This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Fetching TLSAuth key from KV v2 backend fails #9

Closed
mkozjak opened this issue Jan 11, 2019 · 5 comments


mkozjak commented Jan 11, 2019

Hello! First of all, thank you for this fine piece of work!

Everything except fetching of TLS Auth keys works okay for me. Might be I'm missing something.

$ vault kv list secret
Keys
----
ovpn

$ vault kv get secret/ovpn
====== Metadata ======
Key              Value
---              -----
created_time     2019-01-11T22:43:26.927529385Z
deletion_time    n/a
destroyed        false
version          2

=== Data ===
Key    Value
---    -----
key    #
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
6f9db5c020e93a87ceac29c7329ad836
2b9859e077748b4bfbf841a2e605a1d7
..................
-----END OpenVPN Static key V1-----

When running

vault-openvpn --log-level debug --auto-revoke --vault-addr="http://192.168.1.2:8200" \
--vault-token="foo" --pki-role="ovpn-example-com" \
--ovpn-key secret/ovpn --pki-mountpoint="pki" server srv.ovpn.example.com

I get

INFO[0000] Revoked certificate                           cn=srv.ovpn.example.com serial="30:39:45:95:6........:8a"
DEBU[0000] Generated new certificate                     cn=srv.ovpn.example.com serial="23:b1:14........3:df:68:b3"
Error: Could not fetch TLSAuth key: Got no data from backend
Usage:
...

Any ideas why?

Luzifer (Owner) commented Jan 12, 2019

Just a wild first guess: Is your secret a KV v2 mount? It looks like something changed there...

mkozjak (Author) commented Jan 12, 2019

$ vault kv put secret/ovpn [email protected]

Key              Value
---              -----
created_time     2019-01-12T12:58:17.592727145Z
deletion_time    n/a
destroyed        false
version          1

$ vault secrets list -detailed

Path          Plugin       Accessor              Default TTL    Max TTL    Force No Cache    Replication    Seal Wrap    Options           Description
----          ------       --------              -----------    -------    --------------    -----------    ---------    -------           -----------
cubbyhole/    cubbyhole    cubbyhole_929bfe78    n/a            n/a        false             local          false        map[]             per-token private secret storage
identity/     identity     identity_428983a3     system         system     false             replicated     false        map[]             identity store
secret/       kv           kv_4c723ec7           system         system     false             replicated     false        map[version:2]    key/value secret storage
sys/          system       system_60d1aacb       n/a            n/a        false             replicated     false        map[]             system endpoints used for control, policy and debugging

$ vault kv get secret/ovpn

====== Metadata ======
Key              Value
---              -----
created_time     2019-01-12T12:58:17.592727145Z
deletion_time    n/a
destroyed        false
version          1

=== Data ===
Key    Value
---    -----
key    #
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----

Yeah, v2.

vault version
Vault v1.0.1 ('08df121c8b9adcc2b8fd55fc8506c3f9714c7e61')

https://github.com/hashicorp/vault/blob/df18871704fe869e9be45b542a6b1eb2fe46c293/command/kv_test.go

Seems like kv/read/<secret_name> should be called now.

@Luzifer Luzifer added the bug label Jan 12, 2019
@Luzifer Luzifer changed the title Error: Could not fetch TLSAuth key: Got no data from backend Fetching TLSAuth key from KV v2 backend fails Jan 12, 2019
Luzifer added a commit that referenced this issue Feb 14, 2019
refs #9

Signed-off-by: Knut Ahlers <[email protected]>
Luzifer (Owner) commented Feb 14, 2019

I'm sorry this bug waited that long until I finally addressed the issue. Though there is a new version v1.9.0 which has a fix for KV v2 backends. Please have a look at the bottom of the README how to specify the path when using a v2 backend.

As I've only constructed a test-case at my side (I'm not using v2 backends normally) please have a look whether the new version works with your v2 configuration and let me know whether the fix works properly.
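The root cause the thread settles on is the KV v2 API layout: on a v2 mount the read endpoint is `<mount>/data/<secret>` rather than `<mount>/<secret>`, and the key/value pairs come back nested under `data.data` next to a `data.metadata` block, so a client that reads the v1 path gets an empty response ("Got no data from backend"). The following is an added, stand-alone example (not vault-openvpn's own code, which uses the HashiCorp client library) showing the two pieces such a client needs: choosing the read path from the mount's `version` option, as `vault secrets list -detailed` reports it, and unwrapping a v1 versus a v2 response, including the v2 case where a soft-deleted version still answers with metadata but a null data object. The mount table, the JSON bodies and the short placeholder key are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Constructed mount table in the shape `vault secrets list -detailed`
// shows it (Options map[version:2]); a real client would query the API.
var mounts = map[string]int{
	"secret/": 2,
	"kv/":     1,
}

// Constructed read responses, trimmed of request_id/lease fields.
const v1Body = `{"data":{"key":"-----BEGIN OpenVPN Static key V1-----\n00112233\n-----END OpenVPN Static key V1-----"}}`
const v2Body = `{"data":{"data":{"key":"-----BEGIN OpenVPN Static key V1-----\n00112233\n-----END OpenVPN Static key V1-----"},` +
	`"metadata":{"created_time":"2019-01-11T22:43:26Z","deletion_time":"","destroyed":false,"version":2}}}`
const v2Deleted = `{"data":{"data":null,"metadata":{"created_time":"2019-01-11T22:43:26Z","deletion_time":"2019-01-12T00:00:00Z","destroyed":false,"version":2}}}`

// kvReadPath maps a logical path such as "secret/ovpn" to the API path
// under /v1/. Only KV v2 inserts the "data/" segment; reading the v1-style
// path on a v2 mount yields no data, which is the error in this issue.
func kvReadPath(logical string, mounts map[string]int) (string, error) {
	logical = strings.TrimPrefix(logical, "/")
	var mount string
	for m := range mounts { // longest matching mount prefix wins
		if strings.HasPrefix(logical, m) && len(m) > len(mount) {
			mount = m
		}
	}
	if mount == "" {
		return "", fmt.Errorf("no KV mount for %q", logical)
	}
	rel := strings.TrimPrefix(logical, mount)
	if mounts[mount] == 2 {
		return path.Join(mount, "data", rel), nil
	}
	return path.Join(mount, rel), nil
}

// kvSecret is the caller-facing result: the pairs plus the v2 version
// number (0 on a v1 mount, which has no versions).
type kvSecret struct {
	Data    map[string]interface{}
	Version int
}

// parseKVRead unwraps a read response. KV v1 keeps the pairs at .data;
// KV v2 nests them at .data.data and puts version state at .data.metadata.
func parseKVRead(body []byte, version int) (*kvSecret, error) {
	var outer struct {
		Data json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(body, &outer); err != nil {
		return nil, err
	}
	if len(outer.Data) == 0 || string(outer.Data) == "null" {
		return nil, errors.New("got no data from backend")
	}
	if version != 2 {
		var kv map[string]interface{}
		if err := json.Unmarshal(outer.Data, &kv); err != nil {
			return nil, err
		}
		return &kvSecret{Data: kv}, nil
	}
	var v2 struct {
		Data     map[string]interface{} `json:"data"`
		Metadata struct {
			Version      int    `json:"version"`
			Destroyed    bool   `json:"destroyed"`
			DeletionTime string `json:"deletion_time"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(outer.Data, &v2); err != nil {
		return nil, err
	}
	// A soft-deleted or destroyed version still answers 200 with metadata
	// but a null data object; report it instead of returning an empty map.
	if v2.Data == nil || v2.Metadata.Destroyed || v2.Metadata.DeletionTime != "" {
		return nil, fmt.Errorf("secret version %d is deleted or destroyed", v2.Metadata.Version)
	}
	return &kvSecret{Data: v2.Data, Version: v2.Metadata.Version}, nil
}

// tlsAuthKey extracts the "key" field as a string, as an OpenVPN tls-auth
// lookup needs; a v2 body parsed as v1 fails here because "key" is nested.
func tlsAuthKey(s *kvSecret) (string, error) {
	v, ok := s.Data["key"].(string)
	if !ok || v == "" {
		return "", errors.New(`secret has no string field "key"`)
	}
	return v, nil
}

func main() {
	p, err := kvReadPath("secret/ovpn", mounts)
	if err != nil {
		panic(err)
	}
	fmt.Println("read path:", p)
	s, err := parseKVRead([]byte(v2Body), mounts["secret/"])
	if err != nil {
		panic(err)
	}
	key, err := tlsAuthKey(s)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version %d, key begins %q\n", s.Version, strings.SplitN(key, "\n", 2)[0])
}
```

The mount version comes from the mount's options rather than from guessing at the path, because the same logical path is valid on both engine versions and only the response shape tells them apart; a client that cannot list mounts can instead call the `sys/internal/ui/mounts/<path>` endpoint that the `vault kv` CLI uses for this preflight.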

@Luzifer Luzifer self-assigned this Feb 14, 2019
mkozjak (Author) commented Feb 15, 2019

No hurries/worries, I've switched to easy-rsa. Hopefully someone will pick up on this one!

Luzifer (Owner) commented Feb 15, 2019

In that case my constructed test must suffice as long as no one reports issues with this again. Thanks for the quick reply!

@Luzifer Luzifer closed this as completed Feb 15, 2019