Issue with PKI engine when running vault with postgresql as backend

adityabyreddy · December 3, 2019, 3:52pm

Hi,

I’m running vault a replicas mode with postgresql as backend on Kubernetes. Vault initilization and unsealing are taken care through a Kubernetes job. When i’m trying to populate/bootstrap some changes on vault, i’m facing “no handler for route” errors at various phases.

Bootstrapping steps ,

vault login -no-store $VAULT_TOKEN

vault secrets enable pki

vault secrets tune -max-lease-ttl=87600h pki

vault write pki/root/generate/internal common_name=vault ttl=87600h private_key_format=“pkcs8”

vault write pki/config/urls issuing_certificates=“https://vault:8200/v1/pki/ca” crl_distribution_points=“https://vault:8200/v1/pki/crl”

vault write pki/roles/client allow_any_name=“true” client_flag=“true” max_ttl=“87600h” server_flag=“false”

vault write pki/roles/server allow_any_name=“true” allowed_domains=“cluster.local” allow_subdomains=“true” client_flag=“true” max_ttl=“87600h” enforce_hostnames=“false” server_flag=“true”

Error Details ,

Enabling pki engine at ‘pki’ path… Success! Enabled the pki secrets engine at: pki/ Tuning pki secret engine… Success! Tuned the secrets engine at: pki/ Generating self-signed root CA certificate Error writing data to pki/root/generate/internal: Error making API request. URL: PUT https://vault:8200/v1/pki/root/generate/internal Code: 404. Errors: * no handler for route ‘pki/root/generate/internal’

Vault version : 1.3.0 (Docker image)

Vault server configuration :

config.json

{“listener”:{“tcp”:{“address”:"[::]:8200",“cluster_address”:"[::]:8201",“tls_cert_file”:"/vault/tls/tls.crt",“tls_cipher_suites”:“TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA”,“tls_disable”:false,“tls_key_file”:"/vault/tls/tls.key",“tls_prefer_server_cipher_suites”:true}},“storage”:{“postgresql”:{}},“ui”:false}

storage-config.hcl

storage “postgresql” {

connection_url = “postgres://vault:vault123@localhost:5432/vault?sslmode=disable”

}

telemetry.hcl

telemetry {

prometheus_retention_time = “30s”

disable_hostname = true

dogstatsd_addr = “10.0.0.162:8125”

dogstatsd_tags = [“namespace=infratest”,“service=polaris-vault”]

}

vault server -config /vault/config/config.json -config /tmp/storage-config.hcl -config /tmp/telemetry.hcl

Any thoughts on whats going wrong here?

Topic		Replies	Views
Moving pki engine to another vault cluster Vault	5	1638	October 18, 2021
Agent.auth.handler: error authenticating: error=“Put "http://vault-a.vault-a.svc:8200/v1/auth/kubernetes/login\”: dial tcp x.x.x Vault k8s , vault	1	425	February 1, 2024
Recreate root CA Vault	4	562	April 25, 2023
Injecting Vault Secrets Into Kubernetes Pods via a Sidecar - Error recieved Vault k8s , vault	0	432	August 13, 2021
Vault pki manual_chain examples? Vault	2	445	March 13, 2023

Issue with PKI engine when running vault with postgresql as backend

Related topics