Vault unseal fails expiration: error restoring leases: error=failed to read lease entry: decryption

Yaakov Blank

Jun 10, 2018, 4:01:40 AM
to Vault
Running vault on a virtual Windows Machine.  All was working fine until the VM crashed.

After restarting, I try to unseal and it seems to work. However, Vault immediately shuts down with the following error:
"Vault unseal fails expiration: error restoring leases: error=failed to read lease entry: decryption "

Any ideas how to correct this problem?  See vault output below.

 
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "CERT-SRV01:8200", cluster address: "10.155.123.1:8201", tls: "enabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
                 Storage: file
                 Version: Vault v0.9.0
             Version Sha: bdac1854478538052ba5b7ec9a9ec688d35a3335

==> Vault server started! Log data will stream in below:

2018/06/10 00:56:02.048083 [INFO ] core: vault is unsealed
2018/06/10 00:56:02.050040 [INFO ] core: post-unseal setup starting
2018/06/10 00:56:02.051989 [INFO ] core: loaded wrapping token key
2018/06/10 00:56:02.053953 [INFO ] core: successfully setup plugin catalog: plugin-directory=
2018/06/10 00:56:02.061753 [INFO ] core: successfully mounted backend: type=kv path=secret/
2018/06/10 00:56:02.066637 [INFO ] core: successfully mounted backend: type=system path=sys/
2018/06/10 00:56:02.071506 [INFO ] core: successfully mounted backend: type=identity path=identity/
2018/06/10 00:56:02.085207 [INFO ] core: successfully mounted backend: type=pki path=pki/
2018/06/10 00:56:02.090072 [INFO ] core: successfully mounted backend: type=pki path=ME8_KMS_Sign_CSR_CA/
2018/06/10 00:56:02.096910 [INFO ] core: successfully mounted backend: type=pki path=ME8_KMS_issue_cert_CA/
2018/06/10 00:56:02.101800 [INFO ] core: successfully mounted backend: type=pki path=ME8_KMS_Sign_OEM_CSR_CA/
2018/06/10 00:56:02.105699 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2018/06/10 00:56:02.110586 [INFO ] expiration: restoring leases
2018/06/10 00:56:02.110586 [INFO ] rollback: starting rollback manager
2018/06/10 00:56:02.114494 [ERROR] expiration: error restoring leases: error=failed to read lease entry: decryption failed: cipher: message authentication failed
2018/06/10 00:56:02.126211 [ERROR] expiration: shutting down
2018/06/10 00:56:02.115472 [INFO ] identity: entities restored
2018/06/10 00:56:02.132076 [INFO ] identity: groups restored
2018/06/10 00:56:02.134990 [INFO ] core: post-unseal setup complete
2018/06/10 00:56:02.137933 [INFO ] core: pre-seal teardown starting
2018/06/10 00:56:02.141836 [INFO ] core: cluster listeners not running
2018/06/10 00:56:02.144787 [INFO ] rollback: stopping rollback manager
2018/06/10 00:56:02.146714 [INFO ] core: pre-seal teardown complete
2018/06/10 00:56:02.148675 [INFO ] core: vault is sealed



midacts

Dec 6, 2018, 11:46:11 AM
to Vault
Anyone else having this issue?

I received this on two servers after our servers rebooted for patching.
[ERROR] expiration: error restoring leases: error="failed to read lease entry: decryption failed: cipher: message authentication failed"

midacts

Dec 6, 2018, 1:24:33 PM
to Vault

Jeff Mitchell

Dec 6, 2018, 1:36:11 PM
to Vault
Hi there,

You can be more surgical about a fix than what is in that issue; if you upgrade to 1.0.0 it'll actually show you which lease(s) are causing the issue in the logs. Keep in mind every lease you delete is something Vault won't revoke or track. In more recent versions of Vault, tokens without leases are instantly invalidated if someone attempts to use them, but that won't affect any dynamic credentials they've created.

Best,
Jeff

On Thu, Dec 6, 2018 at 1:24 PM midacts <MidActs...@gmail.com> wrote:
Fixed: https://github.com/hashicorp/vault/issues/4438
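
Added example (not part of the thread and not Vault's own code): the text `cipher: message authentication failed` in the logs above is the error Go's standard-library AES-GCM returns when an encrypted entry fails its integrity tag check. The sketch shows that a truncated or bit-flipped entry produces exactly that error even with the correct key. The all-zero key, the nonce||ciphertext layout, the sample entry and the names `newGCM`, `seal` and `checkEntry` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag (assumed layout, not Vault's on-disk format).
func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// checkEntry verifies the tag and decrypts, returning "ok" or the error text.
func checkEntry(gcm cipher.AEAD, entry []byte) string {
	n := gcm.NonceSize()
	if len(entry) < n {
		return "entry shorter than nonce"
	}
	if _, err := gcm.Open(nil, entry[:n], entry[n:], nil); err != nil {
		return err.Error()
	}
	return "ok"
}

func main() {
	gcm, err := newGCM(make([]byte, 32)) // constructed all-zero key, demo only
	if err != nil {
		panic(err)
	}
	entry, _ := seal(gcm, []byte(`{"lease":"constructed/sample"}`))
	fmt.Println("intact:   ", checkEntry(gcm, entry))
	fmt.Println("truncated:", checkEntry(gcm, entry[:len(entry)-5])) // tail lost
	entry[len(entry)/2] ^= 0x01 // one bit changed inside the ciphertext
	fmt.Println("bit flip: ", checkEntry(gcm, entry))
}
```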
