Panic/crash on "unknown cert key type ssh-rsa-cert-v01@openssh.com" #2877

Closed
bkrodgers opened this issue Jun 15, 2017 · 23 comments · Fixed by #3072

@bkrodgers
Contributor

We just started using the SSH CA backend, and today Vault crashed on me with this:

Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: panic: unknown cert key type ssh-rsa-cert-v01@openssh.com
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: goroutine 1188208 [running]:
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc4205766e8, 0xc422947400, 0x48d)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc4205766e8, 0xc4230b0fa0, 0xc4205767d0, 0xc420576740)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:468 +0x34e
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).bytesForSigning(0xc422321290, 0x2696bc0, 0xc423912480, 0x20)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:438 +0x6b
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).SignCert(0xc422321290, 0x2686ac0, 0xc42000e240, 0x268ffc0, 0xc4230b0e80
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:407 +0x104
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*creationBundle).sign(0xc420576b48, 0x68f, 0x700, 0x268ffc0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:408 +0x2b1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc4204e0a00, 0xc421529500, 0xc420b25a50, 0xc422ca0a20, 0x7, 0xc42
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:177 +0x10e4
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc4204e0a00, 0xc421529500, 0xc420b25a50, 0x5010104, 0x0, 0xffffffffffffffff)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc421529500, 0xc420b25a5
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc4209fc8f0, 0xc421529500, 0xc421529500, 0xc423129664, 0x10)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc42000e870, 0xc421529500, 0x0, 0x0, 0x5000000, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:326 +0x636
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Router).Route(0xc42000e870, 0xc421529500, 0xc421529500, 0xc420e80240, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:218 +0x3a
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc4201b7c00, 0xc421529500, 0x0, 0x0, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc4201b7c00, 0xc421529500, 0x0, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.request(0xc4201b7c00, 0x2693e40, 0xc4231298a0, 0xc425391900, 0xc421529500, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:209 +0x3c
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.handleLogical.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:121 +0xfb
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f25c0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:168 +0x761
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f25e0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.(*ServeMux).ServeHTTP(0xc4203a40f0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f2620, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:86 +0xb1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f2640, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*forwardedRequestRPCServer).ForwardRequest(0xc420e68480, 0x7f511f6e9f90, 0xc424c054a0, 0xc42043b3b0, 0xc420e68
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding.go:355 +0x149
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault._RequestForwarding_ForwardRequest_Handler(0x180aea0, 0xc420e68480, 0x7f511f6e9f90, 0xc424c054a0, 0xc421532280, 
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding_service.pb.go:148 +0x28d
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc425391800, 0xc420e8
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:791 +0xc41
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).handleStream(0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc425391800, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:991 +0x15a6
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc4213e44b0, 0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:561 +0xa9
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: created by github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:562 +0xa1

I can see where in https://github.com/golang/crypto/blob/master/ssh/certs.go it throws this message with a panic. Without even worrying about how a user ended up passing in a cert that triggered that or considering if that should be a supported key type, my top concern is why it crashes the Vault instance completely. Seems like it should be caught and reported as an error without any impact on the process.

@jefferai
Member

Are you sure it crashed the Vault instance completely? Panics generally crash only the request. e.g. if I want to do some debugging on a code path and put in a panic, I can send request after request down there and each one will generate a trace, and I can run other requests with no issue.

As for why it panics, sadly the documentation for the function makes no indication that it can panic: // Type returns the key name. It is part of the PublicKey interface. Usually the Go contract is if a library can panic it must declare it.

Any chance you could send the cert, or tell us how you created it? That's a valid cert type, so I'd like to introspect such a cert. Was it created within the backend or did you pass it in?

@jefferai jefferai added this to the 0.7.4 milestone Jun 16, 2017
@bkrodgers
Contributor Author

Yeah, after the request that node stopped handling requests, and I had to restart Vault to get it back up. I didn't check to see if the process had fully died -- I suspect it did not, as systemd didn't catch it and restart it itself. But it wasn't listening on its port anymore when I tried to do vault status against it.

I need to get the key from the user that triggered this, or find out more about how he created his. I haven't yet been able to reproduce it on my own without info from them. But it did crash 3 times yesterday (hurray for HA!).

@jefferai
Member

That is odd... I've never seen a panic take down the listening port. Please do let us know about the key generation; in the meantime we can add a recover to catch the panic.

@jefferai
Member

@bkrodgers Also it'd be useful to know if the stacktraces are all the same, e.g. is it always from signing the cert, or sometimes from other functions.

jefferai added a commit that referenced this issue Jun 16, 2017
Ping #2877 -- but don't close yet in case there are more places.
@bkrodgers
Contributor Author

This is odd -- it seems like it doesn't always crash it. I see panics that didn't cause the server to go down, but when it does go down the panic stack trace is the last thing logged. The difference I see is that in the instances where it does not crash, the stack trace starts with:

 github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).runHandler.func1(0xc42000c108, 0xc420651faf, 0xc426246540)
         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:2046 +0x190
 panic(0x16eeee0, 0xc42649cb70)
         /usr/local/Cellar/go/1.8.3/libexec/src/runtime/panic.go:489 +0x2cf

In the instances where it does crash, the stack trace starts with this, which is also what comes after the above lines in non-crash events:

github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc4207de6e8, 0xc424552500, 0x48d)
         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
 github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc4207de6e8, 0xc42140a4c0, 0xc4207de7d0, 0xc4207de740)

If you want to see full logs from all three of my instances, I'm happy to email them to you.

I'm still trying to track down what's different about keys that aren't working. One of my users regenerated his before I reached him and the new one worked. And as you pointed out, ssh-rsa-cert-v01@openssh.com is a valid key type.

@bkrodgers
Contributor Author

Breakthrough!

The message that ssh-rsa-cert-v01@openssh.com was an invalid key type comes from the Type function in certs.go. Here it's looking up the certificate algorithm for a given key algorithm. The input should be, for example, ssh-rsa, but the error message (which prints the input) shows that the input was actually ssh-rsa-cert-v01@openssh.com, which is the type of value that function looks up.

I suspect that somehow a user sent a signed certificate into Vault to be signed, instead of the unsigned public key. Sure enough, if I do the command below, I can generate the panic.

vault write -field signed_key ssh/sign/<role> public_key=@$HOME/.ssh/id_rsa-cert.pub

So the root cause is user error. However, are we confident the recover will keep it from crashing? I assume so, but the inconsistent behavior on when it crashes and when it doesn't (and the slightly different stack trace I posted above) still seems odd.

@bkrodgers
Contributor Author

Also I wonder if it'd be good to do something to detect that the user passed a cert in instead of a public key and return them an error that indicates that's what they did.
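
The two mitigations discussed in this thread, a recover around the signing call and an up-front check that public_key is not already a certificate, sketched as an added example (not Vault's code and not the fix merged for this issue). It uses only the standard library to read the SSH wire-format type string; all function names are hypothetical, and stubSign is a constructed stand-in for the library call that panics.

```go
// Added example, not Vault's code. Standard library only; names are hypothetical.
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Every OpenSSH certificate key type ends with this suffix.
const certSuffix = "-cert-v01@openssh.com"

var (
	ErrMalformedKey  = errors.New("malformed public key")
	ErrIsCertificate = errors.New("public_key is an SSH certificate, not a public key")
)

// innerKeyType reads the algorithm name inside the base64 blob of a
// "<type> <base64> [comment]" line (uint32 big-endian length, then bytes).
func innerKeyType(line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", ErrMalformedKey
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil || len(blob) < 4 {
		return "", ErrMalformedKey
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if n == 0 || uint64(n) > uint64(len(blob)-4) {
		return "", ErrMalformedKey
	}
	return string(blob[4 : 4+int(n)]), nil
}

// validatePublicKey rejects certificates before they reach the signer.
func validatePublicKey(line string) error {
	keyType, err := innerKeyType(line)
	if err != nil {
		return err
	}
	if strings.HasSuffix(keyType, certSuffix) {
		return fmt.Errorf("%w (key type %q)", ErrIsCertificate, keyType)
	}
	return nil
}

// callRecovered turns a panic inside sign into an error for this request.
func callRecovered(sign func(string) (string, error), line string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = "", fmt.Errorf("recovered panic in signer: %v", r)
		}
	}()
	return sign(line)
}

// signRequest validates first, then signs under recover.
func signRequest(sign func(string) (string, error), line string) (string, error) {
	if err := validatePublicKey(line); err != nil {
		return "", err
	}
	return callRecovered(sign, line)
}

// stubSign is a constructed stand-in for the real signing call. It panics on
// certificate input with the message reported in this issue.
func stubSign(line string) (string, error) {
	keyType, err := innerKeyType(line)
	if err != nil {
		return "", err
	}
	if strings.HasSuffix(keyType, certSuffix) {
		panic("unknown cert key type " + keyType)
	}
	return "signed(" + keyType + ")", nil
}

// sampleLine builds a constructed key line: correct framing, dummy payload.
func sampleLine(keyType string) string {
	var blob []byte
	for _, s := range []string{keyType, "constructed-payload"} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		blob = append(append(blob, l[:]...), s...)
	}
	return keyType + " " + base64.StdEncoding.EncodeToString(blob) + " user@example"
}

func main() {
	for _, kt := range []string{"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"} {
		out, err := signRequest(stubSign, sampleLine(kt))
		fmt.Printf("%-30s out=%q err=%v\n", kt, out, err)
	}
}
```
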

@jefferai
Member

Hi Brian,

Thanks for all the debugging! Any chance I can get both full stacktraces?

@bkrodgers
Contributor Author

Crashes Vault:

Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: panic: unknown cert key type ssh-rsa-cert-v01@openssh.com
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: goroutine 1188208 [running]:
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc4205766e8, 0xc422947400, 0x48d)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc4205766e8, 0xc4230b0fa0, 0xc4205767d0, 0xc420576740)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:468 +0x34e
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).bytesForSigning(0xc422321290, 0x2696bc0, 0xc423912480, 0x20)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:438 +0x6b
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).SignCert(0xc422321290, 0x2686ac0, 0xc42000e240, 0x268ffc0, 0xc4230b0e80, 0xc4075de2c0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:407 +0x104
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*creationBundle).sign(0xc420576b48, 0x68f, 0x700, 0x268ffc0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:408 +0x2b1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc4204e0a00, 0xc421529500, 0xc420b25a50, 0xc422ca0a20, 0x7, 0xc422ca0a20, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:177 +0x10e4
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc4204e0a00, 0xc421529500, 0xc420b25a50, 0x5010104, 0x0, 0xffffffffffffffff)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc421529500, 0xc420b25a50, 0x0, 0x6, 0xc4209fc638)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc4209fc8f0, 0xc421529500, 0xc421529500, 0xc423129664, 0x10)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc42000e870, 0xc421529500, 0x0, 0x0, 0x5000000, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:326 +0x636
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Router).Route(0xc42000e870, 0xc421529500, 0xc421529500, 0xc420e80240, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:218 +0x3a
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc4201b7c00, 0xc421529500, 0x0, 0x0, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc4201b7c00, 0xc421529500, 0x0, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.request(0xc4201b7c00, 0x2693e40, 0xc4231298a0, 0xc425391900, 0xc421529500, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:209 +0x3c
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.handleLogical.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:121 +0xfb
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f25c0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:168 +0x761
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f25e0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.(*ServeMux).ServeHTTP(0xc4203a40f0, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f2620, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:86 +0xb1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: net/http.HandlerFunc.ServeHTTP(0xc4203f2640, 0x2693e40, 0xc4231298a0, 0xc425391900)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault.(*forwardedRequestRPCServer).ForwardRequest(0xc420e68480, 0x7f511f6e9f90, 0xc424c054a0, 0xc42043b3b0, 0xc420e68480, 0x720, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding.go:355 +0x149
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vault._RequestForwarding_ForwardRequest_Handler(0x180aea0, 0xc420e68480, 0x7f511f6e9f90, 0xc424c054a0, 0xc421532280, 0x0, 0x0, 0x0, 0xc425391400, 0xc4201601e0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding_service.pb.go:148 +0x28d
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc425391800, 0xc420e804e0, 0x26e86c0, 0x0, 0x0, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:791 +0xc41
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).handleStream(0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc425391800, 0x0)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:991 +0x15a6
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc4213e44b0, 0xc4209c4140, 0x269d760, 0xc4221ff5c0, 0xc425391800)
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:561 +0xa9
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]: created by github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
Jun 15 17:48:57 ip-10-183-2-238.ec2.internal bash[1873]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:562 +0xa1

Does not crash vault:

Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: 2017/06/15 21:15:50 http2: panic serving 10.183.1.218:2173: unknown cert key type ssh-rsa-cert-v01@openssh.com
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: goroutine 404161 [running]:
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).runHandler.func1(0xc42000cde8, 0xc420651faf, 0xc4249fae00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:2046 +0x190
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: panic(0x16eeee0, 0xc42531a4d0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/runtime/panic.go:489 +0x2cf
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc420650c00, 0xc4200e8f00, 0x48d)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc420650c00, 0xc425374980, 0xc420650ce8, 0xc420650c58)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:468 +0x34e
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).bytesForSigning(0xc42128ebb0, 0x2696bc0, 0xc4210591a0, 0x20)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:438 +0x6b
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).SignCert(0xc42128ebb0, 0x2686ac0, 0xc42000e240, 0x268ffc0, 0xc4253748c0, 0xc416a3267c, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:407 +0x104
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/builtin/logical/ssh.(*creationBundle).sign(0xc420651060, 0x68f, 0x700, 0x268ffc0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:408 +0x2b1
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc4203febc0, 0xc424016000, 0xc42537fcf0, 0xc421b9b9e0, 0x7, 0xc421b9b9e0, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:177 +0x10e4
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc4203febc0, 0xc424016000, 0xc42537fcf0, 0x8010101, 0x1, 0xffffffffffffffff)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc424016000, 0xc42537fcf0, 0x0, 0x6, 0xc420826f28)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc420827380, 0xc424016000, 0xc424016000, 0xc4253ac9e4, 0x10)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc420168f00, 0xc424016000, 0x0, 0x0, 0x3000000, 0x0, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:326 +0x636
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vault.(*Router).Route(0xc420168f00, 0xc424016000, 0xc424016000, 0xc42095a870, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:218 +0x3a
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc420425c00, 0xc424016000, 0x0, 0x0, 0x0, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc420425c00, 0xc424016000, 0x0, 0x0, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/http.request(0xc420425c00, 0x2696d00, 0xc42000cde8, 0xc42560ba00, 0xc424016000, 0x0, 0x0)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:209 +0x3c
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/http.handleLogical.func1(0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:121 +0xfb
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.HandlerFunc.ServeHTTP(0xc420440440, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:168 +0x761
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.HandlerFunc.ServeHTTP(0xc420440460, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.(*ServeMux).ServeHTTP(0xc4201698f0, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.HandlerFunc.ServeHTTP(0xc4204404a0, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:86 +0xb1
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.HandlerFunc.ServeHTTP(0xc4204404c0, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.serverHandler.ServeHTTP(0xc4201cbc30, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2568 +0x92
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.initNPNRequest.ServeHTTP(0xc420fefc00, 0xc4201cbc30, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:3088 +0x93
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.(*initNPNRequest).ServeHTTP(0xc425391df0, 0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         <autogenerated>:312 +0x74
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: net/http.(Handler).ServeHTTP-fm(0x2696d00, 0xc42000cde8, 0xc42560ba00)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/h2_bundle.go:4331 +0x4d
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).runHandler(0xc4249fae00, 0xc42000cde8, 0xc42560ba00, 0xc4253aca40)
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:2053 +0x89
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]: created by github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).processHeaders
Jun 15 21:15:50 ip-10-183-0-21.ec2.internal bash[1923]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:1787 +0x4ac

@bkrodgers
Contributor Author

bkrodgers commented Jun 19, 2017

Also, I checked out master with your patch above, and still get a panic. Message is different though. I have not seen Vault completely crash in my testing locally.

Reproduction steps, assuming you already have a cert at $HOME/.ssh/id_rsa-cert.pub. clientssh is the json structure out of the docs:

~/go/src/github.com/hashicorp/vault/bin/vault server -dev &
vault mount ssh
vault write -f ssh/config/ca
vault write ssh/roles/test @clientssh

vault write -field signed_key ssh/sign/test public_key=@$HOME/.ssh/id_rsa-cert.pub

Trace:

C02MN3HDFD57:stax-vault-2 bkrodg$ 2017/06/19 18:10:31 http: panic serving 127.0.0.1:53346: runtime error: invalid memory address or nil pointer dereference
goroutine 23 [running]:
net/http.(*conn).serve.func1(0xc4209cfea0)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1721 +0xd0
panic(0x2423c00, 0x332cec0)
	/usr/local/Cellar/go/1.8.3/libexec/src/runtime/panic.go:489 +0x2cf
github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0x0, 0xc4203d98f0, 0x13dc6fae01f0aa80)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:478 +0x26
github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.MarshalAuthorizedKey(0x32ded40, 0x0, 0x0, 0x0, 0xc42019c160)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/keys.go:264 +0x4f
github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc4209f6480, 0xc420152e00, 0xc420011e80, 0xc4208dd680, 0x4, 0xc4208dd680, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:182 +0x1119
github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc4209f6480, 0xc420152e00, 0xc420011e80, 0x6010103, 0x1, 0xffffffffffffffff)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc420152e00, 0xc420011e80, 0x0, 0x6, 0xc4206450c8)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc420645380, 0xc420152e00, 0xc420152e00, 0xc42000ae08, 0xd)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc4206b2740, 0xc420152e00, 0x0, 0x0, 0x0, 0x0, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:348 +0x636
github.com/hashicorp/vault/vault.(*Router).Route(0xc4206b2740, 0xc420152e00, 0xc420152e00, 0xc4204d8360, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:240 +0x3a
github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc4204a7800, 0xc420152e00, 0x0, 0x0, 0x0, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc4204a7800, 0xc420152e00, 0x0, 0x0, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
github.com/hashicorp/vault/http.request(0xc4204a7800, 0x32dfa80, 0xc420152d20, 0xc4208ad900, 0xc420152e00, 0x0, 0x0)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:210 +0x3c
github.com/hashicorp/vault/http.handleLogical.func1(0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:122 +0xfb
net/http.HandlerFunc.ServeHTTP(0xc42019c060, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:160 +0x1d6
net/http.HandlerFunc.ServeHTTP(0xc42019c080, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
net/http.(*ServeMux).ServeHTTP(0xc4203e5770, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
net/http.HandlerFunc.ServeHTTP(0xc42019c0c0, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
github.com/hashicorp/vault/http.wrapCORSHandler.func1(0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/cors.go:37 +0x5a0
net/http.HandlerFunc.ServeHTTP(0xc42019c0e0, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:87 +0xb1
net/http.HandlerFunc.ServeHTTP(0xc42019c100, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
net/http.serverHandler.ServeHTTP(0xc42064a000, 0x32dfa80, 0xc420152d20, 0xc4208ad900)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2568 +0x92
net/http.(*conn).serve(0xc4209cfea0, 0x32e0c00, 0xc42046dcc0)
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1825 +0x612
created by net/http.(*Server).Serve
	/usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2668 +0x2ce

@bkrodgers
Contributor Author

On the crash vs non-crash, I use request forwarding. Is it possible the difference could be that it crashes it if it's handled via request forwarding, but not if it hits the active node directly? I do see that difference now that I look at the full traces more closely.

@jefferai
Member

Yes, that's exactly what's happening.

The normal http mechanism recovers from a panic by limiting the scope to that request, but apparently grpc doesn't, so I'll have to do that myself.

@jefferai
Member

@bkrodgers any chance you'll be able to test a branch/PR?

@bkrodgers
Contributor Author

sure!

@jefferai
Member

Hi @bkrodgers,

I haven't thought of a way to test this in an automated fashion because if it kills the Vault process the tests get unhappy too, but I believe the req-forwarding-recover branch should fix this for you. Can you check?

(Note: the panic will still be logged, but it shouldn't crash the Vault listener anymore)
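The containment discussed in the comments above (recover inside the forwarded-request handler, log the panic with its stack, keep the listener alive), as an added example that is not Vault's code. It uses only the Go standard library; `contain`, `serveAll`, `signStub`, `ErrInternal` and the request paths are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"runtime/debug"
	"sync"
)

// ErrInternal is the generic, non-empty error handed back to the caller.
// The panic value and stack stay in the server log only.
var ErrInternal = errors.New("internal error: request handler panicked")

// handlerFunc stands in for a forwarded-request handler (hypothetical type).
type handlerFunc func(path string) (string, error)

type result struct {
	Resp string
	Err  error
}

// contain runs h and turns a panic into an ordinary error, so one bad
// request cannot take down the goroutine's process.
func contain(logger *log.Logger, path string, h handlerFunc) (resp string, err error) {
	defer func() {
		if r := recover(); r != nil {
			// Printf verbs are filled in here, so path and panic value
			// end up inside the message together with the stack trace.
			logger.Printf("[ERROR] forwarding: panic serving request: path=%s err=%v\n%s",
				path, r, debug.Stack())
			resp, err = "", fmt.Errorf("%w (path %s)", ErrInternal, path)
		}
	}()
	return h(path)
}

// serveAll dispatches every request on its own goroutine, the way an RPC
// server does. Without contain, a panic in any of them ends the process.
func serveAll(logger *log.Logger, paths []string, h handlerFunc) []result {
	out := make([]result, len(paths))
	var wg sync.WaitGroup
	for i, p := range paths {
		wg.Add(1)
		go func(i int, p string) {
			defer wg.Done()
			resp, err := contain(logger, p, h)
			out[i] = result{Resp: resp, Err: err}
		}(i, p)
	}
	wg.Wait()
	return out
}

// signStub is a constructed handler: one path panics like the library call
// in the traces above, the others succeed.
func signStub(path string) (string, error) {
	if path == "ssh/sign/cert-input" {
		panic("unknown cert key type (constructed)")
	}
	return "signed:" + path, nil
}

func main() {
	logger := log.New(os.Stderr, "", log.LstdFlags)
	paths := []string{"ssh/sign/ok-1", "ssh/sign/cert-input", "ssh/sign/ok-2"}
	for i, r := range serveAll(logger, paths, signStub) {
		fmt.Printf("%s -> resp=%q err=%v\n", paths[i], r.Resp, r.Err)
	}
}
```
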

@bkrodgers
Contributor Author

Been busy this morning, should be able to test later today.

@bkrodgers
Contributor Author

bkrodgers commented Jun 20, 2017

Looks like it stops the crash. I get two error messages, depending on whether I hit an active node or a standby node that does request forwarding. Not 100% sure which is which. EDIT -- stream error is from the active node, 500 with the empty message is from the standby.

Error writing data to ssh/sign/<role>: Put https://<url>/v1/ssh/sign/<role>: stream error: stream ID 1; INTERNAL_ERROR
Error writing data to ssh/sign/<role>: Error making API request.

URL: PUT https://<url>/v1/ssh/sign/<role>
Code: 500. Raw Message:

(no message shown)

As you mentioned, I still see the panic as well in my logs, but no crash. Ideally can we suppress the panic from being logged? It'd also be great if we could return a specific error for this scenario to let the user know they passed in a cert instead of an unsigned key, but if that's too much effort to detect, a general error msg instead of an empty 500 or a stream error would be fine.

@bkrodgers
Contributor Author

If useful, stack traces:

Forwarding:

Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: 2017/06/20 23:28:46.339133 [ERROR] forwarding: panic serving request for %v: %v
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: %s: /v1/ssh/sign/monuser="unknown cert key type [email protected]" goroutine 1715 [running]:
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*forwardedRequestRPCServer).ForwardRequest.func1.1(0xc4213ae7e0, 0xc4207a3ae0, 0xc42156fa00, 0xc42064d867)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding.go:365 +0xbc
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: panic(0x171ad60, 0xc4210d9190)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/runtime/panic.go:489 +0x2cf
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc42064c550, 0xc4215fa000, 0x48d)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc42064c550, 0xc4210cd4e0, 0xc42064c638, 0xc42064c5a8)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:468 +0x34e
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).bytesForSigning(0xc4201f00b0, 0x26eec80, 0xc421385620, 0x20)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:438 +0x6b
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).SignCert(0xc4201f00b0, 0x26deb40, 0xc42000e240, 0x26e8080, 0xc4210cd44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:407 +0x104
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*creationBundle).sign(0xc42064c9b0, 0xcaf, 0xd80, 0x26e8080)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:408 +0x2b1
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc42040c880, 0xc4210e36c0, 0xc4210d8660, 0xc4213b8000, 0x7, 0xc4
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:177 +0x10e4
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc42040c880, 0xc4210e36c0, 0xc4210d8660, 0x7010103, 0x0, 0xffffffffffffffff
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc4210e36c0, 0xc4210d86
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc420427a00, 0xc4210e36c0, 0xc4210e36c0, 0xc4210b77c4, 0x10)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc4201bff40, 0xc4210e36c0, 0x0, 0x0, 0x7000000, 0x0, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:348 +0x636
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Router).Route(0xc4201bff40, 0xc4210e36c0, 0xc4210e36c0, 0xc420784de0, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:240 +0x3a
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc4201f9c00, 0xc4210e36c0, 0x0, 0x0, 0x0, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc4201f9c00, 0xc4210e36c0, 0x0, 0x0, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.request(0xc4201f9c00, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00, 0xc4210e36c0, 0x0, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:210 +0x3c
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.handleLogical.func1(0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:122 +0xfb
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebd40, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:169 +0x761
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebd60, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.(*ServeMux).ServeHTTP(0xc42016b470, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebda0, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapCORSHandler.func1(0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/cors.go:37 +0x5a0
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebdc0, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:87 +0xb1
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebde0, 0x26ebf00, 0xc4210b78e0, 0xc42156fa00)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*forwardedRequestRPCServer).ForwardRequest.func1()
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding.go:371 +0xab
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*forwardedRequestRPCServer).ForwardRequest(0xc4207a3ae0, 0x7f91dc9ae9f8, 0xc4213ae630, 0xc4205182a0, 0xc4207a
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding.go:373 +0x1b2
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault._RequestForwarding_ForwardRequest_Handler(0x1839320, 0xc4207a3ae0, 0x7f91dc9ae9f8, 0xc4213ae630, 0xc4213506e0,
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_forwarding_service.pb.go:148 +0x28d
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc420642140, 0x26f58e0, 0xc42123d1a0, 0xc42156f900, 0xc4207
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:776 +0xc41
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).handleStream(0xc420642140, 0x26f58e0, 0xc42123d1a0, 0xc42156f900, 0x0)
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:976 +0x15a6
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc4210c8ac0, 0xc420642140, 0x26f58e0, 0xc42123d1a0, 0x
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:546 +0xa9
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: created by github.com/hashicorp/vault/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/google.golang.org/grpc/server.go:547 +0xa1
Jun 20 23:28:46 ip-10-183-0-128.ec2.internal bash[31671]: =[unknown!]

HTTP:

Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: 2017/06/20 23:28:45 http2: panic serving 10.183.3.182:42414: unknown cert key type [email protected]
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: goroutine 1698 [running]:
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).runHandler.func1(0xc42000d6b0, 0xc42064dfaf, 0xc421426380)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:2046 +0x190
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: panic(0x171ad60, 0xc4210d1460)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/runtime/panic.go:489 +0x2cf
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Type(0xc42064cad0, 0xc42143af00, 0x48d)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:480 +0x124
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).Marshal(0xc42064cad0, 0xc4210baf00, 0xc42064cbb8, 0xc42064cb28)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:468 +0x34e
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).bytesForSigning(0xc4214c24d0, 0x26eec80, 0xc42122fda0, 0x20)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:438 +0x6b
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh.(*Certificate).SignCert(0xc4214c24d0, 0x26deb40, 0xc42000e240, 0x26e8080, 0xc4210bae8
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/crypto/ssh/certs.go:407 +0x104
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*creationBundle).sign(0xc42064cf30, 0xcaf, 0xd80, 0x26e8080)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:408 +0x2b1
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSignCertificate(0xc42040c880, 0xc4210e3340, 0xc4210d0950, 0xc4212a0240, 0x7, 0xc4
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:177 +0x10e4
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).pathSign(0xc42040c880, 0xc4210e3340, 0xc4210d0950, 0x7010102, 0x0, 0xffffffffffffffff
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:98 +0x31b
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/builtin/logical/ssh.(*backend).(github.com/hashicorp/vault/builtin/logical/ssh.pathSign)-fm(0xc4210e3340, 0xc4210d09
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/builtin/logical/ssh/path_sign.go:38 +0x3e
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/logical/framework.(*Backend).HandleRequest(0xc420427a00, 0xc4210e3340, 0xc4210e3340, 0xc4210ab744, 0x10)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/logical/framework/backend.go:221 +0x4c8
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc4201bff40, 0xc4210e3340, 0x0, 0x0, 0x6000000, 0x0, 0x0)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:348 +0x636
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Router).Route(0xc4201bff40, 0xc4210e3340, 0xc4210e3340, 0xc420784de0, 0x0)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/router.go:240 +0x3a
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc4201f9c00, 0xc4210e3340, 0x0, 0x0, 0x0, 0x0)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:188 +0xb10
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vault.(*Core).HandleRequest(0xc4201f9c00, 0xc4210e3340, 0x0, 0x0, 0x0)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vault/request_handling.go:45 +0xc77
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.request(0xc4201f9c00, 0x26eedc0, 0xc42000d6b0, 0xc421288400, 0xc4210e3340, 0x0, 0x0)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:210 +0x3c
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.handleLogical.func1(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/logical.go:122 +0xfb
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebd40, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.handleRequestForwarding.func1(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:169 +0x761
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebd60, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.(*ServeMux).ServeHTTP(0xc42016b470, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2238 +0x130
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapHelpHandler.func1(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/help.go:22 +0x17f
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebda0, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapCORSHandler.func1(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/cors.go:37 +0x5a0
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebdc0, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/http.wrapGenericHandler.func1(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/http/handler.go:87 +0xb1
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.HandlerFunc.ServeHTTP(0xc4201ebde0, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:1942 +0x44
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.serverHandler.ServeHTTP(0xc420169ef0, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:2568 +0x92
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.initNPNRequest.ServeHTTP(0xc4205ffc00, 0xc420169ef0, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/server.go:3088 +0x93
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.(*initNPNRequest).ServeHTTP(0xc4210a9b90, 0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         <autogenerated>:312 +0x74
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: net/http.(Handler).ServeHTTP-fm(0x26eedc0, 0xc42000d6b0, 0xc421288400)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /usr/local/Cellar/go/1.8.3/libexec/src/net/http/h2_bundle.go:4331 +0x4d
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).runHandler(0xc421426380, 0xc42000d6b0, 0xc421288400, 0xc4210ab780)
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:2053 +0x89
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]: created by github.com/hashicorp/vault/vendor/golang.org/x/net/http2.(*serverConn).processHeaders
Jun 20 23:28:45 ip-10-183-0-128.ec2.internal bash[31671]:         /Users/bkrodg/go/src/github.com/hashicorp/vault/vendor/golang.org/x/net/http2/server.go:1787 +0x4ac

@jefferai
Member

I realized looking at that there was a formatting error in the log message, I've pushed up a commit to fix that; I think this should also fix having an empty message with the 500.

> Ideally can we suppress the panic from being logged? It'd also be great if we could return a specific error for this scenario to let the user know they passed in a cert instead of an unsigned key, but if that's too much effort to detect, a general error msg instead of an empty 500 or a stream error would be fine.

Panics are logged (always) when they occur so that they can be provided to us. Any panic is a bug that should be fixed, but without the stack trace it's hard to sort out what/where the issue is.

@bkrodgers
Contributor Author

> Panics are logged (always) when they occur so that they can be provided to us. Any panic is a bug that should be fixed, but without the stack trace it's hard to sort out what/where the issue is.

Normally yes, but this specific case will be logged if a user sends in a cert by mistake. I don't think that's something you want people to be filing bugs on (once we've got the crash fixed). Yes, hopefully users won't do that often, but I had more than one user do it as we rolled this out. We could also prevent the panic by adding a check on the input cert before it happens. The panic itself happens within the signing process, so a check before passing it to that function would prevent the panic entirely.

@jefferai
Member

As I said, panics are bugs that need to be fixed.

@bkrodgers
Contributor Author

Jeff -- sorry if I'm being dense here. You're saying it's still going to log the panic if a user provides this bad input, but also that panics are bugs that need to be fixed. Are you saying that the crypto library needs to fix a bug to handle this invalid input? If so, are you filing that bug? Or are you saying that yes, you'll do something in Vault to prevent the invalid input from getting as far as triggering the panic?

@jefferai
Member

@bkrodgers The latter
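
The pre-signing check discussed in this thread, as an added example that is not Vault's code and not the fix merged for this issue: it reads the key type from the SSH wire blob and returns a specific error when the input is already a certificate. `CheckUnsignedKey`, `ErrIsCertificate` and `sampleLine` are hypothetical names, and the sample key lines are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// OpenSSH certificate key types end in this suffix (e.g. ssh-rsa-cert-v01@openssh.com).
const certSuffix = "-cert-v01@openssh.com"

var ErrIsCertificate = errors.New("public_key is an SSH certificate, not an unsigned public key")

// CheckUnsignedKey (hypothetical helper) reads the key type from the wire blob of an
// authorized_keys-style line and rejects certificates before they reach the signer.
func CheckUnsignedKey(line string) error {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return errors.New(`expected "<type> <base64> [comment]"`)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return fmt.Errorf("key is not valid base64: %w", err)
	}
	if len(blob) < 4 {
		return errors.New("key blob too short")
	}
	n := binary.BigEndian.Uint32(blob[:4]) // SSH string: 4-byte big-endian length, then bytes
	if n == 0 || uint64(n) > uint64(len(blob)-4) {
		return errors.New("key type length out of range")
	}
	if t := string(blob[4 : 4+n]); strings.HasSuffix(t, certSuffix) {
		return fmt.Errorf("%w (type %q)", ErrIsCertificate, t)
	}
	return nil
}

// sampleLine builds a constructed (not real) key line: type name plus filler bytes.
func sampleLine(keyType string) string {
	blob := make([]byte, 4, 4+len(keyType)+1)
	binary.BigEndian.PutUint32(blob, uint32(len(keyType)))
	blob = append(append(blob, keyType...), 0x42) // 0x42 stands in for key material
	return keyType + " " + base64.StdEncoding.EncodeToString(blob) + " user@example"
}

func main() {
	fmt.Println(CheckUnsignedKey(sampleLine("ssh-ed25519")))
	fmt.Println(CheckUnsignedKey(sampleLine("ssh-rsa-cert-v01@openssh.com")))
}
```

The type is taken from the decoded blob rather than the leading text field, because the text label is caller-supplied and need not match what the signer will actually parse.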
