Vault TLS error keeps the vault from entering active mode

Question (votes: 0, answers: 1)

Our Vault cluster is hitting a strange problem where Vault does not enter active mode and throws some TLS errors, and I am somewhat at a loss as to what is going on. The cluster uses AWS DynamoDB as the backend.

The error looks like this (shown here in debug mode):

/usr/local/bin/vault server -config=/etc/vault.d/vault_main.hcl -log-level=debug
WARNING! The following cipher suites defined by 'tls_cipher_suites' are
blacklisted by the HTTP/2 specification:
[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA]
Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.
==> Vault server configuration:

           AWS KMS KeyID: <KMS_ID>
          AWS KMS Region: us-east-1
              HA Storage: consul
               Seal Type: awskms
             Api Address: https://vault.service.awseast.consulstage:8200
                     Cgo: disabled
         Cluster Address: https://vault.service.awseast.consulstage:8201
              Listener 1: tcp (addr: "172.21.32.10:8200", cluster address: "172.21.32.10:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: debug
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: dynamodb
                 Version: Vault v1.3.3

==> Vault server started! Log data will stream in below:

2021-04-28T16:02:11.995-0400 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2021-04-28T16:02:12.109-0400 [DEBUG] config path set: path=vault
2021-04-28T16:02:12.109-0400 [WARN]  appending trailing forward slash to path
2021-04-28T16:02:12.109-0400 [DEBUG] config disable_registration set: disable_registration=false
2021-04-28T16:02:12.109-0400 [DEBUG] config service set: service=vault
2021-04-28T16:02:12.109-0400 [DEBUG] config service_tags set: service_tags=
2021-04-28T16:02:12.109-0400 [DEBUG] config service_address set: service_address=<nil>
2021-04-28T16:02:12.109-0400 [DEBUG] config address set: address=127.0.0.1:8500
2021-04-28T16:02:12.109-0400 [DEBUG] storage.cache: creating LRU cache: size=0
2021-04-28T16:02:12.110-0400 [DEBUG] cluster listener addresses synthesized: cluster_addresses=[172.21.32.10:8201]
2021-04-28T16:02:12.147-0400 [INFO]  core: stored unseal keys supported, attempting fetch
2021-04-28T16:02:12.177-0400 [DEBUG] core: unseal key supplied
2021-04-28T16:02:12.193-0400 [DEBUG] core: starting cluster listeners
2021-04-28T16:02:12.193-0400 [INFO]  core.cluster-listener: starting listener: listener_address=172.21.32.10:8201
2021-04-28T16:02:12.193-0400 [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=172.21.32.10:8201
2021-04-28T16:02:12.193-0400 [INFO]  core: entering standby mode
2021-04-28T16:02:12.196-0400 [INFO]  core: vault is unsealed
2021-04-28T16:02:12.196-0400 [INFO]  core: unsealed with stored keys: stored_keys_used=1
2021-04-28T16:02:12.433-0400 [DEBUG] core: parsing information for new active node: active_cluster_addr=https://vault.service.awseast.consulstage:8201 active_redirect_addr=https://vault.service.awseast.consulstage:8200
2021-04-28T16:02:12.433-0400 [DEBUG] core: refreshing forwarding connection
2021-04-28T16:02:12.433-0400 [DEBUG] core: clearing forwarding clients
2021-04-28T16:02:12.433-0400 [DEBUG] core: done clearing forwarding clients
2021-04-28T16:02:12.434-0400 [DEBUG] core: done refreshing forwarding connection
2021-04-28T16:02:12.434-0400 [DEBUG] core: creating rpc dialer: host=fw-c9349236-9c5d-5c26-13c1-1a1cce4bd848
2021-04-28T16:02:12.447-0400 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=[req_fw_sb-act_v1]
2021-04-28T16:02:12.447-0400 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2021-04-28T16:02:12.447-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.447-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.447-0400 [DEBUG] core: forwarding: error sending echo request to active node: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.490-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.490-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.553-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.553-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.597-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""

Our configuration looks like this:

[root@tf-vault-server-stage-ip-172-21-32-10 tls]# cat /etc/vault.d/vault_main.hcl
cluster_name = "awseast"
max_lease_ttl = "768h"
default_lease_ttl = "768h"
api_addr = "https://vault.service.awseast.consulstage:8200"
#api_addr = "https://172.21.32.10:8200"
disable_mlock = true
ui = true

listener "tcp" {
  address = "172.21.32.10:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
  tls_min_version  = "tls12"
  tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
  tls_prefer_server_cipher_suites = "false"
  tls_disable = "false"
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-east-1"
  table      = "tf-vault-server-stage-vault-dynamodb-table"
}

ha_storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "<kms_key_id>"
}

Any help would be greatly appreciated! Thanks!

devops hashicorp-vault vault hashicorp
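A small triage script added here for this kind of log (it is not from the question and not part of Vault): it parses hclog-style lines like the ones above and reports whether the node is unsealed, whether it entered standby, which address it treats as the active node, and whether its forwarding attempts are being rejected with the "no TLS config found for ALPN" warning. The sample log is constructed to match the shape of the question's output; the reading of that warning (only a node acting as active serves the req_fw_sb-act_v1 ALPN) is an assumption drawn from Vault's request-forwarding behaviour.

```python
import re
from collections import Counter

# Constructed sample shaped like the question's debug log; not the page's full log.
SAMPLE_LOG = """\
2021-04-28T16:02:12.193-0400 [INFO]  core: entering standby mode
2021-04-28T16:02:12.196-0400 [INFO]  core: vault is unsealed
2021-04-28T16:02:12.433-0400 [DEBUG] core: parsing information for new active node: active_cluster_addr=https://vault.service.awseast.consulstage:8201 active_redirect_addr=https://vault.service.awseast.consulstage:8200
2021-04-28T16:02:12.447-0400 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=[req_fw_sb-act_v1]
2021-04-28T16:02:12.447-0400 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2021-04-28T16:02:12.447-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = transport: Error while dialing remote error: tls: internal error"
2021-04-28T16:02:12.490-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = transport: Error while dialing remote error: tls: internal error"
"""
# hclog line layout: <timestamp> [LEVEL] <component>: <message>
LINE_RE = re.compile(r"^\S+\s+\[(?P<level>[A-Z]+)\]\s+(?P<comp>[\w.-]+):\s+(?P<msg>.*)$")
ALPN_RE = re.compile(r"no TLS config found for ALPN: ALPN=\[(?P<alpn>[^\]]+)\]")
ACTIVE_RE = re.compile(r"active_cluster_addr=(?P<addr>\S+)")

def diagnose(s):
    """One-line reading of the HA state from the collected counters."""
    if not s["unsealed"]:
        return "node is sealed"
    if s["standby"] and s["forward_errors"] and "req_fw_sb-act_v1" in s["alpn_rejected"]:
        # Assumption: only a node acting as active serves the forwarding ALPN.
        return ("standby cannot forward to %s: peer has no TLS config for ALPN "
                "req_fw_sb-act_v1, so it is not acting as the active node" % s["active_cluster_addr"])
    return "standby, forwarding healthy" if s["standby"] else "no HA problem detected"

def triage(log_text):
    """Summarise what a node's debug log says about unseal, HA role and forwarding."""
    s = {"unsealed": False, "standby": False, "active_cluster_addr": None,
         "alpn_rejected": Counter(), "handshake_errors": 0, "forward_errors": 0}
    for line in log_text.splitlines():
        rec = LINE_RE.match(line)
        if rec is None:          # skip banner/config lines that are not log records
            continue
        msg = rec["msg"]
        if msg == "vault is unsealed":
            s["unsealed"] = True
        elif msg == "entering standby mode":
            s["standby"] = True
        elif (m := ACTIVE_RE.search(msg)):
            s["active_cluster_addr"] = m["addr"]
        elif (m := ALPN_RE.search(msg)):
            s["alpn_rejected"][m["alpn"]] += 1
        elif msg.startswith("error handshaking cluster connection"):
            s["handshake_errors"] += 1
        elif msg.startswith("error during forwarded RPC request"):
            s["forward_errors"] += 1
    s["diagnosis"] = diagnose(s)
    return s
```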
1 answer

0 votes

I ran into a similar problem in HA mode with DynamoDB. The way to fix it was to delete all login sessions matching this pattern

sys/expire/id/auth/<AUTHMOUNTPATH>/login/...
and it worked again. That was the only way to sort out this mess.
