vault reset or un-initialize vault


Adrian Paraschiv

Aug 10, 2017, 1:17:57 AM
to Vault
Hi all

I'm trying to automate vault v0.8.0 deployment (vaultproject from Hashicorp) with a consul v0.9.1 backend.

Because it is a trial and error process I need to run "vault init" a couple of times (until I get it right) and get the keys.

Unfortunately I lost the keys and the root token.


I tried to stop vault and consul service - nothing "* Vault is already initialized" and "* Vault is sealed"


I stopped vault, removed the vault path from consul, started vault - same result - and at "vault init" I receive this error:


* expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403
 

and it's creating the vault/ path again in consul and remains sealed.


How can I "reset" vault or make it UN-initialized and start over with "vault init"?


This is the log:

Aug 10 05:01:49 TSLASOWROMM01 vault[9156]: ==> Vault server started! Log data will stream in below:
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.238436 [INFO ] core: security barrier not initialized
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.271844 [INFO ] core: security barrier initialized: shares=5 threshold=3
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.320363 [INFO ] core: post-unseal setup starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.342931 [INFO ] core: loaded wrapping token key
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.356895 [INFO ] core: successfully mounted backend: type=generic path=secret/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357342 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.357736 [INFO ] core: successfully mounted backend: type=system path=sys/
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.358293 [INFO ] rollback: starting rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.381808 [INFO ] expiration: restoring leases
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.383943 [INFO ] core: pre-seal teardown starting
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384154 [INFO ] core: cluster listeners not running
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384365 [INFO ] rollback: stopping rollback manager
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384633 [INFO ] core: pre-seal teardown complete
Aug 10 05:03:26 TSLASOWROMM01 vault[9156]: 2017/08/10 05:03:26.384909 [ERROR] core: post-unseal setup failed during init: error=expiration state restore failed: failed to scan for leases: list failed at path '': Unexpected response code: 403



James Phillips

Aug 10, 2017, 1:34:49 AM
to vault...@googlegroups.com
Hi Adrian,

We just released Consul 0.9.2 which has a fix for that 403 error, you should definitely pick that up. Vault is storing its state in Consul, so if you shut down Vault and delete Vault's key prefix in Consul things should start clean again.

-- James

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/d0430bc6-53b8-4624-85fb-728b081d9743%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
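
The reset James describes above (shut Vault down, delete its key prefix in Consul, start again), written out as a shell script. This is an added example, not code from the thread or from HashiCorp; the systemd unit name "vault" is an assumption, the prefix "vault/" is the one named in the original post, and the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: wipe a trial Vault's storage in Consul so "vault init" starts clean.
# Assumptions (not from the thread): a systemd unit named "vault"; the KV
# prefix "vault/" is the path mentioned in the original post.

VAULT_PREFIX="${VAULT_PREFIX:-vault/}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = execute them

# Consul's recursive delete is a plain string-prefix match, so reject an empty
# or leading-slash prefix (whole KV store) and one without a trailing slash
# ("vault" would also match "vault-prod/...").
valid_prefix() {
    case "$1" in
        ""|/*) return 1 ;;
        */)    return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the command in dry-run mode, otherwise run it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

reset_vault() {
    if ! valid_prefix "$VAULT_PREFIX"; then
        echo "refusing to delete prefix '$VAULT_PREFIX'" >&2
        return 1
    fi
    run systemctl stop vault &&                       # 1. shut Vault down
    run consul kv delete -recurse "$VAULT_PREFIX" &&  # 2. remove its stored state
    run systemctl start vault &&                      # 3. start it uninitialized
    run vault init                                    # 4. prints new unseal keys and root token
}

# Only act when asked explicitly: sh reset-vault.sh --reset
if [ "${1:-}" = "--reset" ]; then
    reset_vault
fi
```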

Nathan Basanese

Feb 8, 2019, 5:54:22 PM
to Vault
My blog post has a step by step way to follow James Phillips' suggestion, with screenshots:

https://dev.to/v6/how-to-reset-a-hashicorp-vault-back-to-zero-state-using-consul-ae