Hi all, I deployed Vault and my project to 2 servers (A - Vault, B - my project). I want to call from B to A through port 9200, but I always get the error "connection timeout"; however, when I call A from local I always get response data.
PS: my English is not good, sorry about that.
Here is my vault.hcl:
```hcl
default_lease_ttl = "24h"
disable_mlock     = "true"
max_lease_ttl     = "43800h"

backend "file" {
  path = "/home/vault/config/data"
}

api_addr         = "https://localhost:9200"
ui               = "true"
plugin_directory = "/home/vault/plugins"

listener "tcp" {
  address            = "0.0.0.0:9200"
  tls_cert_file      = "/home/vault/config/vault.crt"
  tls_client_ca_file = "/home/vault/config/root.crt"
  tls_key_file       = "/home/vault/config/vault.key"
}
```
My entrypoint.sh:
```bash
#!/bin/bash
CONFIG_DIR="/home/vault/config"
INIT_SCRIPT="/home/vault/config/init.sh"
CA_CERT="$CONFIG_DIR/root.crt"
CA_KEY="$CONFIG_DIR/root.key"
TLS_KEY="$CONFIG_DIR/vault.key"
TLS_CERT="$CONFIG_DIR/vault.crt"
OPENSSL_CONFIG="$CONFIG_DIR/vault.cnf"
CSR="$CONFIG_DIR/vault.csr"

export VAULT_ADDR="https://127.0.0.1:9200"
export VAULT_CACERT="$CA_CERT"

# Write the OpenSSL request config used for the Vault server certificate.
function create_config {
cat > "$OPENSSL_CONFIG" << EOF
[req]
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes

# Specify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name

# Extensions for SAN IP and SAN DNS
req_extensions = v3_req

# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = US
ST = Maryland
L = x
O = x
CN = localhost

# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

# Alternative names are specified as IP.# and DNS.# for IPs and
# DNS accordingly.
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
IP.2 = my ip
DNS.2 = localhost
IP.3 = my ip
DNS.3 = localhost
IP.4 = my ip
DNS.4 = localhost
IP.5 = my ip
DNS.5 = localhost
IP.6 = 0.0.0.0
DNS.6 = localhost
EOF
}

# Create a self-signed CA, then a server key/CSR signed by that CA with the
# v3_req extensions (SANs) from the config above.
function gencerts {
  create_config

  openssl req \
    -new \
    -sha256 \
    -newkey rsa:2048 \
    -days 120 \
    -nodes \
    -x509 \
    -subj "/C=US/ST=Maryland/L=Immutability/O=Immutability LLC" \
    -keyout "$CA_KEY" \
    -out "$CA_CERT"

  openssl genrsa -out "$TLS_KEY" 2048

  openssl req \
    -new -key "$TLS_KEY" \
    -out "$CSR" \
    -config "$OPENSSL_CONFIG"

  openssl x509 \
    -req \
    -days 120 \
    -in "$CSR" \
    -CA "$CA_CERT" \
    -CAkey "$CA_KEY" \
    -CAcreateserial \
    -sha256 \
    -extensions v3_req \
    -extfile "$OPENSSL_CONFIG" \
    -out "$TLS_CERT"

  openssl x509 -in "$TLS_CERT" -noout -text

  chown -R nobody:nobody "$CONFIG_DIR" && chmod -R 777 "$CONFIG_DIR"
}

mkdir -p "$CONFIG_DIR"
gencerts

nohup vault server -log-level=debug -config /home/vault/config/vault.hcl &
VAULT_PID=$!
which bash
sleep 3
if [ -f "$INIT_SCRIPT" ]; then
  /bin/bash "$INIT_SCRIPT"
fi

wait "$VAULT_PID"
```
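Added example (not part of the original post, and not HashiCorp code): a diagnostic to run on server B that separates the two things a "connection timeout" from B can mean. A TCP-level timeout points at a firewall, security group, or Vault not actually listening where B dials; a name mismatch surfaces only after the socket opens, as a TLS verification error. The script assumes a placeholder `VAULT_HOST` for A's routable address, a copy of A's `root.crt` as `CA_FILE`, and port 9200 as in the post; the `san_covers` helper and the sample SAN strings are constructed for this example.

```bash
#!/usr/bin/env bash
# Added diagnostic, not from the original post. Run on server B (the client).
# Assumptions (placeholders): VAULT_HOST is server A's routable address,
# CA_FILE is a copy of A's root.crt, VAULT_PORT matches the listener (9200).
VAULT_HOST="${VAULT_HOST:-192.0.2.10}"
VAULT_PORT="${VAULT_PORT:-9200}"
CA_FILE="${CA_FILE:-./root.crt}"

# san_covers SAN_TEXT HOST
# SAN_TEXT is the subjectAltName line as printed by
#   openssl x509 -noout -ext subjectAltName -in vault.crt
# e.g. "DNS:localhost, IP Address:127.0.0.1, IP Address:0.0.0.0" (constructed).
# Prints "yes" when HOST appears as an exact DNS or IP entry, otherwise "no".
# A client dialing https://HOST:9200 needs exactly this match; 0.0.0.0 is a
# listen address and never matches anything a client connects to.
san_covers() {
  local san_text="$1" host="$2" entry old_ifs="$IFS"
  IFS=','
  for entry in $san_text; do
    entry="${entry#"${entry%%[! ]*}"}"   # strip leading spaces after the comma
    entry="${entry#DNS:}"
    entry="${entry#IP Address:}"
    if [ "$entry" = "$host" ]; then
      IFS="$old_ifs"
      echo yes
      return 0
    fi
  done
  IFS="$old_ifs"
  echo no
  return 0
}

# check_port HOST PORT: "open" if a TCP handshake completes within 5s, else
# "unreachable". A timeout here is network path or listener, not TLS.
check_port() {
  if timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
    echo open
  else
    echo unreachable
  fi
}

# server_sans: complete a TLS handshake against A, verifying with the copied CA,
# and print the server certificate's SAN entries on one line.
server_sans() {
  openssl s_client -connect "$VAULT_HOST:$VAULT_PORT" -servername "$VAULT_HOST" \
    -CAfile "$CA_FILE" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -E 'DNS:|IP Address:' | sed 's/^ *//'
}

main() {
  echo "tcp ${VAULT_HOST}:${VAULT_PORT} -> $(check_port "$VAULT_HOST" "$VAULT_PORT")"
  local sans
  sans="$(server_sans)"
  echo "server SANs: ${sans:-<handshake failed>}"
  echo "cert covers ${VAULT_HOST} -> $(san_covers "$sans" "$VAULT_HOST")"
  # Vault's own view once transport and names line up (exit 2 = sealed).
  VAULT_ADDR="https://${VAULT_HOST}:${VAULT_PORT}" VAULT_CACERT="$CA_FILE" vault status
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `./diag.sh --run` on B. If `check_port` reports `unreachable`, the fix is on the network path (firewall or cloud security group for 9200, or a listener bound somewhere other than `0.0.0.0:9200`), and no certificate change on A will help. If the port is open but `san_covers` says `no`, the address B uses for A has to be added to `[alt_names]` (the `my ip` entries above), and `api_addr` on A should be that same reachable address rather than `localhost`, since Vault advertises it to clients. Two defender-side caveats visible in the posted entrypoint: `chmod -R 777 $CONFIG_DIR` leaves `root.key` and `vault.key` readable and writable by every local user on A, and a CA that signs with `clientAuth` allowed should be restricted to the hosts that need it.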