This repository has been archived by the owner on Jan 14, 2023. It is now read-only.

Writing GCCPCA CA Pool Config Fails with Error 500 #4

Open
GhostPratt opened this issue Feb 1, 2022 · 4 comments

Comments

@GhostPratt

Running Vault 1.9.2, with the 1.1.0 release of this plugin.

I've installed using the prebuilt binary, following the directions provided in the README. I received "Success" registering and then enabling the plugin.

I am then attempting to run the following write to the configuration, with my details filled in below, of course.

vault write gcppca/config \
    pool="my-pool" \
    location="us-central1" \
    project="your-project-id"

During the run of this command I receive the following error:
Error writing data to gcppca/config: Error making API request.

URL: PUT https://vault-address:port/v1/gcppca/config
Code: 500. Errors:

  • 1 error occurred:
    * internal error

Any assistance on this would be much appreciated, thanks!

@salrashid123
Contributor

salrashid123 commented Feb 1, 2022

If you're running Vault production locally, you should see the log output to stdout. (I'd recommend testing with the Vault dev server just to verify and test.)

Anyway, when you use Vault production, you need to register the plugin and specify a ca-cert if you're using a custom CA for TLS, as described in the repo, e.g.

-args="-ca-cert=$VAULT_CACERT"

as in

vault plugin register \
    -sha256="${SHASUM}" \
    -command="vault-plugin-secrets-gcppca" \
    -args="-ca-cert=$VAULT_CACERT" secret vault-plugin-secrets-gcppca

Also, the vault-plugin-secrets-gcppca binary needs to be executable (since the vault binary 'invokes' the plugin by running it when the path is in context).

@GhostPratt
Author

The install of the plugin has the arg pointing to the CA cert.

Checking journalctl to get the output, I got this:
plugin tls init @module: secrets.vault-plugin-secrets-gcppca.vault-plugin-secrets-gcppca_#####.vault-plugin-secrets-gcppca.vault-plugin-secrets-gcppca error during token unwrap request Error making API request. Client sent an HTTP request to an HTTPS server
error rolling back @module rollback Unrecognized remote plugin message: This usually means that the plugin is either invalid or simply needs to be recompiled to support the latest protocol path gcppca

So build from source then instead of the pre-compiled version?

@salrashid123
Contributor

Recompiling isn't necessary... I'm not sure what would cause that error (I did just verify it's working end-to-end with this config):

$ vault --version
Vault v1.9.3 (7dbdd57243a0d8d9d9e07cd01eb657369f8e1b8a)

$ sha256sum /apps/vault/plugins/vault-plugin-secrets-gcppca 
9a5fa7af21615b919394f537c7e08ac20a1a2c6cd650815f6dd9f2e1554c0949  /apps/vault/plugins/vault-plugin-secrets-gcppca

$ more /apps/vault/server.conf 
backend "file" {
  path = "/apps/vault/filebackend"
}

ui = true

listener "tcp" {
  address = "vault.domain.com:8200"
  tls_cert_file = "/apps/vault/crt_vault.pem"
  tls_key_file = "/apps/vault/key_vault.pem"
}

api_addr = "https://vault.domain.com:8200"

plugin_directory = "/apps/vault/plugins"
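The registration command earlier in the thread and the working server config above together give the three things that have to line up before `vault plugin register` succeeds: an executable plugin binary whose SHA-256 matches the registered one, a parseable CA file for `-ca-cert`, and an `api_addr` whose scheme matches the TLS listener (the "Client sent an HTTP request to an HTTPS server" line in the journal is that scheme mismatch). The script below is an added example, not code from the plugin repo or from either commenter; the paths `/apps/vault/plugins`, `/apps/vault/server.conf` and the `VAULT_CACERT` variable follow the thread, the function names and the ordering of checks are my own, and the final `vault plugin register` call is exactly the one shown above.

```shell
#!/usr/bin/env sh
# Added example (not from the plugin repo or this thread): pre-flight checks
# to run before `vault plugin register` for the gcppca plugin. Function names
# are assumptions; the vault command at the end is the one from the thread.

# Print the SHA-256 of a file (the value passed as -sha256= when registering).
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS fallback
  fi
}

# Vault executes the plugin binary itself, so it must exist and be executable.
# Returns 0 when OK, 1 when missing, 2 when not executable.
check_plugin_binary() {
  bin="$1"
  [ -f "$bin" ] || { echo "missing plugin binary: $bin" >&2; return 1; }
  [ -x "$bin" ] || { echo "not executable: $bin (chmod +x it)" >&2; return 2; }
  return 0
}

# The plugin reaches Vault's API to unwrap its token. If the listener block
# carries tls_cert_file but api_addr is not https://, the plugin speaks plain
# HTTP to a TLS listener, which is the mismatch the journal line in this
# thread reports. Returns 0 when consistent, 1 when api_addr is not https://
# behind a TLS listener. (Assumes one api_addr line in HCL `key = "value"` form.)
check_api_addr() {
  conf="$1"
  addr=$(sed -n 's/^[[:space:]]*api_addr[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
  grep -q 'tls_cert_file' "$conf" || return 0   # no TLS listener: nothing to check
  case "$addr" in
    https://*) return 0 ;;
    *) echo "listener uses TLS but api_addr is '$addr' (expected https://...)" >&2; return 1 ;;
  esac
}

# The file passed via -ca-cert must be a PEM certificate openssl can parse.
check_ca_cert() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Run every check, then register exactly as shown in the thread.
# usage: register_gcppca_plugin /apps/vault/plugins/vault-plugin-secrets-gcppca \
#            /apps/vault/server.conf "$VAULT_CACERT"
register_gcppca_plugin() {
  bin="$1"; conf="$2"; cacert="$3"
  check_plugin_binary "$bin" || return 1
  check_api_addr "$conf" || return 1
  check_ca_cert "$cacert" || { echo "cannot parse CA cert: $cacert" >&2; return 1; }
  SHASUM=$(plugin_sha256 "$bin")
  vault plugin register \
    -sha256="${SHASUM}" \
    -command="$(basename "$bin")" \
    -args="-ca-cert=$cacert" secret vault-plugin-secrets-gcppca
}
```

Each check fails loudly on stderr with the fix it expects, so the 500 "internal error" seen from `vault write` is replaced by a concrete reason before registration is attempted; `check_api_addr` deliberately reads only the HCL config, so it can be run on a host without access to the running Vault.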

@GhostPratt
Author

Alright, I'll play around some more there and see what's going on. The only thing that I could think of is that something is wrong with the CA cert, since perms and everything else look good.
