Docker TLS issue

Hi,

I’m setting up Vault in our lab in a docker container. It works a treat without TLS but I cannot leave our lab credentials in the clear. I’ve created a self-signed cert on the server. I’ve altered the local.json config file I’m working from but the container will not come up. I can’t even get any logs from it.

cert common name - vault.sandpit.corpnet.co.uk
docker volume - /etc/vault:/vault
server cert locations - /etc/vault/config/certs/vault-self-signed-crt.pem, /etc/ssl/certs/vault-self-signed-crt.pem
server key locations - /etc/vault/config/certs/vault-self-signed-key.pem, /etc/ssl/certs/vault-self-signed-key.pem

The local.json file in /etc/vault/config:

{
“listener”: [{
“tcp”: {
“address”: “vault.sandpit.corpnet.co.uk:8200”,
“tls_cert_file”: “/vault/config/certs/vault-sandpit-selfsigned-crt.pem”,
“tls_key_file”: “”/vault/config/certs/vault-sandpit-selfsigned-key.pem",
}
}],
“storage”: {
“file”: {
“path”: “/vault/data”
}
},
“max_lease_ttl”: “10h”,
“default_lease_ttl”: “10h”,
“ui”: true
}

The host file on the server has it’s IP pointing to vault.sandpit.corpnet.co.uk.

So do I have an issue because I’m in a container and vault isn’t able to resolve the IP address?

Thanks Mark

I changed the address to 0.0.0.0:8200 to get the container up. I exported the FQDN and it fails to resolve if I use the private IP of the server which will fail with the cert and get no route. So I need a host entry in the container for the FQDN against the local host I assume?

1 Like

Having the same issue with Vault TLS. @mark1973ryan were you able to find a way out of this? also, how are you terminating TLS in regards to getting HTTPS via something like cloudflare? like, are you using two different certs?

This is how I fixed it.
On my docker-compose I add the following:

environment:
  - VAULT_ADDR=https://vault.mydomain.com:8200
networks:
  default:
    aliases:
      - vault.mydomain.com

then in my vault config.hcl I have this:

listener "tcp" {
   address = "vault.mydomain.com:8200"
   tls_disable = 0
   tls_cert_file = "/vault/certs/vault.mydomain.com-cert.pem"
   tls_key_file =  "/vault/certs/vault.mydomain.com-priv.pem"
}

the aliases in the docker makes the the fqdn to resolve locally as the container host, so it can be bound by the tcp listener

hope it helps