
Error 500 on Azure AKS

Open valeriocapponi opened this issue 2 years ago • 2 comments

Hello,

I have Vault 1.11.2 running on a Kubernetes cluster in Azure. I have successfully deployed and registered the plugin. However, when I try to use it I get this error:

Error writing data to gen/password: Error making API request.

URL: PUT https://(the public url):8200/v1/gen/password
Code: 500. Errors:

* 1 error occurred:
        * internal error

And in the logs on the active node I can see:

2022-08-18T15:54:28.206Z [ERROR] secrets.secrets-gen.secrets-gen_fed2857e.secrets-gen.vault-secrets-gen: plugin tls init: error="error during token unwrap request: Put \"https://10.*.*.105:8200/v1/sys/wrapping/unwrap\": x509: certificate is valid for 127.0.0.1, (the public url), not 10.*.*.105" timestamp=2022-08-18T15:54:28.206Z
2022-08-18T15:54:28.207Z [ERROR] rollback: error rolling back: path=gen/
  error=
  | Unrecognized remote plugin message: 
  | 
  | This usually means that the plugin is either invalid or simply
  | needs to be recompiled to support the latest protocol.
  
2022-08-18T15:54:28.207Z [INFO]  secrets.secrets-gen.secrets-gen_fed2857e.secrets-gen: plugin process exited: path=/usr/local/libexec/vault/vault-secrets-gen pid=28581

It basically looks like the unwrap is using the internal pod IP address instead of the public one.

valeriocapponi, Aug 18 '22 16:08

@valeriocapponi you are correct. I just hit this issue myself. Breaking on the IP, as the IP isn't a SAN.

jessequinn, Sep 27 '22 15:09

@valeriocapponi simple fix. You need to update your api_addr to point to what the certificates are accepting. My case was a domain; yours looks like your certs were for 127.0.0.1 (localhost).

jessequinn, Sep 27 '22 16:09
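The x509 error in the log and the api_addr fix in the last comment come down to one check: the host in api_addr must appear in the listener certificate's Subject Alternative Names, because the plugin's unwrap call dials that address and verifies the certificate against it. The following is an added example, not code from the issue or from the vault-secrets-gen project. It builds a constructed self-signed certificate with the same SAN shape as in the thread (127.0.0.1 plus a public hostname, no pod IP; the hostname `vault.example.com` and pod IP `10.0.0.105` are placeholders), then runs Go's own hostname verification against the host extracted from candidate api_addr values. Use it as a pre-flight check on your real certificate before pointing api_addr somewhere the cert does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// makeCert builds a constructed, throw-away self-signed certificate carrying
// only the given DNS and IP SANs. It stands in for the Vault listener cert.
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckAPIAddr extracts the host part of a Vault api_addr URL and reports
// whether the certificate's SANs cover it. A non-nil error is the same class
// of failure the plugin hit during "token unwrap request" in the issue.
func CheckAPIAddr(apiAddr string, cert *x509.Certificate) error {
	u, err := url.Parse(apiAddr)
	if err != nil {
		return fmt.Errorf("bad api_addr %q: %w", apiAddr, err)
	}
	return cert.VerifyHostname(u.Hostname())
}

func main() {
	// Constructed SAN set mirroring the issue: loopback and a public name only.
	cert, err := makeCert([]string{"vault.example.com"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		panic(err)
	}
	for _, addr := range []string{
		"https://10.0.0.105:8200",         // pod IP: not a SAN, fails like the log line
		"https://127.0.0.1:8200",          // loopback SAN: passes
		"https://vault.example.com:8200",  // public name SAN: the working api_addr
	} {
		if err := CheckAPIAddr(addr, cert); err != nil {
			fmt.Printf("api_addr %-32s REJECTED: %v\n", addr, err)
		} else {
			fmt.Printf("api_addr %-32s ok\n", addr)
		}
	}
}
```

To run this against a real listener certificate, replace makeCert with a PEM decode of the cert file referenced by the Vault listener block and pass each candidate api_addr value to CheckAPIAddr; only a value that returns nil will let the plugin's unwrap round-trip succeed.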