immutability-io / vault-ethereum

A plugin that turns Vault into an Ethereum wallet.

Error when installing vault-ethereum plugin #59

Closed selimyanat closed 5 years ago

selimyanat commented 5 years ago

Detailed Description

I am trying to test vault-ethereum as a solution to replace a home-made app that signs and sends transactions to the blockchain. In this context, I have checked out the vault-ethereum source code and built it. However, I am not able to install it in Vault. I am getting the following error when I run the command:

vault write sys/plugins/catalog/ethereum-plugin \
   sha_256="${SHASUM256}" \
   command="vault-ethereum --ca-cert=$HOME/etc/vault/file/root.crt --client-cert=$HOME/etc/vault/file/vault.crt --client-key=$HOME/etc/vault/file/vault.key" 
Error writing data to sys/plugins/catalog/ethereum-plugin: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/plugins/catalog/ethereum-plugin
Code: 500. Errors:

* 1 error occurred:
    * rpc error: code = Unknown desc = timeout waiting for connection info

The log file says that the CA is unknown, though I have added and trusted it in the keychain:

2019-03-21T14:55:01.027+0100 [INFO]  http: TLS handshake error from 127.0.0.1:59317: EOF
2019-03-21T14:55:01.030+0100 [INFO]  http: TLS handshake error from 127.0.0.1:59318: EOF
2019-03-21T14:55:54.459+0100 [INFO]  core: vault is unsealed
2019-03-21T14:55:54.459+0100 [INFO]  core.cluster-listener: starting listener: listener_address=127.0.0.1:8201
2019-03-21T14:55:54.460+0100 [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2019-03-21T14:55:54.460+0100 [INFO]  core: post-unseal setup starting
2019-03-21T14:55:54.460+0100 [INFO]  core: loaded wrapping token key
2019-03-21T14:55:54.461+0100 [INFO]  core: upgrading plugin information: plugins=[]
2019-03-21T14:55:54.461+0100 [INFO]  core: successfully setup plugin catalog: plugin-directory=/Users/selim/etc/vault/file/plugins
2019-03-21T14:55:54.461+0100 [INFO]  core: successfully mounted backend: type=system path=sys/
2019-03-21T14:55:54.461+0100 [INFO]  core: successfully mounted backend: type=identity path=identity/
2019-03-21T14:55:54.462+0100 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2019-03-21T14:55:54.463+0100 [INFO]  core: successfully enabled credential backend: type=token path=token/
2019-03-21T14:55:54.536+0100 [WARN]  auth.example-auth-plugin.auth_example-auth-plugin_c2d56764.example-auth-plugin: error closing client during Kill: metadata=true err="rpc error: code = Canceled desc = grpc: the client connection is closing"
2019-03-21T14:55:54.537+0100 [INFO]  core: successfully enabled credential backend: type=example-auth-plugin path=example/
2019-03-21T14:55:54.537+0100 [INFO]  rollback: starting rollback manager
2019-03-21T14:55:54.537+0100 [INFO]  core: restoring leases
2019-03-21T14:55:54.538+0100 [INFO]  expiration: lease restore complete
2019-03-21T14:55:54.538+0100 [INFO]  identity: entities restored
2019-03-21T14:55:54.538+0100 [INFO]  identity: groups restored
2019-03-21T14:55:54.538+0100 [INFO]  core: post-unseal setup complete
2019-03-21T14:56:20.283+0100 [INFO]  http: TLS handshake error from 127.0.0.1:59324: remote error: tls: unknown certificate authority
2019-03-21T14:56:32.541+0100 [WARN]  received plugin exited before we could connect attempting as db plugin, attempting as auth/secret plugin
2019-03-21T14:56:54.665+0100 [INFO]  expiration: revoked lease: lease_id=sys/wrapping/wrap/h171b892f8ff7e2dd5554da672b16eb89bb4d9670144204d9690179f83a2d62ab
2019-03-21T15:04:27.634+0100 [WARN]  received plugin exited before we could connect attempting as db plugin, attempting as auth/secret plugin

I have used the materials in vault-ethereum/helper/install_vault.sh to generate the certificates.

The request traced in the audit log is shown below:

{
  "time": "2019-03-21T17:13:12.269035Z",
  "type": "request",
  "auth": {
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "metadata": null,
    "entity_id": "",
    "token_type": "service"
  },
  "request": {
    "id": "010a5627-32b1-2ddf-3c8a-392c2b09232d",
    "operation": "update",
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "client_token_accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "namespace": {
      "id": "root",
      "path": ""
    },
    "path": "sys/plugins/catalog/ethereum-plugin",
    "data": {
      "command": "hmac-sha256:d8e3a02e349f030613315e9c49d2030ff1c6a44c064acc78b67a9fa66807b975",
      "sha_256": "hmac-sha256:62999780515d3a938c2b8a0d57eec9ef6588b859c7153b9dc09bb1c2b5355af7"
    },
    "policy_override": false,
    "remote_address": "127.0.0.1",
    "wrap_ttl": 0,
    "headers": {

    }
  },
  "error": ""
}
{
  "time": "2019-03-21T17:13:17.458343Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "metadata": null,
    "entity_id": "",
    "token_type": "service"
  },
  "request": {
    "id": "010a5627-32b1-2ddf-3c8a-392c2b09232d",
    "operation": "update",
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "client_token_accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "namespace": {
      "id": "root",
      "path": ""
    },
    "path": "sys/plugins/catalog/ethereum-plugin",
    "data": {
      "command": "hmac-sha256:d8e3a02e349f030613315e9c49d2030ff1c6a44c064acc78b67a9fa66807b975",
      "sha_256": "hmac-sha256:62999780515d3a938c2b8a0d57eec9ef6588b859c7153b9dc09bb1c2b5355af7"
    },
    "policy_override": false,
    "remote_address": "127.0.0.1",
    "wrap_ttl": 0,
    "headers": {

    }
  },
  "response": {
    "headers": null
  },
  "error": "1 error occurred:\n\t* rpc error: code = Unknown desc = timeout waiting for connection info\n\n"
}

Your Environment

MacOS Mojave
Vault 1.1.0

The vault config file:

"default_lease_ttl" = "24h"
"disable_mlock" = "true"
"max_lease_ttl" = "24h"
"ui" = "true"

"backend" "file" {
  "path" = "/Users/selim/var/lib/vault/file/data"
}

"api_addr" = "https://localhost:8200"

listener "tcp" {
 "address"     = "127.0.0.1:8200"
 "tls_cert_file" = "/Users/selim/etc/vault/file/vault.crt"
 "tls_client_ca_file" = "/Users/selim/etc/vault/file/root.crt"
 "tls_key_file" = "/Users/selim/etc/vault/file/vault.key"
}

"plugin_directory" = "/Users/selim/etc/vault/file/plugins"

The env variables : env | grep VAULT

VAULT_HOME=/Users/selim/opt/vault
VAULT_ADDR=https://127.0.0.1:8200
VAULT_CACERT=/Users/selim/etc/vault/file/root.crt

cypherhat commented 5 years ago

I haven't tested with the latest release of Vault yet. I will this weekend. Possibly, I will have to re-release the plugin based on changes to Vault.

My suggestion is to use a version of Vault < 1.1.0. I will let you know my experience with 1.1.0 later.

selimyanat commented 5 years ago

All right, thank you. I will let you know about my progress as well.

selimyanat commented 5 years ago

Hello there, I have downgraded Vault to version 0.11.3 and I managed to go further in the installation, but I could not enable the plugin. Running the command below

vault secrets enable -path=ethereum -description="Immutability's Ethereum Wallet" -plugin-name=ethereum-plugin plugin

produces the following log

2019-03-22T15:33:10.250+0100 [DEBUG] secrets.plugin.plugin_d024ecf4.ethereum-plugin: starting plugin: metadata=true path=/Users/selim/etc/vault/file/plugins/vault-ethereum args="[/Users/selim/etc/vault/file/plugins/vault-ethereum --tls-skip-verify --ca-cert=/Users/selim/etc/vault/file/root.crt --client-cert=/Users/selim/etc/vault/file/vault.crt \
   --client-key=/Users/selim/etc/vault/file/vault.key]"
2019-03-22T15:33:10.253+0100 [DEBUG] secrets.plugin.plugin_d024ecf4.ethereum-plugin: waiting for RPC address: metadata=true path=/Users/selim/etc/vault/file/plugins/vault-ethereum
2019-03-22T15:33:10.285+0100 [DEBUG] secrets.plugin.plugin_d024ecf4.ethereum-plugin.vault-ethereum: plugin address: metadata=true address=/var/folders/p0/kyz821fx23dfh2wq6wgk67_w0000gn/T/plugin722266914 network=unix timestamp=2019-03-22T15:33:10.285+0100
2019-03-22T15:33:10.285+0100 [TRACE] secrets.plugin.plugin_d024ecf4.ethereum-plugin: setup: transport=gRPC status=started
2019-03-22T15:33:15.290+0100 [TRACE] secrets.plugin.plugin_d024ecf4.ethereum-plugin: setup: transport=gRPC status=finished err="rpc error: code = Unknown desc = timeout waiting for connection info" took=5.005082611s
2019-03-22T15:33:15.290+0100 [ERROR] secrets.system.system_a10c9e43: mount failed: path=ethereum-plugin/ error="rpc error: code = Unknown desc = timeout waiting for connection info"

The audit log produces:

{
  "time": "2019-03-22T14:33:15.291436Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:c3a13acb2a66d323030857c0d846a06fc62b540c310f923cb981de0aba5a18e7",
    "accessor": "hmac-sha256:82721cb10bdb40d1b7773adcd53d0a12bfaf738df2e53d8396a8b50b2129ba25",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "metadata": null,
    "entity_id": ""
  },
  "request": {
    "id": "2d9b217f-de92-9c47-0fcc-a7d909c8e724",
    "operation": "update",
    "client_token": "hmac-sha256:c3a13acb2a66d323030857c0d846a06fc62b540c310f923cb981de0aba5a18e7",
    "client_token_accessor": "hmac-sha256:82721cb10bdb40d1b7773adcd53d0a12bfaf738df2e53d8396a8b50b2129ba25",
    "namespace": {
      "id": "root",
      "path": ""
    },
    "path": "sys/mounts/ethereum-plugin",
    "data": {
      "plugin_name": "hmac-sha256:d56d111ae02d61148b2da5b2615581272cfd93aa035e96558d9b62ada0c196ca",
      "type": "hmac-sha256:842f9fd3eebbcca077043da0c637575dcbd4f45c400ccad531f58bd487ba2c75"
    },
    "policy_override": false,
    "remote_address": "127.0.0.1",
    "wrap_ttl": 0,
    "headers": {

    }
  },
  "response": {
    "data": {
      "error": "hmac-sha256:5af5367a3b685ce3e4e29d36e86621f25b497d79b2343c4983793c672aaf443a"
    }
  },
  "error": "1 error occurred:\n\n* invalid request"
}

You can see that the messages in the logs are not the same: one is arguing that the request is invalid whereas the other is complaining about a connection timeout. Note that I am using the root token for my tests.

Let me know if you need more clarification.

Thank you
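
Added example (not from the issue or the vault-ethereum project): a Python reader for audit output like the entries quoted in this thread, which pairs each failed response with its request through request.id and reports the path, the elapsed time and the error text. The sample is constructed from trimmed copies of those entries, and the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: trimmed copies of audit entries quoted in this issue,
# written back to back ("}{") the way they were pasted.
SAMPLE = r'''{"time": "2019-03-21T17:13:12.269035Z", "type": "request", "error": "",
 "request": {"id": "010a5627-32b1-2ddf-3c8a-392c2b09232d", "path": "sys/plugins/catalog/ethereum-plugin"}}{
 "time": "2019-03-21T17:13:17.458343Z", "type": "response",
 "request": {"id": "010a5627-32b1-2ddf-3c8a-392c2b09232d", "path": "sys/plugins/catalog/ethereum-plugin"},
 "error": "1 error occurred:\n\t* rpc error: code = Unknown desc = timeout waiting for connection info\n\n"}
{"time": "2019-03-22T14:33:15.291436Z", "type": "response",
 "request": {"id": "2d9b217f-de92-9c47-0fcc-a7d909c8e724", "path": "sys/mounts/ethereum-plugin"},
 "error": "1 error occurred:\n\n* invalid request"}'''

def iter_entries(text):
    """Yield each JSON object from a stream of concatenated objects."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace itself
        else:
            obj, pos = decoder.raw_decode(text, pos)
            yield obj

def parse_time(ts):
    """Parse the UTC timestamp format shown above, capped at microseconds."""
    head, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)

def failed_requests(text):
    """Pair each failed response with its request entry via request.id."""
    started, failures = {}, []
    for entry in iter_entries(text):
        req, when = entry["request"], parse_time(entry["time"])
        if entry["type"] == "request":
            started[req["id"]] = when
        elif entry.get("error"):
            begun = started.get(req["id"])  # None when the request entry is missing
            failures.append({
                "id": req["id"], "path": req["path"],
                "seconds": (when - begun).total_seconds() if begun else None,
                "error": " ".join(entry["error"].split()),
            })
    return failures

if __name__ == "__main__":
    for failure in failed_requests(SAMPLE):
        print(failure)
```

On the sample, the catalog write shows about 5.19 seconds between request and response, which lines up with the roughly five-second gRPC setup timeout in the server log; the second entry has no request entry to pair with, so its elapsed time is reported as None.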

cypherhat commented 5 years ago

I tested this afternoon:

OS: Mojave 10.14.3
Golang: go1.12 darwin/amd64
Vault: Vault v1.1.0 ('36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd')

I built the plugin after I pulled the latest vault and go-ethereum code.

$ vault write sys/plugins/catalog/ethereum-plugin \
        sha_256="$(shasum -a 256 "$HOME/etc/vault.d/vault_plugins/vault-ethereum" | cut -d' ' -f1)" \
        command="vault-ethereum --ca-cert=$HOME/etc/vault.d/root.crt --client-cert=$HOME/etc/vault.d/vault.crt --client-key=$HOME/etc/vault.d/vault.key"

$ vault secrets enable -path=ethereum/prod -description="Immutability's Ethereum Wallet - PROD" -plugin-name=ethereum-plugin plugin

$ vault write ethereum/prod/config rpc_url="https://mainnet.infura.io" chain_id="1" api_key=$MY_API_KEY

Everything worked.

$ vault write ethereum/prod/convert unit_from=eth amount=1 unit_to=usd
Key            Value
---            -----
amount_from    1
amount_to      137.737830017
unit_from      ether
unit_to        usd

cypherhat commented 5 years ago

I will re-release the binary today.

selimyanat commented 5 years ago

Hello there,

I have updated the source and given it another try; unfortunately I always have the same error described in my original message. I am not a Vault expert, but it is as if Vault is not able to communicate with the plugin. Is there an issue with the certificate generation? Or am I missing something? Note that the warning message below appears whenever invoking the command to write the plugin in Vault:

received plugin exited before we could connect attempting as db plugin, attempting as auth/secret plugin

selimyanat commented 5 years ago

So it turned out that the command to register a plugin in Vault > 1.0 should include the plugin type:

vault write sys/plugins/catalog/secret/ethereum-plugin \
command="vault-ethereum --ca-cert=/Users/selim/etc/vault/file/root.crt --client-cert=/Users/selim/etc/vault/file/vault.crt \
   --client-key=/Users/selim/etc/vault/file/vault.key" sha_256=9c60deec1d20264d69e88bd6e42dcc75a323fee9bd699fdc70ffe93d731f3032

Success! Data written to: sys/plugins/catalog/secret/ethereum-plugin

However, the command to enable the plugin is not working; it gives a 400 HTTP code:

vault secrets enable -path=ethereum-api -description="Immutability's Ethereum Wallet" ethereum-plugin
Error enabling: Error making API request.

URL: POST https://localhost:8200/v1/sys/mounts/ethereum-api
Code: 400. Errors:

* rpc error: code = Unknown desc = timeout waiting for connection info

The logs

2019-03-25T19:53:32.046+0100 [TRACE] secrets.ethereum-plugin.ethereum-plugin_58936b78.ethereum-plugin: setup: transport=gRPC status=started
2019-03-25T19:53:37.048+0100 [TRACE] secrets.ethereum-plugin.ethereum-plugin_58936b78.ethereum-plugin: setup: transport=gRPC status=finished err="rpc error: code = Unknown desc = timeout waiting for connection info" took=5.001443042s
2019-03-25T19:53:37.048+0100 [ERROR] secrets.system.system_4ba6fc24: mount failed: path=ethereum-api/ error="rpc error: code = Unknown desc = timeout waiting for connection info"

The audit log

{
  "time": "2019-03-25T18:53:37.049039Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "metadata": null,
    "entity_id": "",
    "token_type": "service"
  },
  "request": {
    "id": "59f69044-cc0f-5b3f-2c4d-d12f90985e2c",
    "operation": "update",
    "client_token": "hmac-sha256:e6d899de896cf18f232bae0f4d1c96495296c89536e58cd7aa28c80359ec8ae3",
    "client_token_accessor": "hmac-sha256:eaebdc29a3400595b1e77cc667545c1c80c6d0ab4c09181d73941fc5a0ce4960",
    "namespace": {
      "id": "root",
      "path": ""
    },
    "path": "sys/mounts/ethereum-api",
    "data": {
      "config": {
        "default_lease_ttl": "hmac-sha256:8955ad6bac76f49f628889c71625b44a2ab3823be867320ff1007d2cc2bb6d61",
        "force_no_cache": false,
        "max_lease_ttl": "hmac-sha256:8955ad6bac76f49f628889c71625b44a2ab3823be867320ff1007d2cc2bb6d61",
        "options": null
      },
      "description": "hmac-sha256:5d0d9bc126695aad21be6d2574942684f1d67db7a27aa581c6577725dd44c6b8",
      "local": false,
      "options": null,
      "seal_wrap": false,
      "type": "hmac-sha256:c906fe92c4ced2164320c0707ead2a5c73f29f4e3c98e1a31762ee44feb5d86d"
    },
    "policy_override": false,
    "remote_address": "127.0.0.1",
    "wrap_ttl": 0,
    "headers": {

    }
  },
  "response": {
    "data": {
      "error": "hmac-sha256:fbc5664a6bdcf4a463839d2dd6c6aae54d4dd0b0b01c86a555e9c73f75998bae"
    },
    "headers": null
  },
  "error": "1 error occurred:\n\t* invalid request\n\n"
}

selimyanat commented 5 years ago

Update on the issue: I have managed to install and enable the plugin through the following command:

vault write sys/plugins/catalog/secret/ethereum-plugin \
command="vault-ethereum --ca-cert=/Users/selim/etc/vault/file/root.crt --client-cert=/Users/selim/etc/vault/file/vault.crt \
   --client-key=/Users/selim/etc/vault/file/vault.key" sha_256="${SHASUM256}"
vault secrets enable ethereum-plugin

Success! Enabled the ethereum-plugin secrets engine at: ethereum-plugin/

In order to enable the plugin with Vault 1.1.0 you need to update the go-plugin dependency to the latest version to overcome a bug introduced in the previous versions.

Once I have everything up and running, I will issue a PR.

cypherhat commented 5 years ago

Fixed: https://github.com/immutability-io/vault-ethereum/releases/tag/v0.2.8