Our Vault cluster has run into a strange problem where Vault does not enter active mode and throws some TLS errors, and I'm a bit at a loss as to what is going on. The cluster uses AWS DynamoDB as the backend.
The errors look like this (shown here in debug mode):
/usr/local/bin/vault server -config=/etc/vault.d/vault_main.hcl -log-level=debug
WARNING! The following cipher suites defined by 'tls_cipher_suites' are
blacklisted by the HTTP/2 specification:
[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA]
Please see https://tools.ietf.org/html/rfc7540#appendix-A for further information.
==> Vault server configuration:
AWS KMS KeyID: <KMS_ID>
AWS KMS Region: us-east-1
HA Storage: consul
Seal Type: awskms
Api Address: https://vault.service.awseast.consulstage:8200
Cgo: disabled
Cluster Address: https://vault.service.awseast.consulstage:8201
Listener 1: tcp (addr: "172.21.32.10:8200", cluster address: "172.21.32.10:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
Log Level: debug
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: dynamodb
Version: Vault v1.3.3
==> Vault server started! Log data will stream in below:
2021-04-28T16:02:11.995-0400 [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
2021-04-28T16:02:12.109-0400 [DEBUG] config path set: path=vault
2021-04-28T16:02:12.109-0400 [WARN] appending trailing forward slash to path
2021-04-28T16:02:12.109-0400 [DEBUG] config disable_registration set: disable_registration=false
2021-04-28T16:02:12.109-0400 [DEBUG] config service set: service=vault
2021-04-28T16:02:12.109-0400 [DEBUG] config service_tags set: service_tags=
2021-04-28T16:02:12.109-0400 [DEBUG] config service_address set: service_address=<nil>
2021-04-28T16:02:12.109-0400 [DEBUG] config address set: address=127.0.0.1:8500
2021-04-28T16:02:12.109-0400 [DEBUG] storage.cache: creating LRU cache: size=0
2021-04-28T16:02:12.110-0400 [DEBUG] cluster listener addresses synthesized: cluster_addresses=[172.21.32.10:8201]
2021-04-28T16:02:12.147-0400 [INFO] core: stored unseal keys supported, attempting fetch
2021-04-28T16:02:12.177-0400 [DEBUG] core: unseal key supplied
2021-04-28T16:02:12.193-0400 [DEBUG] core: starting cluster listeners
2021-04-28T16:02:12.193-0400 [INFO] core.cluster-listener: starting listener: listener_address=172.21.32.10:8201
2021-04-28T16:02:12.193-0400 [INFO] core.cluster-listener: serving cluster requests: cluster_listen_address=172.21.32.10:8201
2021-04-28T16:02:12.193-0400 [INFO] core: entering standby mode
2021-04-28T16:02:12.196-0400 [INFO] core: vault is unsealed
2021-04-28T16:02:12.196-0400 [INFO] core: unsealed with stored keys: stored_keys_used=1
2021-04-28T16:02:12.433-0400 [DEBUG] core: parsing information for new active node: active_cluster_addr=https://vault.service.awseast.consulstage:8201 active_redirect_addr=https://vault.service.awseast.consulstage:8200
2021-04-28T16:02:12.433-0400 [DEBUG] core: refreshing forwarding connection
2021-04-28T16:02:12.433-0400 [DEBUG] core: clearing forwarding clients
2021-04-28T16:02:12.433-0400 [DEBUG] core: done clearing forwarding clients
2021-04-28T16:02:12.434-0400 [DEBUG] core: done refreshing forwarding connection
2021-04-28T16:02:12.434-0400 [DEBUG] core: creating rpc dialer: host=fw-c9349236-9c5d-5c26-13c1-1a1cce4bd848
2021-04-28T16:02:12.447-0400 [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=[req_fw_sb-act_v1]
2021-04-28T16:02:12.447-0400 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2021-04-28T16:02:12.447-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.447-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.447-0400 [DEBUG] core: forwarding: error sending echo request to active node: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.490-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.490-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.553-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.553-0400 [ERROR] core: forward request error: error="error during forwarding RPC request"
2021-04-28T16:02:12.597-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
Our configuration looks like this:
[root@tf-vault-server-stage-ip-172-21-32-10 tls]# cat /etc/vault.d/vault_main.hcl
cluster_name = "awseast"
max_lease_ttl = "768h"
default_lease_ttl = "768h"
api_addr = "https://vault.service.awseast.consulstage:8200"
#api_addr = "https://172.21.32.10:8200"
disable_mlock = true
ui = true
listener "tcp" {
address = "172.21.32.10:8200"
tls_cert_file = "/etc/vault.d/tls/vault.crt"
tls_key_file = "/etc/vault.d/tls/vault.key"
tls_min_version = "tls12"
tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
tls_prefer_server_cipher_suites = "false"
tls_disable = "false"
}
storage "dynamodb" {
ha_enabled = "true"
region = "us-east-1"
table = "tf-vault-server-stage-vault-dynamodb-table"
}
ha_storage "consul" {
address = "127.0.0.1:8500"
path = "vault"
}
seal "awskms" {
region = "us-east-1"
kms_key_id = "<kms_key_id>"
}
Any help would be greatly appreciated! Thanks!
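Added example, not part of the original post: a small Python triage helper for the two things visible above. It splits the post's tls_cipher_suites value into the suites Vault will accept for HTTP/2 and the ones it warned about (the filter keeps only ECDHE key exchange with an AEAD cipher, a conservative subset of what RFC 7540 Appendix A permits, which is exact for this config's list), and it summarises the standby-to-active forwarding failure from a constructed excerpt of the log lines.

```python
import re

# Constructed excerpt of the log lines quoted in the post (not the complete log).
SAMPLE_LOG = """\
2021-04-28T16:02:12.193-0400 [INFO] core: entering standby mode
2021-04-28T16:02:12.433-0400 [DEBUG] core: parsing information for new active node: active_cluster_addr=https://vault.service.awseast.consulstage:8201 active_redirect_addr=https://vault.service.awseast.consulstage:8200
2021-04-28T16:02:12.447-0400 [WARN] core.cluster-listener: no TLS config found for ALPN: ALPN=[req_fw_sb-act_v1]
2021-04-28T16:02:12.447-0400 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2021-04-28T16:02:12.447-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
2021-04-28T16:02:12.490-0400 [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing remote error: tls: internal error""
"""

# The tls_cipher_suites value from the post's vault_main.hcl.
CONFIGURED_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
)


def http2_safe_suites(csv):
    """Split a tls_cipher_suites string into (keep, drop).
    Keeps only ECDHE + AEAD (GCM / ChaCha20) suites; static-RSA and CBC suites are
    the ones RFC 7540 Appendix A blacklists and Vault warns about at startup."""
    keep, drop = [], []
    for suite in (s.strip() for s in csv.split(",") if s.strip()):
        aead = "_GCM_" in suite or "CHACHA20" in suite
        (keep if suite.startswith("TLS_ECDHE_") and aead else drop).append(suite)
    return keep, drop


LINE = re.compile(r"^(?P<ts>\S+) \[(?P<level>\w+)\] (?P<msg>.*)$")


def triage_forwarding(log_text):
    """Summarise a standby node's attempt to reach the active node: which cluster
    address it dialled, whether the cluster listener rejected the ALPN handshake,
    and how many forwarded RPCs died with a TLS error."""
    summary = {"mode": None, "active_cluster_addr": None,
               "alpn_rejected": False, "tls_internal_errors": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip banner/config lines that are not timestamped log records
        msg = m["msg"]
        if "entering standby mode" in msg:
            summary["mode"] = "standby"
        addr = re.search(r"active_cluster_addr=(\S+)", msg)
        if addr:
            summary["active_cluster_addr"] = addr.group(1)
        if "no TLS config found for ALPN" in msg:
            summary["alpn_rejected"] = True
        if "forwarded RPC request" in msg and "tls: internal error" in msg:
            summary["tls_internal_errors"] += 1
    return summary
```

If the summary shows the node in standby, the ALPN rejection on its own cluster listener, and the active_cluster_addr equal to the name this node itself serves, the next thing to check is what that name resolves to from this host.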