Vault 1.0.0 will not start without seal configuration #5938

Closed
jdavisp3 opened this issue Dec 11, 2018 · 9 comments · Fixed by #5956
@jdavisp3

Describe the bug
When attempting to upgrade from 0.10.4 to 1.0.0 in a configuration that has always used manual unseal, Vault will not start in server mode.

More details are in this thread, including the error message in the log file:
https://groups.google.com/d/msgid/vault-tool/42B9735A-9B0D-443E-896E-050AE4741C9A%40ttys0.net?utm_medium=email&utm_source=footer

To Reproduce
Steps to reproduce the behavior:

  1. Run vault server -config...
  2. See error

Expected behavior
I expected Vault to start up and let me unseal it like all previous upgrades.

Environment:

  • Vault Server Version (retrieve with vault status): 0.10.4 -> 1.0.0
  • Vault CLI Version (retrieve with vault version): Same
  • Server Operating System/Architecture: Ubuntu on AWS EC2

Vault server configuration file(s):

{"backend":{"consul":{"address":"127.0.0.1:8500","path":"vault-dev-2"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_cert_file":"***","tls_key_file":"***"}}, "ui": true}
@jefferai
Member

What env vars do you have set? I don't know what might be causing this, but we've had no other reports.

@jdavisp3
Author

This is the environment of the server:

USER=vault
UPSTART_INSTANCE=
GROUP=vault
PID_FILE=/var/run/vault.pid
UPSTART_JOB=vault
VAULT=/usr/local/bin/vault
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
CONFIG=/etc/vault/config.json
LOG_FILE=/var/log/vault.log
PWD=/
GOMAXPROCS=1

@mjrlee
Contributor

mjrlee commented Dec 12, 2018

Did you try migrating at any point? This is the message we got on our standby nodes while we were migrating.

@jdavisp3
Author

> Did you try migrating at any point? This is the message we got on our standby nodes while we were migrating.

I don't think so? I've never tried to use the auto-unsealing mechanism.

@briankassouf
Contributor

briankassouf commented Dec 13, 2018

@jdavisp3 I wasn't able to reproduce using the same config file. Have you ever run Vault Enterprise?

Also, could you run the following command and paste the data here?

consul kv get vault-dev-2/core/seal-config

@jdavisp3
Author

@briankassouf I've never run the enterprise version. We've been using Vault since a fairly early release.

{"secret_shares":1,"pgp_keys":null,"secret_threshold":1,"nonce":"...","backup":false}

@jdavisp3
Author

Thanks for the fix! Is there a way I could upgrade to 1.0.0 now or should I wait for 1.0.1?

@briankassouf
Contributor

1.0.1 will be out pretty soon, but a current workaround would be to manually edit the JSON in consul and add "type":"shamir", as an item in vault-dev-2/core/seal-config
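
The workaround in the comment above, as an added example (not code from the Vault project or from anyone in this thread): a Python helper that adds "type":"shamir" to the stored record only when the field is absent, and refuses to patch a record that is malformed or already carries a different seal type. The function, class and file names are hypothetical; the Consul key comes from the thread.

```python
import json
import sys

# Record posted in the thread (the nonce is elided there as "...").
THREAD_RECORD = ('{"secret_shares":1,"pgp_keys":null,"secret_threshold":1,'
                 '"nonce":"...","backup":false}')


class SealConfigError(ValueError):
    """The stored record is not one this helper should patch."""


def patch_seal_config(raw, seal_type="shamir"):
    """Return (json_text, changed); every existing field is preserved."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SealConfigError(f"not valid JSON: {exc}") from exc
    if not isinstance(cfg, dict):
        raise SealConfigError("seal-config is not a JSON object")
    shares, threshold = cfg.get("secret_shares"), cfg.get("secret_threshold")
    if not (isinstance(shares, int) and isinstance(threshold, int)
            and 1 <= threshold <= shares):
        raise SealConfigError("secret_shares/secret_threshold missing or inconsistent")
    current = cfg.get("type")
    if current == seal_type:
        return raw, False  # already patched: nothing to write back
    if current:
        raise SealConfigError(f"type is already {current!r}; not overwriting")
    cfg["type"] = seal_type
    return json.dumps(cfg, separators=(",", ":")), True


if __name__ == "__main__":
    # Assumed usage, keeping a backup of the original value:
    #   consul kv get vault-dev-2/core/seal-config > seal-config.bak
    #   python3 patch_seal_config.py < seal-config.bak > seal-config.new
    #   consul kv put vault-dev-2/core/seal-config @seal-config.new
    try:
        patched, changed = patch_seal_config(sys.stdin.read())
    except SealConfigError as exc:
        sys.exit(f"refusing to patch: {exc}")
    sys.stdout.write(patched)
    print("type added" if changed else "type already set", file=sys.stderr)
```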

@jdavisp3
Author

Gotcha, thanks. I'll just wait for 1.0.1.
