Problem running vault server as a service on Windows 10 under nssm

Vault is successfully…

  • …installed
  • …run as manual server: vault server -config=D:/DATA/HashicorpVault/Conf/HashicorpVault.server.hcl
  • …accessed in the WEB browser
  • …using TLS, certificates are read and used OK, connection reported secure
  • …storing and retrieving persisted kv secrets across reboots and restarts
  • …shortly doing everything I expect

… except one thing:
I have to run it under a hanging cmd window, which I feel is a bit unprofessional.
So I have tried in all recommended ways (as I see it) as described on Hashicorp’s site to run it as a service under nssm.

  • Installing from a cmd shell as Administrator:

nssm install HashicorpVault “C:/Program Files/HashicorpVault/vault.exe” server -config="D:/DATA/HashicorpVault/Conf/HashicorpVault.server.hcl

  • nssm start HashicorpVault, however, always gives: HashicorpVault: Unexpected status SERVICE_PAUSED in response to START control
  • The vault is unaccessible from WEB UI
  • HashicorpVault.log is written in the expected directory, as configured in the configuration file. This indicates that the configuration file is successfully read
  • The “HashicorpVault.log” reads:
2024-12-15T00:20:54.367+0100 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2024-12-15T00:20:54.369+0100 [INFO]  incrementing seal generation: generation=1
2024-12-15T00:20:54.369+0100 [DEBUG] core: set config: sanitized config="{\"administrative_namespace_path\":\"\",\"api_addr\":\"https://127.0.0.1:8200\",\"cache_size\":0,\"cluster_addr\":\"\",\"cluster_cipher_suites\":\"\",\"cluster_name\":\"\",\"default_lease_ttl\":0,\"default_max_request_duration\":0,\"detect_deadlocks\":\"\",\"disable_cache\":false,\"disable_clustering\":false,\"disable_indexing\":false,\"disable_mlock\":true,\"disable_performance_standby\":false,\"disable_printable_check\":false,\"disable_sealwrap\":false,\"disable_sentinel_trace\":false,\"enable_response_header_hostname\":false,\"enable_response_header_raft_node_id\":false,\"enable_ui\":true,\"experiments\":null,\"imprecise_lease_role_tracking\":false,\"introspection_endpoint\":false,\"listeners\":[{\"config\":{\"address\":\"0.0.0.0:8200\",\"tls_cert_file\":\"D:/Data/HashicorpVault/Prot/Tls/HashicorpVault.crt.pem\",\"tls_key_file\":\"D:/Data/HashicorpVault/Prot/Tls/HashicorpVault.private.key.pem\"},\"type\":\"tcp\"}],\"log_file\":\"D:/DATA/HashicorpVault/Logs/HashicorpVault.log\",\"log_format\":\"\",\"log_level\":\"debug\",\"log_requests_level\":\"\",\"max_lease_ttl\":0,\"pid_file\":\"\",\"plugin_directory\":\"\",\"plugin_file_permissions\":0,\"plugin_file_uid\":0,\"plugin_tmpdir\":\"\",\"raw_storage_endpoint\":false,\"seals\":[{\"disabled\":false,\"name\":\"shamir\",\"priority\":1,\"type\":\"shamir\"}],\"storage\":{\"cluster_addr\":\"\",\"disable_clustering\":false,\"redirect_addr\":\"https://127.0.0.1:8200\",\"type\":\"file\"}}"
2024-12-15T00:20:54.369+0100 [DEBUG] storage.cache: creating LRU cache: size=0

Here is my config file:

storage "file" {
  path    = "D:/Data/HashicorpVault/Prot/Data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_cert_file = "D:/Data/HashicorpVault/Prot/Tls/HashicorpVault.crt.pem"
  tls_key_file  = "D:/Data/HashicorpVault/Prot/Tls/HashicorpVault.private.key.pem"
}

disable_mlock = true
api_addr = "https://127.0.0.1:8200"
cluster_addr = ""
ui = true
log_level = "debug"
log_file = "D:/DATA/HashicorpVault/Logs/HashicorpVault.log"

What have I missed?

Hello,

Have you tried following this doc? (click the PowerShell tab when you open it)

Yes, this was one of the docs I read. Thanks, anyway! (Both dos and PS shell)

Thanks for confirming, will try to give this a run through again to see if I get any errors.

What version of Vault are you running? I just set up the service using nssm based on the previously shared page. Only change was I set AppPrameters to “server -dev” to start in dev mode and its running for me.

Have you tried moving the config out of the base service and setting it as in the doc?

nssm set MS_VAULT AppParameters "server -config D:/DATA/HashicorpVault/Conf/HashicorpVault.server.hcl"