
/pki/tidy returns errors indicating that certificates are nil on some pki mounts #4177

Closed
protochron opened this issue Mar 21, 2018 · 4 comments

@protochron

Environment:

  • Vault Version: 0.7.2
  • Operating System/Architecture: Ubuntu 14.04.5

Vault Config File:

{
  "backend": {
    "file": {
      "path": "/opt/vault/data"
    }
  },
  "listener": {
    "tcp": {
      "tls_key_file": "/etc/ssl/private/vault.key",
      "tls_cert_file": "/etc/ssl/certs/vault.crt",
      "address": "0.0.0.0:8200"
    }
  }
}

Startup Log Output:
Partial output:

2018/03/20 15:40:36.159619 [INFO ] rollback: starting rollback manager
2018/03/20 15:40:36.168195 [INFO ] expiration: restoring leases
2018/03/20 15:44:26.374946 [INFO ] expire: leases restored: restored_lease_count=769535
2018/03/20 15:44:26.381820 [INFO ] core: post-unseal setup complete

Expected Behavior:
Running curl -X POST --header '...' https://${vault-server-address}:8200/v1/pki/tidy -d '{"safety_buffer": "1440h", "tidy_cert_store": true}' should successfully clean up old certificates.

Actual Behavior:

It looks like there's a single pki mount that is unable to tidy up all of the certificates. We keep seeing an error:

{"errors":["1 error occurred:\n\n* certificate entry for serial 55:93:c6:ba:32:07:92:94:84:52:09:75:94:1d:de:55:6e:49:8f:b6 is nil"]}

Having read the code, I can't figure out why we'd be seeing an issue where certificates are nil, especially when you can read the cert with the cli or by curling the pki mount after the tidy operation fails. All I can think of is that Vault is not actually able to read all of the certificates from the store or the large amount of leases that we have is somehow interfering.

Steps to Reproduce:
See above

Important Factoids:

References:

@jefferai jefferai added this to the 0.10 milestone Mar 22, 2018
@jefferai

I must admit I'm pretty stumped -- as you saw in the code, this should only happen if the actual underlying bytes for the value at that location in storage are empty. I think probably in this case we could warn and continue rather than error out, but if this function is seeing nil bytes, and fetching is seeing the full certs...I'm not sure. What storage are you using? Any chance that you're getting intermittent errors from it?
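To illustrate the "warn and continue" handling proposed above, here is an added example (not Vault's code and not part of this thread): a model tidy sweep over a constructed in-memory certificate store that records nil entries and keeps going instead of failing the whole operation, while applying the same safety_buffer semantics as the request in the report. The certStore type, tidyCerts and newTestCert are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// certStore stands in for the PKI backend's certs/<serial> entries (constructed for
// this example). A nil or empty value is exactly the condition the issue reports.
type certStore map[string][]byte

// tidyCerts deletes certificates that expired more than safetyBuffer ago. A nil entry
// is recorded in skipped and the sweep continues, instead of aborting the whole tidy
// as in the report; a value that is present but unparseable is still a hard error.
func tidyCerts(store certStore, now time.Time, safetyBuffer time.Duration) (deleted, skipped []string, err error) {
	for serial, raw := range store {
		if len(raw) == 0 {
			skipped = append(skipped, serial) // a real backend would log a warning here
			continue
		}
		cert, perr := x509.ParseCertificate(raw)
		if perr != nil {
			return deleted, skipped, fmt.Errorf("unable to parse certificate %s: %w", serial, perr)
		}
		if cert.NotAfter.Add(safetyBuffer).Before(now) {
			delete(store, serial) // deleting the current key while ranging is safe in Go
			deleted = append(deleted, serial)
		}
	}
	return deleted, skipped, nil
}

// newTestCert builds a minimal self-signed DER certificate expiring at notAfter (constructed test data).
func newTestCert(notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}
```

With a 1440h buffer, a certificate that expired 100 days ago is removed, one that expired yesterday is kept, and a nil entry is reported as skipped rather than turning into the error quoted in the report.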

@jefferai

See #4214 - if you have better ideas for how to handle this, without understanding why your entry is nil in the first place, let me know.

@jefferai

jefferai commented Apr 1, 2018

Closing due to #4214, if you prefer another approach I can re-open.

@jefferai jefferai closed this as completed Apr 1, 2018
@protochron

@jefferai sounds good! If I think of any other way to handle it then I'll let you know
