Do you have any suggestions? Version is 5.2.

Thank you

Jeff Mitchell

Nov 18, 2016, 9:57:26 PM
to vault...@googlegroups.com

Hi Vladimir,

The fact that you're also unable to unseal your backup and that you say you've done it repeatedly before leads me to think the problem is on the client side. How are you trying to unseal...API? CLI? We've seen issues in the past with people pasting unseal keys with whitespace in front or behind causing a problem (I think on the CLI we strip this, but starting somewhere in the 0.6 series.)

Other questions:

Are both the server and client 0.5.2?
What is your Vault config?
Anything in the server logs?

Best,
Jeff
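
As an added example (not part of the original thread and not Vault's own code), a small Python check for the paste problem described in the reply above: it reports whitespace and invisible characters in a key share by offset, without ever printing the share. The function names and the sample share in the test are constructed, and treating a share as hex or base64 text is an assumption about the key format.

```python
import base64
import binascii
import unicodedata
from getpass import getpass


def _hidden(ch: str) -> bool:
    # Whitespace, control characters (CR, LF, TAB) and format characters
    # (zero-width space, BOM) are invisible in a terminal paste.
    return ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")


def guess_encoding(value: str) -> str:
    """Classify the cleaned share as hex, base64 or unknown (assumed formats)."""
    if not value:
        return "unknown"
    try:
        bytes.fromhex(value)
        return "hex"
    except ValueError:
        pass
    try:
        base64.b64decode(value, validate=True)
        return "base64"
    except (binascii.Error, ValueError):
        return "unknown"


def inspect_share(raw: str) -> dict:
    """Locate hidden characters in a pasted key share without echoing it."""
    findings = [(pos, unicodedata.name(ch, f"U+{ord(ch):04X}"))
                for pos, ch in enumerate(raw) if _hidden(ch)]
    cleaned = "".join(ch for ch in raw if not _hidden(ch))
    return {"findings": findings, "cleaned_length": len(cleaned),
            "encoding": guess_encoding(cleaned)}


if __name__ == "__main__":
    # getpass keeps the share out of the terminal scrollback and shell history.
    report = inspect_share(getpass("Paste unseal key share: "))
    for pos, name in report["findings"]:
        print(f"hidden character at offset {pos}: {name}")
    print(f"{report['cleaned_length']} characters after cleaning, "
          f"looks like {report['encoding']}")
```

An "unknown" result on a share that shows no hidden characters points to a mistyped or truncated value rather than stray whitespace.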


Vladimir Baranov

Nov 18, 2016, 10:07:43 PM
to vault...@googlegroups.com
How are you trying to unseal...API? CLI? CLI

Are both the server and client 0.5.2? Yes

What is your Vault config?
[root@627581-UAT1 ~]# cat /etc/vault.d/vault.conf
backend "file" {
 path = "vault_after_restart/"
}

listener "tcp" {
 address = "172.24.48.166:8200"
 tls_disable = 1
}
[root@627581-UAT1 ~]#


Anything in the server logs? Nothing in the server logs

I also triple checked the spaces in the keys.






Vladimir Baranov
Chief Technology Officer

60 Hudson Street, Suite 1807, New York, NY 10013
