Error in taking raft storage snapshots

zmingxie · May 25, 2021, 7:48pm

Hi,

I have my Vault cluster setup using the internal raft storage backend.

At the moment, I also set tls_disable = true and let Nginx handle TLS offloading for the service. So the inbound traffic looks like this:

client --> https://vault.example.com  (Nginx) --> http://vault-node1.example.com:8200 (leader)
                                                  http://vault-node2.example.com:8200 (follower)
                                                  http://vault-node3.example.com:8200 (follower)

This has been working fine except I’m hitting the following error if the raft snapshot save command goes to one of the follower nodes:

❯ vault operator raft snapshot save vault-test.snapshot
Error taking the snapshot: redirect would cause protocol downgrade

I’ve enabled debug logging, but I don’t see any additional logs about this error. Any ideas what may be causing this?

Thanks,
Ming

borsik · August 10, 2022, 5:04pm

I’m also interested how to solve this issue. Thanks.

maxb · August 10, 2022, 6:26pm

github.com/hashicorp/vault

`vault operator raft snapshot save` and `restore` fail to handle redirection to the active node

opened 04:27PM - 02 May 22 UTC

maxb

bug storage/raft

Scenario: A 3-node Vault cluster using Raft storage, accessed via a load-balance…d URL which can contact any one of the unsealed nodes. Attempt to use `vault operator raft snapshot save`: If it lands on a standby node, a rather opaque error is produced: ``` Error taking the snapshot: incomplete snapshot, unable to read SHA256SUMS.sealed file ``` Attempt to use `vault operator raft snapshot restore`: If it lands on a standby node, a rather opaque error is produced: ``` Error installing the snapshot: redirect failed: Post "http://172.18.0.11:8200/v1/sys/storage/raft/snapshot": read snapshot.tar.gz: file already closed ```