Cannot unseal after first installation using Keys

Vault
1

Hello,

i’m currently testing out the vault and I currently stuck at the beginning, wondering if it might be a bug.
I am running vault as an executable service on a RHEL machine. I created Self Signed TLS certs, started service and accessed the Webui via Loadbalancer with 443.
Everything worked so far. I generated keys and root token and after that, when I have to unseal using 3 different keys, nothing happens.
When I reach (2/3) passed keys and paste in the 3rd key, nothing happens and the counter resets to 0. What am I missing?

My config:

 $ cat config.hcl
storage "raft" {
  path    = "/opt/vault/data/"
  node_id = "vault01"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file   = "/opt/vault/cert/cert.pem"
  tls_key_file    = "/opt/vault/cert/key.pem"
}

api_addr = "http://0.0.0.0:8200"
cluster_addr = "https://0.0.0.0:8201"
disable_mlock = true
ui = true
2

The keys (or the copy-n-paste) process are incorrect. There is no validation of the shards during entry. Only after all the shards are present does Vault validate the key. If it’s resetting back to 0 without unsealing then the shards did not add up to a valid key.

Check for a space at the end (or a cartridge return character) where it isn’t visible but is entered into the buffer, could cause this.

3

Very strange. There is no typo. I also used the “copy to clipboard” button that was given in the UI. I thought this might copy the shard in its correct format.

4

I’ve seen it first hand. Two different times, two different people copy-n-pasting the same keys from the same page and one worked and one didn’t.

5

Should they all have the same length? I see 2 shards are longer than the rest. I made 5

6

AFAIK they should all be the same bit length.

7

Something is not right. I removed the data storage to begin re-initiate. Created a new raft, generated 5 shards and 2 thresholds. I checked copy&paste twice. They all are the same length. Now I have to provide 2 shards, but it still wont unseal…

8

I now made the whole init process in the terminal and I think I found my problem:
[vault@vault01 vault]$ vault operator unseal
Unseal Key (will be hidden):
Error unsealing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/unseal
Code: 500. Errors:

  • cannot use unspecified IP with raft storage: 0.0.0.0:8201
    [vault@vault01 vault]$

edit:
changed cluster adress to 127.0.0.1, since it’s a single node setup