Vault with 3 Consul backends won't unseal

I have Vault version 1.3.2 and Consul 1.7.0 running in a three node cluster. I can see the servers have designated a leader. When I try to unseal the Vaults, they take the first two keys but then fail on the third key.

Unseal failed. invalid key

Hi Tom :wave:

Which servers have designated a leader? Presumably the Consul backend, as Vault won’t be clustered until it is unsealed. Can you share your configurations and logs?

Failing on the third key share is standard behaviour when there’s a problem with your unseal keys (and you’ve used the default key shares and threshold): that is, it doesn’t mean that the first two key shares were valid. But we’ll need more information to help you, beyond that.

Thanks for getting back with me. The problem was that the keys were printed on a piece of paper and I’s, lower case L’s , and ones all look alike. After MUCH trial and error, we finally figured out the combination.

1 Like