I have been attempting to carry out a tidy on a vault cluster with
vault write pki/tidy tidy_cert_store=true tidy_revoked_certs=true
The clean-up of certificates has progressed without issues in 2 environments. This has been carried out against the Vault leader in all cases. However, in our production environment the same command has resulted in an error. When looking at the status of the tidy, we get the following response.
vault read pki/tidy-status
Key Value
--- -----
cert_store_deleted_count 44997
cross_revoked_cert_deleted_count 0
current_cert_store_count <nil>
current_revoked_cert_count <nil>
error error fetching certificate "{Cert-Key}": decryption failed: cipher: message authentication failed
internal_backend_uuid {UUID}
issuer_safety_buffer 31536000
message Tidying certificate store: checking entry 294279 of 2231139
missing_issuer_cert_count 0
pause_duration 0s
revocation_queue_deleted_count 0
revoked_cert_deleted_count 0
safety_buffer 259200
state Error
tidy_cert_store true
tidy_cross_cluster_revoked_certs false
tidy_expired_issuers false
tidy_move_legacy_ca_bundle false
tidy_revocation_queue false
tidy_revoked_cert_issuer_associations false
tidy_revoked_certs true
time_finished 2023-10-17T10:55:19.520252663Z
time_started 2023-10-17T10:30:56.371675097Z
I have not been able to work out what action to take to resolve the relevant certificate and am unable to read the problem cert for the same reason as given above.
vault read pki/cert/{Cert-Key}
Error reading pki/cert/{Cert-Key}: Error making API request.
URL: GET https://{Server-Address}:8200/v1/pki/cert/{Cert-Key}
Code: 500. Errors:
* error fetching certificate {Cert-Key}: decryption failed: cipher: message authentication failed
The config.hcl for the server is as follows:
storage "raft" {
  node_id = "{Node-1-ID}"
  path = "/var/vault"
  retry_join {
    leader_api_addr = "https://{node-2-ip}:8200"
    leader_ca_cert_file = "{path-to-cert}"
  }
  retry_join {
    leader_api_addr = "https://{node-3-ip}:8200"
    leader_ca_cert_file = "{path-to-cert}"
  }
}
seal "awskms" {
  kms_key_id = "{Kms-key-id}"
  region = "eu-west-2"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "{path-to-cert}"
  tls_key_file = "{path-to-key}"
}
telemetry {
  prometheus_retention_time = "10m"
  disable_hostname = true
}
api_addr = "https://{node-1-ip}:8200"
cluster_addr = "https://{node-1-ip}:8201"
disable_mlock = true
If anyone can advise how to resolve the error "error fetching certificate {Cert-Key}: decryption failed: cipher: message authentication failed", or point me to how to resolve tidy errors in general, it would be extremely useful.
Vault version being run is 1.13.5.
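Before deciding what to do about the failing entry, it helps to know whether it is the only one: tidy stops at the first unreadable certificate, so there may be others behind it. The following added script (not from the original post or from Vault) lists the serials under the pki mount and attempts to read each one, recording which reads fail with the same decryption message. It assumes VAULT_ADDR and VAULT_TOKEN are set and the mount is named pki as in the post.

```python
import json
import os
import urllib.error
import urllib.request

# The exact message reported by tidy-status and by "vault read pki/cert/<serial>" in the post.
DECRYPT_MARKER = "decryption failed: cipher: message authentication failed"


def classify_error(body):
    """Return 'decrypt' if a Vault error body carries the barrier-decryption message, else 'other'."""
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        errors = [body if isinstance(body, str) else ""]
    return "decrypt" if any(DECRYPT_MARKER in e for e in errors) else "other"


def find_unreadable(serials, read_cert):
    """Call read_cert(serial) -> (http_status, body) for each serial; map failing serials to a category."""
    unreadable = {}
    for serial in serials:
        status, body = read_cert(serial)
        if status != 200:
            unreadable[serial] = classify_error(body)
    return unreadable


def vault_get(path):
    """Minimal authenticated GET against the Vault HTTP API; returns (status, body_text)."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def list_serials(mount="pki"):
    """LIST on <mount>/certs via the ?list=true form; returns the stored serials."""
    status, body = vault_get(f"{mount}/certs?list=true")
    if status != 200:
        raise RuntimeError(f"listing {mount}/certs failed: {body}")
    return json.loads(body)["data"]["keys"]


if __name__ == "__main__":
    bad = find_unreadable(list_serials(), lambda s: vault_get(f"pki/cert/{s}"))
    for serial, kind in sorted(bad.items()):
        print(f"{serial}\t{kind}")
```

With a store the size reported in the tidy status (over two million entries) the listing and the per-serial reads are slow and should be run against a non-production replica or outside peak hours.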