Re: [vault] Node not active and active node not found


Jeff Mitchell

May 4, 2017, 11:23:35 AM
to Vault
Hi,

I'm not sure offhand what the issue is -- upgrading may help, although at this point I'd wait for 0.7.1 as it has a different Consul fix in it and should be out very soon now. Usually though if an active node can't be found it's because the servers can't write their lock and/or active information.

I believe Consul 0.8 changed around the ACLs and some more stanzas may be required; you may want to look for Consul errors and/or errors in the Vault log that might be instructive -- see https://groups.google.com/d/msg/vault-tool/QEkAVvggf5E/EhRLYHsNBwAJ

Also, I noticed that your cluster_addr is pointing to localhost; if your Vaults are not all on the same server, you're going to want to make that address something that isn't machine-scoped.

Best,
Jeff

On Wed, May 3, 2017 at 2:24 PM, Redsmile <induja...@gmail.com> wrote:
I recently upgraded Consul to the latest version (0.8.1).

I am seeing that the vault servers that are registered to consul throw the error that node not active and active node not found.

This is my vault-config.hcl

backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault/"
  scheme = "http"
  token = "redacted"
  cluster_addr="http://127.0.0.1:8201"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

What could possibly be the issue?


Please let me know if upgrading vault to latest will fix this issue. I am currently using vault 0.6.2


Thanks in advance!

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/3c684162-8749-492b-b733-9175f9752ff8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Redsmile

May 15, 2017, 1:20:57 PM
to Vault
Hi Jeff,

I got the ACLs figured out by adding agent read permissions to the token vault was using.

To clarify, you had mentioned the following statement:

      Also, I noticed that your cluster_addr is pointing to localhost; if your Vaults are not all on the same server, you're going to want to make that address something that isn't machine-scoped.

Can you please provide an example of the cluster_addr that isn't machine scoped?

Did you mean --> cluster_addr="http://0.0.0.1:8201"

Thanks in advance.

Vishal Nayak

May 17, 2017, 3:08:04 PM
to vault...@googlegroups.com
Hi,

You should set the `cluster_addr` to an address which other Vault
nodes can reach. For example, "https://vault1.service.consul:8201".

Regards,
Vishal



--
vn
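
The distinction drawn in this thread, as an added example (not code from the thread or from Vault): a Python check that flags `cluster_addr` values no other node could use to reach this one. The function names and the sample text are assumptions constructed for illustration; a DNS name passes the check and still has to resolve from the other Vault nodes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Names and ranges that only mean something on the machine that wrote them.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # covers 0.0.0.0 and 0.0.0.1
# Matches `cluster_addr = "..."` with or without spaces around '='.
ADDR_RE = re.compile(r'^\s*cluster_addr\s*=\s*"([^"]*)"', re.MULTILINE)


def classify_host(host):
    """Return a reason string if host is machine-scoped, else None."""
    if host.lower() in LOCAL_NAMES:
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; reachability must be tested from the peers
    if ip.is_loopback:
        return "loopback address"
    if ip.version == 4 and ip in THIS_NETWORK:
        return "0.0.0.0/8 is not a routable destination"
    if ip.is_unspecified or ip.is_link_local:
        return "unspecified or link-local address"
    return None


def check_cluster_addr(config_text):
    """Return [(value, reason)] for every machine-scoped cluster_addr found."""
    findings = []
    for value in ADDR_RE.findall(config_text):
        host = urlsplit(value).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append((value, reason))
    return findings


# Constructed sample: the posted value, the value asked about in the
# follow-up, and the form suggested in the reply.
SAMPLE = '''
cluster_addr="http://127.0.0.1:8201"
cluster_addr = "http://0.0.0.1:8201"
cluster_addr = "https://vault1.service.consul:8201"
'''

if __name__ == "__main__":
    for value, reason in check_cluster_addr(SAMPLE):
        print(f"{value}: {reason}")
```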