-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fatal: config cannot be loaded: ciphertext verification failed #2323
Comments
Is there an SSL/TLS certificate involved that might have expired or for some other reason isn't trusted? |
Ah, there isn't. I'm using a plain http service (a service of another namespace in Kubernetes) for minio with restic.
|
The backups that rely on restic in our infra have been failing. Can someone please have a look? |
I’ve had a similar issue in the past . I would recommend checking if you have multiple keys in your repo . You should be able to run ’restic ls keys’ to check or looking at your repo manually . If you do, then you can move the key with the newest creation date and then it should work . I don’t recall which restic version allows you to specify a key but you could try that flag as well |
@kun93 That command also failed with the same reason:
|
@minhdanh I'm at a loss as to why you're getting that error if the files in the repo are still intact. I'd suspect they've been corrupted somehow. You could try running restic on the server where the repository resides, like |
There're two files in this keys directory. Looks like somehow the repo was initialized twice |
So move one of the keys out of that folder (keeping the file in another place), and see if that helps (as per @kun93's suggestion)? :) |
Yes, I tried that already. And could run the commands to some extent:
|
So I tried to rebuild the index:
|
Then run restic check again:
|
Then I run restic prune as suggested:
|
Then
So it looks like no snapshots is usable now. |
I just got the same error, after using Minio's mirroring feature. I think this is an issue of the storage. Since my repo is relatively big (~1tb), mirroring took too much time and apparently it was not so successful (or there was a change on it for some reason while/after the operation). I saw md5 hashes of the repository config file ( Not sure about your setup but please check if the storage is keeping everything as it is. |
Worth mentioning is that people are seeing this type of error now and then, and it usually turns out to be memory or other hardware problems. It's worth investigating that. Do some hardware tests, etc. |
Mhh - maybe we should save I already pointed out about inconsequent handling of the config files, see #2498 and #2505 . If wanted, I can prepare a PR to change the config file name which would be another way to solve #2498 and makes #2505 obsolete. However it would mean a change in the repo format... |
Hmm. I don't think this is needed (good idea but, yeah, changing the format). In my case, root cause turned out to be this, which should have done this correctly. Even a basic rsync of the repository folder would be non-problematic. Anyway I don't want to poison the original issue, just wanted to mention after seeing the same line ☮️ |
After chatting on the mc issue I've linked above, I think you were right.
|
I'm also having this issue on one of our customers devices, except I got it the opposite way to OP. The config is decrypted fine, but it can't decrypt the snapshots and I just get a load of errors like this:
I found when I remove one of the keys (the first one in alphabetical order) then it complains instead about not being able to load the config:
So now I'm thinking I want to fix this so we can access the backups. Perhaps by simply re-encrypting the config file with the newer key and deleted the older one, but I don't think that's gonna be easy without hacking up a small go utility (my go is good by my cryptography is poor). I'm not sure if this is the only customer unit affected, there's probably more. |
Its been a while but I believe Ive had similar issues in the past and I've had good luck doing a combination of the above with the original key plus using the branch below to fix the corrupt config as mentioned https://forum.restic.net/t/unable-to-open-config-file-can-i-restore-it/1648/26 I believe what happens is that the new key got far enough to create a new config and thats why you can't access the snapshots since it's not linked to the original key/config. Not sure if it helps you but figured I'd share just in case so you can dig in |
There's exactly one point in time at which restic writes the config file, and that is when calling I've put together a branch with some less hacky code (and several guardrails) to replace a missing/broken config file. See https://forum.restic.net/t/fatal-config-cannot-be-loaded-ciphertext-verification-failed/3027/2 for a description and the link to the branch. |
restic should check that a newly added / changed key actually works before deleting the old one. That way it's possible to avoid nasty surprises. |
ran into this today too -- created/init repo, then performed a backup
|
Is this reproducible (e.g. with very small backup data)? If yes, can you send us the command to reproduce? |
Closing this issue as there's nothing left to be done here, after #3429 was merged. If some of the problems mixed into this issue still occur, please open a new issue. |
Output of
restic version
0.9.4
How did you run restic exactly?
What backend/server/service did you use to store the repository?
Minio
Expected behavior
restic lists all snapshots
Actual behavior
restic failed with the above error
Steps to reproduce the behavior
I have a cronjob to backup the files using restic. It used to work.
But after some days the job failed with the same error.
When I use the command line to check, all restic commands failed with the same error.
Do you have any idea what may have caused this?
No idea
Do you have an idea how to solve the issue?
No idea
Did restic help you or made you happy in any way?
Yes
The text was updated successfully, but these errors were encountered: