
Vault startup fails when tls enabled towards consul backend in case of IPv6 consul address. #3267

Closed
bharath-b23 opened this issue Aug 31, 2017 · 1 comment


@bharath-b23
Contributor

bharath-b23 commented Aug 31, 2017

Environment:
Vault v0.7.3 ('5758f3b00bcd2b4bf08d2ddf12eed7831721144b+CHANGES')
Red Hat Enterprise Linux Server release 7.3 (Maipo)

Vault Config File:
backend "consul" {
  address = "[]:8500"
  path = "vaultdata/"
  scheme = "https"
  service = "vault"
  tls_ca_file = "/tmp/ca.crt"
  tls_cert_file = "/tmp/vault.crt"
  tls_key_file = "/tmp/vault.pem"
}

listener "tcp" {
  address = "[]:8200"
  tls_disable = 0
  tls_cert_file = "/tmp/vault.crt"
  tls_key_file = "/tmp/vault.pem"
  tls_min_version = "tls12"
}

disable_mlock = false
default_lease_ttl = 0
max_lease_ttl = 0

Startup Log Output:
Error detecting redirect address: Get https://[2a00:8123:a123:1190:0:1234:0:3954]:8500/v1/agent/self: x509: certificate is valid for 2a00:8123:a123:1190:0:1234:0:3954, not [2a00
Error initializing core: missing redirect address

Expected Behavior:
Vault should have come up.

Actual Behavior:
vault fails to come up.

Steps to Reproduce:
Using the above-mentioned HCL file and giving a proper IPv6 address, the issue can be reproduced.

Important Factoids:

References:

When we analysed the issue, we observed that for the ServerName set in Transport.TLSClientConfig, the IPv6 address parsing logic results in setting the wrong IP address.

FileName : github.com/hashicorp/vault/physical/consul.go

func setupTLSConfig(conf map[string]string) (*tls.Config, error) {
  serverName := strings.Split(conf["address"], ":")
  .......
  tlsClientConfig := &tls.Config{
    MinVersion: tlsMinVersion,
    InsecureSkipVerify: insecureSkipVerify,
    ServerName: serverName[0],
  }

When the above code is analysed, parsing an IPv6 address using the separator ":" splits the IPv6 address into multiple parts, and only the first element in the slice ([2a00) is assigned to serverName.

We made the below changes in the same function to get it working.

func setupTLSConfig(conf map[string]string) (*tls.Config, error) {
  idx := strings.LastIndex(conf["address"], ":")
  serverName := (conf["address"])[0:idx]
  ....................
  tlsClientConfig := &tls.Config{
    MinVersion: tlsMinVersion,
    InsecureSkipVerify: insecureSkipVerify,
    ServerName: serverName,
  }

The above change is working for us and seems to be working fine.
If the above change seems fine, please let me know if this change can be upstreamed and the changes made available.

Regards,
Bharath B
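The failure in the startup log is Go's hostname check rejecting the ServerName "[2a00" against a certificate whose SAN is the full IPv6 address. The following is an added, stand-alone example (not code from the issue or from Vault) that reproduces the split-on-colon parsing beside a host extraction built on net.SplitHostPort, and shows both against a throwaway self-signed certificate carrying the IPv6 SAN from the log. The helper names (serverNameNaive, serverNameForTLS, selfSignedIPCert, hostnameMatches) and the P-256 test certificate are assumptions made for the example; the derivation also accepts an address without a port, a case the text does not discuss.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// serverNameNaive mirrors the parsing the issue describes: split the address
// on ":" and keep the first element. Fine for "consul.internal:8500", but a
// bracketed IPv6 literal yields "[2a00". Reproduction only; do not use.
func serverNameNaive(address string) string {
	return strings.Split(address, ":")[0]
}

// serverNameForTLS returns the host part of a Consul "host:port" address for
// use as tls.Config.ServerName (hypothetical helper). net.SplitHostPort
// understands bracketed IPv6 literals. An address without a port is accepted
// as a bare host name or IP literal; anything else is an error, so
// verification never silently runs against the wrong name.
func serverNameForTLS(address string) (string, error) {
	host, _, err := net.SplitHostPort(address)
	if err == nil {
		if host == "" {
			return "", fmt.Errorf("consul address %q: empty host", address)
		}
		return host, nil
	}
	// No usable port: strip optional brackets and accept a plain IP literal
	// or a host name with no stray colons.
	bare := strings.TrimSuffix(strings.TrimPrefix(address, "["), "]")
	if bare != "" && (net.ParseIP(bare) != nil || !strings.Contains(bare, ":")) {
		return bare, nil
	}
	return "", fmt.Errorf("consul address %q: %w", address, err)
}

// selfSignedIPCert builds a throwaway certificate whose only SAN is the given
// IP, standing in for the Consul server certificate from the issue (constructed
// test data, not a real certificate).
func selfSignedIPCert(ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "consul"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{ip},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameMatches reports whether the certificate passes Go's hostname check
// for the given ServerName; this is the check that failed in the startup log.
func hostnameMatches(cert *x509.Certificate, serverName string) bool {
	return cert.VerifyHostname(serverName) == nil
}

func main() {
	const addr = "[2a00:8123:a123:1190:0:1234:0:3954]:8500" // address from the issue
	cert, err := selfSignedIPCert(net.ParseIP("2a00:8123:a123:1190:0:1234:0:3954"))
	if err != nil {
		panic(err)
	}
	naive := serverNameNaive(addr)
	fixed, err := serverNameForTLS(addr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive ServerName %q matches: %v\n", naive, hostnameMatches(cert, naive))
	fmt.Printf("fixed ServerName %q matches: %v\n", fixed, hostnameMatches(cert, fixed))
}
```

A name that fails VerifyHostname here fails the real handshake in the same way, so this is a cheap way to check a parsing change before wiring it into the Consul client; the empty-host and unparseable cases are returned as errors rather than falling through to an empty ServerName.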

@jefferai
Member

Patches need to be submitted via PR. If you want us to consider a patch please open a PR instead. Thanks!
