Hashicorp Vault: “Error initializing listener of type tcp: error loading TLS cert” Where is my mistake?

I am trying to run Vault with docker-compose on an Ubuntu 20.04 virtual machine (IP: 192.168.56.9). Without HTTPS it already works fine, but when I try to put Vault in HTTPS with a self-signed certificate from openssl, it doesn’t work.

Here are my configurations:

docker-compose.yml :

version: '3.6'

services:

  vault:
    build:
      context: ./vault
      dockerfile: Dockerfile
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
      - ./vault/volume_test/:/vault/volume_test
    environment:
      - VAULT_ADDR=http://192.168.56.9:8200
    command: server -config=/vault/config/vault-config.conf
    cap_add:
      - IPC_LOCK

Dockerfile :

# base image
FROM alpine:3.7

# set vault version
ENV VAULT_VERSION 0.10.3

# create a new directory
RUN mkdir /vault

# download dependencies (unzip is needed to unpack the release archive)
RUN apk --no-cache add \
      bash \
      ca-certificates \
      unzip \
      wget

# download and set up vault
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
    unzip /tmp/vault.zip -d /vault && \
    rm -f /tmp/vault.zip && \
    chmod +x /vault/vault

# update PATH so the ENTRYPOINT can find the binary at /vault/vault
ENV PATH="$PATH:/vault"

# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf

# expose port 8200
EXPOSE 8200

# run vault
ENTRYPOINT ["vault"]

My vault-config.conf :

backend "file" {
  path = "vault/data"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = false
  tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
  tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}

#api_addr = "http://192.168.56.9:8200"

disable_mlock = true

ui = true

How I create my .crt and my .key :

Create a cert.conf file in /home/xxx/Vault-Docker/ :

[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9

[v3_req]
# a TLS server signs the ECDHE handshake, so it needs digitalSignature;
# keyEncipherment covers RSA key exchange; dataEncipherment is not used by TLS
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.56.9

And execute in /home/xxx/Vault-Docker/:

openssl req -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config cert.conf

But when I run :

docker-compose up -d --build

Then :

docker logs vault-docker_vault_1 

The output is :

Error initializing listener of type tcp: error loading TLS cert: open /home/xxx/Vault-Docker/domain.crt: no such file or directory

Can someone tell me where my error is?

Thanks a lot !

Where do you mount/copy your certificates into the container?

Hello @Wolfsrudel

Thanks for the answer. I didn’t know that I had to copy/mount my certificates into my container… I’m a beginner with Vault and Docker.

So how do I proceed? First I create my .key and my .csr, and I can put them in a volume such as my “volume_test”? Then when I run my docker-compose, my container will be set up with my volume “volume_test” with the .key and the .csr in it?

thanks for the help !

Hello @Wolfsrudel

I am trying to understand where my mistakes are.

So I tried to run Vault with HTTPS like this:

vault.hcl file :

backend "file" {
  path = "/var/lib/vault"
}

api_addr = "https://192.168.56.9:443"

ui = true

disable_mlock = true

listener "tcp" {
  address       = "192.168.56.9:443"
  tls_cert_file = "/home/tim/Vault-Docker/domain.crt"
  tls_key_file  = "/home/tim/Vault-Docker/domain.key"
  tls_disable   = 0
}

Then I run vault server -config vault.hcl and I try to see if https://192.168.56.9 is enabled. I get a message from Firefox about the fact that my certificate is not secure because it is self-signed, and I get this message:

Vault UI is not available in this binary.
To get Vault UI do one of the following:

    Download an official release
    Run make bin to create your own release binaries.
    Run make dev-ui to create a development binary with the UI. 

Can you explain to me why I don’t have the UI?

I will try with docker-compose when I am able to do it this way!

Thanks a lot !

General question: is there a reason why you built the image yourself and didn’t use the official one from Docker Hub? Your problem may then be solved. I’ve seen the error message with the binary before, but I first have to check what it was.

EDIT:

Where do you run vault server...? On your local machine? Your container should do this. Is Vault installed on your local machine using Homebrew? I am very confused about what’s going on.

Try this one:

https://blog.exxeta.com/en/2019/12/20/setup-hashicorp-vault-on-docker/

Starting at “Run vault on docker”.

Hello @Wolfsrudel !

And thanks again for the help !
I didn’t know that there was an official Vault image on Docker Hub.

Now that I know, I’ve created a docker-compose.yaml file like this:

version: '3.3'

services:
  vault:
    image: vault:latest
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
      - ./vault/volume_test/:/vault/volume_test
      - ./vault/certs:/vault/certs
    environment:
      - VAULT_ADDR=https://192.168.56.10:8200
    command:
      - "server"
    cap_add:
      - IPC_LOCK

I’ve my vault-config.hcl file :

backend "file" {
  path = "/var/lib/vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
  tls_key_file  = "/home/xxx/Vault-Docker/domain.key"
}

ui = true
disable_mlock = true
api_addr = "https://192.168.56.10:8200"

If I run the docker-compose build command without the tls_cert_file and tls_key_file lines, replacing https with http in my docker-compose file and my vault.hcl file, everything works correctly.

If I run the docker-compose command with the tls_cert_file and tls_key_file lines and with https in place of http, the logs of my container show:

Error initializing listener of type tcp: error loading TLS cert: open /home/xxx/Vault-Docker/domain.crt: no such file or directory

While when I run this command :

vault server -config vault-config.hcl

With the tls_cert_file and tls_key_file lines and with https in my files (as shown in the docker-compose.yaml file and vault-config.hcl in this reply), everything works fine.

I do all my manipulations on an Ubuntu 20.04 VM in which I want to create a Docker container with Vault. I don’t really understand why in the first case (via the docker-compose command) I can’t set up a container with Vault in HTTPS.

Thanks again for the help you provide to the beginner that I am.

You’ll have to mount/copy the certs into the container. Your container doesn’t know anything about /home/xxx/Vault-Docker. If you run the command locally it’ll work, because the path is correct and available. In your docker-compose there is a mount /vault/certs. You’ll have to create this directory locally and copy the certs into it. Then your vault-config.hcl should point, in the case of the TLS parameters, to this directory.

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "/vault/certs/domain.crt"
  tls_key_file  = "/vault/certs/domain.key"
}

If there is still an error, check the permissions of the cert file. They should match a special mode. The directory permissions should be 700, the file permissions on all the files should be 600.

At some point we were all new to these topics. The main thing is not to give up.

1 Like
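The root cause in this thread is that the listener stanza names a host path that does not exist inside the container. The following is an added example (not code from the thread or from HashiCorp) that turns that diagnosis into a pre-flight check: it reads the `tls_cert_file`/`tls_key_file` values from a listener stanza and the short-syntax `- host:container` bind mounts from the compose service, maps each container path back to the host file behind it, and reports `not-mounted`, `missing-on-host`, `too-permissive` (private key readable by group/other) or `ok`. The compose and HCL snippets, the throwaway project directory and the placeholder certificate contents are all constructed for the demo; the regex parsing is deliberately minimal and assumes quoted HCL strings and the short volume syntax used in the thread.

```python
"""Pre-flight check: will Vault, inside the container, be able to open the TLS
files its listener names, given the bind mounts declared in docker-compose.yml?

Added example for the thread above; not from HashiCorp. Sample inputs are
constructed. Parsing is regex-based and only handles short-syntax volumes
(`- host:container[:ro]`) and double-quoted HCL strings.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# --- constructed sample inputs, modelled on the thread ------------------------
BROKEN_LISTENER = '''
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
  tls_key_file  = "/home/xxx/Vault-Docker/domain.key"
}
'''
FIXED_LISTENER = BROKEN_LISTENER.replace("/home/xxx/Vault-Docker", "/vault/certs")
COMPOSE_SNIPPET = '''
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/data:/vault/data
      - ./vault/certs:/vault/certs
'''

# `- host:container[:opts]` list items. The port mapping `- 8200:8200` has the
# same shape, so parse_mounts() keeps only entries whose target is absolute.
MOUNT_RE = re.compile(r'^\s*-\s*["\']?([^:\s"\']+):([^:\s"\']+)(?::[a-z,]+)?["\']?\s*$', re.M)
TLS_RE = re.compile(r'^\s*(tls_cert_file|tls_key_file)\s*=\s*"([^"]+)"', re.M)


def parse_mounts(compose_text: str) -> List[Tuple[str, str]]:
    """(host_path, container_path) pairs from short-syntax volume entries."""
    return [(h, c) for h, c in MOUNT_RE.findall(compose_text) if c.startswith("/")]


def parse_tls_files(hcl_text: str) -> Dict[str, str]:
    """{'tls_cert_file': path, 'tls_key_file': path} as written in the stanza."""
    return dict(TLS_RE.findall(hcl_text))


def to_host_path(container_path: str, mounts: List[Tuple[str, str]],
                 project_dir: str) -> Optional[str]:
    """Translate a path as Vault sees it into the host file behind it, using the
    longest bind-mount target that prefixes the path. None means no mount covers
    it: that is the thread's error, Vault opening a path that only exists on
    the host."""
    best: Optional[Tuple[str, str]] = None
    for host, target in mounts:
        target = target.rstrip("/")
        if container_path == target or container_path.startswith(target + "/"):
            if best is None or len(target) > len(best[1]):
                best = (host, target)
    if best is None:
        return None
    host, target = best
    rel = container_path[len(target):].lstrip("/")
    host_abs = host if os.path.isabs(host) else os.path.join(project_dir, host)
    return os.path.normpath(os.path.join(host_abs, rel))


def check_listener(hcl_text: str, compose_text: str, project_dir: str) -> Dict[str, str]:
    """One verdict per TLS file: 'ok', 'not-mounted', 'missing-on-host', or for
    the private key 'too-permissive' when group/other have any access bit."""
    mounts = parse_mounts(compose_text)
    verdicts: Dict[str, str] = {}
    for key, cpath in parse_tls_files(hcl_text).items():
        hpath = to_host_path(cpath, mounts, project_dir)
        if hpath is None:
            verdicts[key] = "not-mounted"
        elif not os.path.isfile(hpath):
            verdicts[key] = "missing-on-host"
        elif key == "tls_key_file" and os.stat(hpath).st_mode & 0o077:
            verdicts[key] = "too-permissive"
        else:
            verdicts[key] = "ok"
    return verdicts


def run_demo() -> Dict[str, Dict[str, str]]:
    """Create a throwaway project dir with ./vault/certs/domain.{crt,key}
    (placeholder contents, not real PEM) and run the check over four scenarios."""
    out: Dict[str, Dict[str, str]] = {}
    with tempfile.TemporaryDirectory() as project:
        certs = os.path.join(project, "vault", "certs")
        os.makedirs(certs)
        crt, key = os.path.join(certs, "domain.crt"), os.path.join(certs, "domain.key")
        for path in (crt, key):
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, 0o600)
        out["host-path-in-config"] = check_listener(BROKEN_LISTENER, COMPOSE_SNIPPET, project)
        out["container-path-in-config"] = check_listener(FIXED_LISTENER, COMPOSE_SNIPPET, project)
        os.chmod(key, 0o644)  # simulate a key copied with default umask
        out["key-readable-by-others"] = check_listener(FIXED_LISTENER, COMPOSE_SNIPPET, project)
        os.remove(crt)        # simulate forgetting to copy the cert into ./vault/certs
        out["cert-not-copied-yet"] = check_listener(FIXED_LISTENER, COMPOSE_SNIPPET, project)
    return out


if __name__ == "__main__":
    for scenario, verdicts in run_demo().items():
        print(f"{scenario}: {verdicts}")
```

Run it from the compose project directory with your real files by calling `check_listener(open("vault/config/vault-config.hcl").read(), open("docker-compose.yml").read(), ".")`. One caveat on the 600/700 advice above: the official `vault` image drops to its own `vault` user before starting the server, so a key that is mode 600 and owned by your host account is unreadable inside the container; either chown the files to the container's `vault` uid or start the service with a matching `user:` entry in the compose file.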

It works !

The solution was simple… Thank you for enlightening me about that !

Thanks and have a nice day !

2 Likes

You are welcome! :hugs: Stay healthy!

1 Like

Take care of yourself too ! :slightly_smiling_face: