hvac.exceptions.InvalidRequest: client nonce mismatch even after deleting whitelist entry

KIRAN PRANEETH

Dec 27, 2016, 8:45:51 PM
to Vault
Hello All,

I manually deleted the whitelist entry for one of the EC2 instances from the Consul UI, from aws/auth/<>/whitelist/identity. But the client connection still cribs about an invalid nonce. How do we clean this up? The policy that this client loads doesn't allow instance_migration, but I thought deleting the whitelist would remove that problem. Let me know.

Thanks in Advance

Jeff Mitchell

Dec 28, 2016, 12:45:55 PM
to vault...@googlegroups.com
Hi Kiran,

You can't use the Consul UI to delete whitelist entries. There are
multiple indexes within the backend and by circumventing the backend's
call to do this you have likely put it into an inconsistent state.

You can try using the procedure in the "Handling Lost Client Nonces"
section in the docs
(https://www.vaultproject.io/docs/auth/aws-ec2.html) but if things are
in an inconsistent state it may not work, in which case you may just
need to start over with a new instance.

Best,
Jeff

KIRAN PRANEETH

Dec 28, 2016, 10:45:06 PM
to Vault
Thanks, Jeff. I launched new instances, but yeah, vault delete <whitelistendpoint> makes a lot of sense.