Docker TLS issue

Hi,

I’m setting up Vault in our lab in a docker container. It works a treat without TLS but I cannot leave our lab credentials in the clear. I’ve created a self-signed cert on the server. I’ve altered the local.json config file I’m working from but the container will not come up. I can’t even get any logs from it.

cert common name - vault.sandpit.corpnet.co.uk
docker volume - /etc/vault:/vault
server cert locations - /etc/vault/config/certs/vault-self-signed-crt.pem, /etc/ssl/certs/vault-self-signed-crt.pem
server key locations - /etc/vault/config/certs/vault-self-signed-key.pem, /etc/ssl/certs/vault-self-signed-key.pem

The local.json file in /etc/vault/config:

{
  "listener": [{
    "tcp": {
      "address": "vault.sandpit.corpnet.co.uk:8200",
      "tls_cert_file": "/vault/config/certs/vault-sandpit-selfsigned-crt.pem",
      "tls_key_file": "/vault/config/certs/vault-sandpit-selfsigned-key.pem"
    }
  }],
  "storage": {
    "file": {
      "path": "/vault/data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h",
  "ui": true
}

The hosts file on the server has its IP pointing to vault.sandpit.corpnet.co.uk.

So do I have an issue because I’m in a container and vault isn’t able to resolve the IP address?

Thanks, Mark

I changed the address to 0.0.0.0:8200 to get the container up. I exported the FQDN, and it fails to resolve; if I use the private IP of the server, it will fail with the cert and I get no route. So I need a hosts entry in the container for the FQDN against the local host, I assume?


Having the same issue with Vault TLS. @mark1973ryan, were you able to find a way out of this? Also, how are you terminating TLS in regards to getting HTTPS via something like Cloudflare? Like, are you using two different certs?

This is how I fixed it.
In my docker-compose I added the following:

environment:
  - VAULT_ADDR=https://vault.mydomain.com:8200
networks:
  default:
    aliases:
      - vault.mydomain.com

then in my vault config.hcl I have this:

listener "tcp" {
   address = "vault.mydomain.com:8200"
   tls_disable = 0
   tls_cert_file = "/vault/certs/vault.mydomain.com-cert.pem"
   tls_key_file =  "/vault/certs/vault.mydomain.com-priv.pem"
}

The aliases in Docker make the FQDN resolve locally to the container host, so it can be bound by the TCP listener.

Hope it helps.

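The two failure modes in this thread (a config file that does not parse, as in the first post, and a listener address that does not resolve inside the container, which the network alias in the last post fixes) can both be caught before starting the container. The following preflight script is an added example, not Vault's own code or anything posted in the thread. It assumes the JSON config shape used above (listener -> tcp -> address / tls_cert_file / tls_key_file), the bind mount /etc/vault:/vault from the first post, and constructs its sample configs inline; the cert and key files it writes are empty placeholders, so it only checks that the referenced paths exist, not that the certificate is valid for the FQDN.

```python
"""Preflight checks for a Vault TLS tcp listener config before starting the container.

Added example, not Vault's own code. Assumptions: the JSON config shape from the
thread, and the "-v /etc/vault:/vault" bind mount (override via `mounts`).
"""
import json
import os
import socket
import tempfile
from typing import Dict, List, Optional

# Container path prefix -> host path prefix (assumed from the "/etc/vault:/vault" mount).
DEFAULT_MOUNTS = {"/vault": "/etc/vault"}

# Typographic quotes appear when a config is pasted through a word processor or forum.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed sample: the first post's config as it appeared (curly quotes, a doubled
# quote in tls_key_file and a trailing comma). json.loads rejects it.
BROKEN_CONFIG = """{
\u201clistener\u201d: [{
\u201ctcp\u201d: {
\u201caddress\u201d: \u201cvault.sandpit.corpnet.co.uk:8200\u201d,
\u201ctls_cert_file\u201d: \u201c/vault/config/certs/vault-sandpit-selfsigned-crt.pem\u201d,
\u201ctls_key_file\u201d: \u201c\u201d/vault/config/certs/vault-sandpit-selfsigned-key.pem",
}
}],
\u201cstorage\u201d: { \u201cfile\u201d: { \u201cpath\u201d: \u201c/vault/data\u201d } },
\u201cui\u201d: true
}"""

# Constructed sample: the same config with the syntax repaired.
FIXED_CONFIG = """{
  "listener": [{"tcp": {
    "address": "vault.sandpit.corpnet.co.uk:8200",
    "tls_cert_file": "/vault/config/certs/vault-sandpit-selfsigned-crt.pem",
    "tls_key_file": "/vault/config/certs/vault-sandpit-selfsigned-key.pem"
  }}],
  "storage": {"file": {"path": "/vault/data"}},
  "ui": true
}"""


def normalize_quotes(text: str) -> str:
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def config_error(text: str) -> Optional[str]:
    """Return a message locating the first JSON syntax error, or None if it parses."""
    try:
        json.loads(normalize_quotes(text))
        return None
    except json.JSONDecodeError as exc:
        return f"invalid JSON at line {exc.lineno} col {exc.colno}: {exc.msg}"


def host_path(container_path: str, mounts: Dict[str, str]) -> str:
    """Translate a path as seen inside the container to the host side of the bind mount."""
    for cpath, hpath in mounts.items():
        if container_path == cpath or container_path.startswith(cpath + "/"):
            return hpath + container_path[len(cpath):]
    return container_path


def is_ip_literal(host: str) -> bool:
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host.strip("[]"))
            return True
        except OSError:
            pass
    return False


def check_listener(config: dict, mounts: Dict[str, str] = DEFAULT_MOUNTS,
                   resolve: bool = True) -> List[str]:
    """Return problems found in the tcp listener(s); an empty list means it looks bindable."""
    problems: List[str] = []
    listeners = config.get("listener", [])
    if isinstance(listeners, dict):
        listeners = [listeners]
    if not listeners:
        return ["no listener stanza"]
    for entry in listeners:
        tcp = entry.get("tcp")
        if tcp is None:
            problems.append("listener is not a tcp listener")
            continue
        host, _, port = tcp.get("address", "127.0.0.1:8200").rpartition(":")
        # A hostname that does not resolve where Vault runs (i.e. inside the container)
        # cannot be bound; an IP literal such as 0.0.0.0 needs no lookup.
        if resolve and not is_ip_literal(host):
            try:
                socket.getaddrinfo(host, int(port), proto=socket.IPPROTO_TCP)
            except (socket.gaierror, ValueError) as exc:
                problems.append(f"{host!r} does not resolve ({exc}); add a network alias "
                                "or hosts entry inside the container")
        if str(tcp.get("tls_disable", 0)).lower() in ("1", "true"):
            problems.append("tls_disable is set: credentials would travel in clear text")
            continue
        for key in ("tls_cert_file", "tls_key_file"):
            path = tcp.get(key)
            if not path:
                problems.append(f"{key} is missing")
                continue
            hpath = host_path(path, mounts)
            if not os.path.isfile(hpath):
                problems.append(f"{key} {path!r} -> {hpath!r} not found on host")
    return problems


def demo() -> dict:
    """Run the checks on both constructed configs and return the findings."""
    result = {"broken": config_error(BROKEN_CONFIG), "fixed": config_error(FIXED_CONFIG)}
    config = json.loads(FIXED_CONFIG)
    # Paths from the thread do not exist here, so both files are reported missing.
    result["missing_files"] = check_listener(config, resolve=False)
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for /etc/vault on the host
        os.makedirs(os.path.join(tmp, "config", "certs"))
        for name in ("vault-sandpit-selfsigned-crt.pem", "vault-sandpit-selfsigned-key.pem"):
            open(os.path.join(tmp, "config", "certs", name), "w").close()  # placeholder
        result["files_present"] = check_listener(config, mounts={"/vault": tmp}, resolve=False)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on the host with the real local.json before `docker run`: a non-empty `config_error` explains a container that exits immediately, and a resolution problem reported with `resolve=True` from inside the container (for example via `docker exec`) is what the `aliases:` entry in the compose file above corrects.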