Docker TLS issue


I’m setting up Vault in our lab in a docker container. It works a treat without TLS but I cannot leave our lab credentials in the clear. I’ve created a self-signed cert on the server. I’ve altered the local.json config file I’m working from but the container will not come up. I can’t even get any logs from it.

cert common name -
docker volume - /etc/vault:/vault
server cert locations - /etc/vault/config/certs/vault-self-signed-crt.pem, /etc/ssl/certs/vault-self-signed-crt.pem
server key locations - /etc/vault/config/certs/vault-self-signed-key.pem, /etc/ssl/certs/vault-self-signed-key.pem

The local.json file in /etc/vault/config:

{
  "listener": [{
    "tcp": {
      "address": "",
      "tls_cert_file": "/vault/config/certs/vault-sandpit-selfsigned-crt.pem",
      "tls_key_file": "/vault/config/certs/vault-sandpit-selfsigned-key.pem"
    }
  }],
  "storage": {
    "file": {
      "path": "/vault/data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}

The hosts file on the server has its IP pointing to

So do I have an issue because I’m in a container and vault isn’t able to resolve the IP address?

Thanks Mark

I changed the address to to get the container up. I exported the FQDN and it fails to resolve if I use the private IP of the server which will fail with the cert and get no route. So I need a host entry in the container for the FQDN against the local host I assume?


Having the same issue with Vault TLS. @mark1973ryan were you able to find a way out of this? Also, how are you terminating TLS in regards to getting HTTPS via something like Cloudflare? Like, are you using two different certs?

This is how I fixed it.
On my docker-compose I add the following:


then in my vault config.hcl I have this:

listener "tcp" {
   address = ""
   tls_disable = 0
   tls_cert_file = "/vault/certs/"
   tls_key_file =  "/vault/certs/"
}

The aliases in the docker-compose file make the FQDN resolve locally as the container host, so it can be bound by the TCP listener.

hope it helps
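The two failure modes in this thread (a listener config Vault rejects before it logs anything, and an address whose hostname does not resolve inside the container) can both be caught before starting the container. The following linter is an added example, not code from either poster or from HashiCorp: it parses a Vault JSON config, flags syntax errors, a `tls_disable` listener, missing or unreadable cert/key paths, a world-readable key, and optionally checks that the listener hostname resolves from where it runs. The sample config, FQDN `vault.lab.example` and file paths are constructed placeholders.

```python
import json
import os
import socket
import stat

# Constructed sample config in the shape posted above; hostname and paths are
# placeholders (assumptions for the example), not values from the thread.
SAMPLE_CONFIG = """
{
  "listener": [{
    "tcp": {
      "address": "vault.lab.example:8200",
      "tls_cert_file": "/vault/config/certs/vault-crt.pem",
      "tls_key_file": "/vault/config/certs/vault-key.pem"
    }
  }],
  "storage": {"file": {"path": "/vault/data"}},
  "ui": true
}
"""


def load_config(text):
    """Parse the JSON config. Returns (config, None) or (None, error).
    A syntax error (missing brace, stray quote) is rejected by Vault at
    startup, which is one reason a container can exit without useful logs."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as e:
        return None, f"invalid JSON at line {e.lineno} col {e.colno}: {e.msg}"


def lint_listener(tcp, check_files=True, resolve=False):
    """Return a list of findings for one tcp listener stanza."""
    findings = []
    address = tcp.get("address", "")
    # Naive host:port split; good enough for hostnames and IPv4 addresses.
    host = address.rsplit(":", 1)[0] if ":" in address else address
    if not address:
        findings.append("address is empty")
    elif host in ("", "0.0.0.0"):
        findings.append("address binds all interfaces; cert SAN must cover the name clients use")
    elif resolve:
        try:
            socket.gethostbyname(host)
        except socket.gaierror:
            findings.append(f"{host} does not resolve here (hosts entry or compose alias needed)")

    tls_disabled = str(tcp.get("tls_disable", "0")).lower() in ("1", "true")
    if tls_disabled:
        findings.append("tls_disable is set; credentials would travel in the clear")
        return findings

    cert, key = tcp.get("tls_cert_file"), tcp.get("tls_key_file")
    for name, path in (("tls_cert_file", cert), ("tls_key_file", key)):
        if not path:
            findings.append(f"{name} missing while TLS is enabled")
        elif check_files and not os.path.isfile(path):
            findings.append(f"{name} {path} not found (check the volume mount)")
    if key and check_files and os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:
            findings.append(f"tls_key_file mode {oct(mode)} is readable by group/others")
    return findings


def lint_config(text, check_files=True, resolve=False):
    """Lint a whole config text; returns a (possibly empty) list of findings."""
    cfg, err = load_config(text)
    if err:
        return [err]
    findings = []
    listeners = cfg.get("listener", [])
    if not listeners:
        findings.append("no listener stanza")
    for entry in listeners:
        tcp = entry.get("tcp")
        if tcp is None:
            findings.append("listener without tcp block")
            continue
        findings.extend(lint_listener(tcp, check_files, resolve))
    return findings


if __name__ == "__main__":
    # Run with resolve=True inside the container to reproduce the FQDN check.
    for finding in lint_config(SAMPLE_CONFIG, check_files=False) or ["no findings"]:
        print("-", finding)
```

Run it inside the Vault container (for example with `docker compose run --rm vault python3 lint.py`, if Python is available in the image) so that the hostname check sees the container's own resolver; a clean result means the config is at least syntactically valid and the listener name resolves where Vault will bind it.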