Need help assigning a TLS certificate to the subdomain of the server hosting HashiCorp Vault

I am totally new to HashiCorp Vault. It’s my first time using it and luckily I have got into a problem.

I have installed HashiCorp Vault on my Ubuntu 20 LTS server on AWS and it’s working fine with the IP address when used in the browser.

http://52.7.99.42:8200/ui

I have followed this documentation for the HashiCorp Vault installation:
This is the content of my /etc/vault.d/vault.hcl file:

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

storage "file" {
  path = "/vault-data"
}

ui = true

But now my use case is that I want to access this with a domain name, hashivault.onecloudhelper.com (https://hashivault.onecloudhelper.com/), with a TLS certificate enabled.

I have downloaded the required keys from Certbot and have tried to make changes in the configurations.

The following are the configuration changes that I have tried in the /etc/vault.d/vault.hcl file:

# HTTPS listener
listener "tcp" {
  address       = "hashivault.onecloudhelper.com:8200"
  tls_cert_file = "/etc/letsencrypt/live/hashivault.onecloudhelper.com/fullchain.pem"
  tls_key_file  = "/etc/letsencrypt/live/hashivault.onecloudhelper.com/privkey.pem"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 0
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = false
}

storage "file" {
  path = "/vault-data"
}

ui = true

I have gone through multiple documents but have not been able to do this. Please help me with how I can achieve this.

Moin,

What is the exact error message?

Micha

For one thing, you have 2 listener declarations for the same port, one using TLS and the other not.

If you want to make the TLS port available for a regular user on a browser, without passing an extra port to the URL, I’d suggest you put your TLS-enabled listener on port 443.
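A single-listener version of that configuration, as an added example that is not from the thread: it keeps the hostname and Certbot paths from the post, moves the one TLS listener to port 443 as the reply suggests, and drops the second plaintext listener that was competing for the same port. The `api_addr`, `tls_min_version` and the permission notes are assumptions about this deployment, not something the poster confirmed.

```hcl
# Added example (not the poster's config): one HTTPS listener on 443.
# Hostname and certificate paths are taken from the post above; the
# remaining settings are assumptions about this deployment.

listener "tcp" {
  # Bind on all interfaces. The certificate hostname is checked by the
  # client against the URL it requested, not by the bind address, so the
  # domain name does not belong here.
  address         = "0.0.0.0:443"
  tls_disable     = false
  tls_cert_file   = "/etc/letsencrypt/live/hashivault.onecloudhelper.com/fullchain.pem"
  tls_key_file    = "/etc/letsencrypt/live/hashivault.onecloudhelper.com/privkey.pem"
  tls_min_version = "tls12"
  # Caveats: the account Vault runs as must be able to read privkey.pem,
  # which Certbot creates readable by root only, so copy the files to a
  # Vault-owned directory or grant read access to that account. Binding a
  # port below 1024 as a non-root service also needs CAP_NET_BIND_SERVICE
  # (for example via AmbientCapabilities in the systemd unit).
}

# The URL Vault advertises to clients and the UI; matches the certificate.
api_addr = "https://hashivault.onecloudhelper.com"

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

storage "file" {
  path = "/vault-data"
}

ui = true
```

After restarting Vault, `curl -v https://hashivault.onecloudhelper.com/v1/sys/health` should show the Let's Encrypt chain being accepted and a JSON health response from Vault; point `VAULT_ADDR` at the same URL for the CLI.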