Vault Plugin Error When Registering

Dan Crisp

May 28, 2020, 9:12:42 AM
to Vault
Hello all,

I'm attempting to register a new plugin.  However, it's failing with the error below:


# vault plugin register     -sha256="${SHA256}"     -command="vault-secrets-gen"     secret secrets-gen

Error registering plugin secrets-gen: Error making API request.
URL: PUT http://lhcsrvprdvlt01.fixnetix.com:8200/v1/sys/plugins/catalog/secret/secrets-gen
Code: 500. Errors:
* 1 error occurred:
        * could not set plugin, plugin directory is not configured

At the moment, using a simple config file:

# cat config.hcl
ui = true
listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = true
}
storage "consul" {
    address = "127.0.0.1:8500"
    path    = "vault" 
}
plugin_directory = "/etc/vault.d/plugins"
disable_mlock = true
api_addr = "https://127.0.0.1:8200"


Directory and perms of plugin location:

# ll /etc/vault.d/plugins/
total 12596
-rwxr-xr-x. 1 522411 89939 12894208 Jan 16 00:26 vault-secrets-gen

# stat plugins/
  File: 'plugins/'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 530855      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_t:s0
Access: 2020-05-28 13:46:49.283103864 +0100
Modify: 2020-05-28 13:36:39.651581825 +0100
Change: 2020-05-28 13:46:40.612797544 +0100
 Birth: -

Vault version and detail:

# vault version
Vault v1.1.0 ('36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd')

# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 7.8 (Maipo)
Release:        7.8
Codename:       Maipo

Any help here please will be appreciated.

Thanks,
Dan. 

Tech S

May 28, 2020, 12:10:30 PM
to Vault
Have you tried adding a slash at the end?
Like plugin_directory = "/etc/vault.d/plugins/"

Dan Crisp

May 29, 2020, 1:33:06 AM
to Vault
Thanks for the response.  I added the additional slash, which seemed to solve the original problem but has, in turn, caused another:

# vault plugin register     -sha256="${SHA256}"     -command="vault-secrets-gen"     secret secrets-gen
Error registering plugin secrets-gen: Error making API request.
URL: PUT http://lhcsrvprdvlt01.fixnetix.com:8200/v1/sys/plugins/catalog/secret/secrets-gen
Code: 403. Errors:
* permission denied

Dan Crisp

May 29, 2020, 1:37:21 AM
to Vault
Scrap that!  My fault!  Was using an invalid token.  Still getting the original error:

# vault plugin register     -sha256="${SHA256}"     -command="vault-secrets-gen"     secret secrets-gen
Error registering plugin secrets-gen: Error making API request.
URL: PUT http://lhcsrvprdvlt01.fixnetix.com:8200/v1/sys/plugins/catalog/secret/secrets-gen
Code: 500. Errors:
* 1 error occurred:
        * could not set plugin, plugin directory is not configured


Dan Crisp

May 29, 2020, 3:30:20 AM
to Vault
Ok I managed to resolve that issue.  

Thought I was onto a winner then something else errored:

I can now list my plugin:

# vault plugin list
Plugins
-------
...
secrets-gen
...

Managed to mount accordingly:

# vault secrets list
Path              Type           Accessor                Description
----              ----           --------                -----------
cubbyhole/        cubbyhole      cubbyhole_e834aa32      per-token private secret storage
gen/              secrets-gen    secrets-gen_36e9acfa    n/a

When I attempt to write something, it fails:

# vault write gen/password length=10 symbols=0
Error writing data to gen/password: Error making API request.
URL: PUT http://lhcsrvprdvlt01.fixnetix.com:8200/v1/gen/password
Code: 500. Errors:
* 1 error occurred:
        * internal error


The logs are stating the following:

2020-05-29T08:29:02.442+0100 [ERROR] core: failed to run existence check: error="plugin exited before we could connect"
2020-05-29T08:29:33.219+0100 [INFO]  expiration: revoked lease: lease_id=sys/wrapping/wrap/h948221028ee8e33ea381b9886daee6a712cf302eea122f6e33563493ef66a867
2020-05-29T08:29:37.619+0100 [ERROR] secrets.secrets-gen.secrets-gen_36e9acfa.secrets-gen.vault-secrets-gen: plugin tls init: error="error during token unwrap request: Put https://127.0.0.1:8200/v1/sys/wrapping/unwrap: http: server gave HTTP response to HTTPS client" timestamp=2020-05-29T08:29:37.619+0100
2020-05-29T08:29:37.620+0100 [ERROR] rollback: error rolling back: path=gen/ error="plugin exited before we could connect"

Dan Crisp

May 29, 2020, 3:33:13 AM
to Vault

Clint Shryock

May 29, 2020, 7:14:31 AM
to vault...@googlegroups.com
Hey Dan -

I was able to reproduce your issue and resolve it by changing the `api_addr` in the config file from "https://" to "http://", to match your listener which has `tls_disable` set. 

Let me know if that doesn't resolve the issue for you.

Cheers,
Clint

--
In the coming weeks, inbound messages to this group will be disabled, and it will be used for outbound announcements only. To prepare for this switch, please direct questions and conversations to our primary medium to communicate with practitioners: https://discuss.hashicorp.com/c/vault/30. We look forward to collaborating with you there!
 
GitHub Issues: https://github.com/hashicorp/vault/issues
 
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/48be9f2f-e581-4e44-b630-1b943f554273%40googlegroups.com.

Clint Shryock

May 29, 2020, 7:35:23 AM
to vault...@googlegroups.com
I cut that reply a bit short, so here's some more explanation:

Plugins require `api_addr` to be set in order to communicate with Vault. In this situation, Vault is instructing the plugin to use https but Vault itself is not set up to use https and so is sending responses back without it, which triggered the error you're getting.

Cheers,
Clint
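
Added example (not part of the thread and not HashiCorp code): a small Python check for the mismatch Clint describes, comparing the scheme of api_addr with tls_disable on the tcp listener bound to the same port. It assumes a simplified regex reader rather than a full HCL parser (no nested blocks, whole-line comments only), and the sample config is constructed from the one posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the relevant keys from the config.hcl posted in the thread.
THREAD_CONFIG = '''
listener "tcp" {
    address     = "0.0.0.0:8200"
    tls_disable = true
}
plugin_directory = "/etc/vault.d/plugins"
api_addr = "https://127.0.0.1:8200"
'''

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)

def parse_listeners(text):
    """Yield (address, tls_disabled) for each tcp listener block (no nested blocks)."""
    for body in LISTENER_RE.findall(text):
        addr = re.search(r'\baddress\s*=\s*"([^"]*)"', body)
        tls = re.search(r'\btls_disable\s*=\s*"?(\w+)"?', body)
        yield (addr.group(1) if addr else "127.0.0.1:8200",
               bool(tls) and tls.group(1).lower() in ("true", "1"))

def check_api_addr(config_text):
    """Return findings as strings; an empty list means the schemes agree."""
    # Drop whole-line comments only, so the "//" inside URLs is left alone.
    text = "\n".join(l for l in config_text.splitlines()
                     if not l.lstrip().startswith(("#", "//")))
    top_level = LISTENER_RE.sub("", text)
    m = re.search(r'^\s*api_addr\s*=\s*"([^"]*)"', top_level, re.M)
    if not m:
        return ["api_addr is not set in this file"]
    url = urlparse(m.group(1))
    port = url.port or (443 if url.scheme == "https" else 80)
    findings = []
    for address, tls_disabled in parse_listeners(text):
        if address.rsplit(":", 1)[-1] != str(port):
            continue  # api_addr does not point at this listener
        expected = "http" if tls_disabled else "https"
        if url.scheme != expected:
            findings.append(
                f"api_addr is {url.scheme}:// but listener {address} has "
                f"tls_disable={str(tls_disabled).lower()}; expected {expected}://")
    return findings

if __name__ == "__main__":
    for finding in check_api_addr(THREAD_CONFIG):
        print(finding)
```

The check passes either when api_addr is changed to http:// to match the plaintext listener, as in the thread, or when TLS is enabled on the listener and api_addr stays https://.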

Dan Crisp

Jun 1, 2020, 7:44:32 AM
to Vault
Hello Clint.  Thanks for your help and explanation.  Works perfectly now!

Clint Shryock

Jun 1, 2020, 8:09:07 AM
to vault...@googlegroups.com
Great! Thanks for following up, I'm happy you got things sorted out.

Cheers,
Clint
