
Unable to read ecdsa-p256 transit key with audit log enabled #3041

Closed
ngunia opened this issue Jul 20, 2017 · 2 comments
ngunia commented Jul 20, 2017

I am trying to use the transit backend to sign/verify some data. To achieve this, I used an ecdsa-p256 in development and it worked great.

In a production environment, running a 2 node Vault cluster, with a 3 node Consul cluster, I am unable to read information about the transit key.

I write the key:

$ vault write -f transit/keys/my_key type=ecdsa-p256
Success! Data written to: transit/keys/my_key

When I attempt to read, I get a 500 error:

$ vault read transit/keys/my_key
Error reading transit/keys/my_key: Error making API request.

URL: GET https://<vault_addr>:8200/v1/transit/keys/my_key
Code: 500. Errors:

* internal error

I investigated the logs of my Vault node, and was able to find this:

Jul 20 15:51:18 <redacted> vault[817]: {"time":"2017-07-20T15:51:18Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"root","policies":["root"],"metadata":null},"request":{"id":"27c227eb-8d2d-6e35-0386-2cc7be751d2f","operation":"read","client_token":"hmac-sha256:635a2d3bde71a2e38830c57f255b69e3d472b4366d647fa5286881b1264108c9","client_token_accessor":"hmac-sha256:1eeb005f640ea14d63b19d60cdd2afb3024a1600485a7a5bb7a91ccf11a36238","path":"transit/keys/my_key","data":null,"remote_address":"readacted","wrap_ttl":0,"headers":{}},"error":""}
Jul 20 15:51:18 <redacted> vault[817]: 2017/07/20 15:51:18.515349 [ERROR] audit: panic during logging: request_path=transit/keys/my_key error="reflect: reflect.Value.Set using unaddressable value"

It seems that there is some issue caused by having the audit log enabled. I have the audit backend configured to write to syslog.

I am still able to sign/verify data, so this is not a huge blocker; I just ran across it in my verification that the key existed. I tested the same thing out with the default key type (aes256-gcm96) and received no such errors. If I can provide any more details, please feel free to ask.
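A reduced Go reproduction of the panic text in the log above, added here as an example; it is not Vault's code, and the thread does not show what the audit backend does internally, so the string-masking walker below is an assumption. It shows why `Set` on a value taken straight out of a map fails, and the copy-out fix.

```go
package main

import (
	"fmt"
	"reflect"
)

func mask(s string) string { return "hmac-sha256:<" + s + ">" } // constructed stand-in for the HMAC step

// walk rewrites every string leaf of a map[string]interface{} tree in place.
// Values from MapIndex, and the Elem() of an interface, are never addressable, so
// Set panics on them; fixed=true copies each entry out and stores it back instead.
func walk(v reflect.Value, fixed bool) {
	if v.Kind() == reflect.Interface && !v.IsNil() {
		v = v.Elem() // the dynamic value; unaddressable even when v itself is
	}
	switch v.Kind() {
	case reflect.String:
		v.Set(reflect.ValueOf(mask(v.String()))) // panics unless v is addressable
	case reflect.Map:
		for _, k := range v.MapKeys() {
			e := v.MapIndex(k)
			if !fixed {
				walk(e, false) // buggy path: the first string leaf panics
				continue
			}
			d := reflect.ValueOf(e.Interface()) // concrete value behind the interface{}
			c := reflect.New(d.Type()).Elem()   // fresh, addressable copy of it
			c.Set(d)
			walk(c, true)
			v.SetMapIndex(k, c)
		}
	}
}

func auditCopy(resp map[string]interface{}, fixed bool) (err error) { // reports any panic as an error
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%v", r)
		}
	}()
	walk(reflect.ValueOf(resp), fixed)
	return nil
}

func main() { // constructed response shaped like a transit key read; placeholder values
	resp := map[string]interface{}{"type": "ecdsa-p256", "keys": map[string]interface{}{"1": "<pem>"}}
	fmt.Println(auditCopy(resp, false)) // reflect: reflect.Value.Set using unaddressable value
	fmt.Println(auditCopy(resp, true), resp["type"]) // <nil> hmac-sha256:<ecdsa-p256>
}
```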

joelthompson (Contributor) commented

Hi @ngunia -- this looks to be a duplicate of #2958 which should be fixed in the next version.


ngunia commented Jul 20, 2017

@joelthompson Yes, looks the same to me. Sorry for the dupe, I'll close this one.

ngunia closed this as completed Jul 20, 2017