search

Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visiblity to the enterprise.
Mozilla Public License 2.0
19 stars 9 forks source link

Unrecognized remote plugin message: plugin is either invalid or simply needs to be recompiled #80

Closed faisalrazzak closed 1 year ago

faisalrazzak commented 3 years ago

PROBLEM SUMMARY

I am using Enterprise Vault 1.8 on a Ubuntu 20 system and trying to deploy venafi-pki-monitor plugin. However, I keep getting the following error message for **vault path-help** command: 

`Error retrieving help: Error making API request.

URL: GET https://HVE1.lab.securafi.net:8200/v1/npkim?help=1
Code: 500. Errors:

* 1 error occurred:
        * Unrecognized remote plugin message:

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.`

STEPS TO REPRODUCE

  1. Downloaded the latest version of plugin and registered it with vault.
  2. Registration is successful.
  3. Enable the secret engine path
  4. Run the vault path-help <pki-engine-path>

EXPECTED RESULTS

The command should show help for the path.

ACTUAL RESULTS

`Error retrieving help: Error making API request.

URL: GET https://HVE1.lab.securafi.net:8200/v1/npkim?help=1
Code: 500. Errors:

* 1 error occurred:
        * Unrecognized remote plugin message:

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.`

ENVIRONMENT DETAILS

  1. Ubuntu 20 (Linux HVE1.lab.securafi.net 5.4.0-42-generic x86_64 x86_64 x86_64 GNU/Linux)
  2. Enterprise Vault 1.8.2 (Vault v1.8.2+ent (bf22e1eb262e59f08bb8a1374dc726ab93830178))
  3. venafi-pki-monitor plugin

COMMENTS/WORKAROUNDS

This error is not limited to these versions. I have observed this behavior with other Vault/Plugin versions as well. All steps outlined in Vault's plugin documentation were also followed.

tr1ck3r commented 3 years ago

@faisalrazzak we've found the most common cause of this error has been a mismatch between the x86/x64 architecture of the vault binary and that of the vault-pki-monitor binary. Can you please confirm you are using the Linux amd64 version of Vault Enterprise v1.8.2 with the vault-pki-monitor binary that has the following SHA256SUM?

977980444b0509e425877f484f234c71de4379781c7cdfc38bc487702a5e714d

I was able to get that combination of binaries to work fine my Ubuntu test system.

faisalrazzak commented 3 years ago

@tr1ck3r I was able to resolve the issue for my environment. Everytime, I had used the same version of plugin with checksum 977980444b0509e425877f484f234c71de4379781c7cdfc38bc487702a5e714d.

This issue does manifest from time to time in different environments. It would be nice to ask HashiCorp to identify all reasons when vault throws: Unrecognized remote plugin message: plugin is either invalid or simply needs to be recompiled.

tr1ck3r commented 3 years ago

Great to hear @faisalrazzak Did you see the extra step if mlock is enabled that is documented here? Did you execute the setcap command or have disable_mlock set to true for your Vault (the latter is not recommended for production)?

I believe this is the code responsible for generating that error: https://github.com/hashicorp/go-plugin/blob/d555eeb4b4a65f16bdfd9fb2edc74b7ebd1f7744/client.go#L688-L699

luispresuelVenafi commented 1 year ago

I'm closing this issue as it seems it was originated from user's environment and an error related to the plugin itself.