Service Registration Error: “redirect address must not be empty” - when setting VAULT_API_ADDR

Hi there,

I’m running vault in a HA configuration with a consul storage backend. At startup vault gives me the error message:

[ERROR] service_registration.consul: error running service registration: redirect address must not be empty

This issue is similar to the one described here: Service Registration Error: “redirect address must not be empty”

Specifying api_addr = “http://127.0.0.1:8200” in the configuration as suggested in the discussion works and the message disappears from the logs.

According to the documentation (Server Configuration | Vault | HashiCorp Developer) I should be able to alternatively set this value via the environment variable VAULT_API_ADDR. But when only setting the environment variable and not adding the setting to the config file, I still get the error message.

Am I missing something here?

Do you start the process with the environment variable set (it’s spawning a subshell, I guess)?

VAULT_API_ADDR=... vault... 

Alternatively you’ll have to set the environment variable in the systemd unit file.
I think only setting the variable in your shell and starting vault won’t help. You’ll have to pass it to the process/ subshell.

My bad, I forgot to mention I’m running this in a kubernetes environment. The environment variables are set via the pod manifest so I think they are properly set in a “system-wide” manner before vault is started.

I ran a few tests to make sure that variables are actually set.

This is how I originally configured the vault container to run:

# this runs the 'vault server' command via docker-entrypoint.sh
...
containers:
- name: vault
   args: 
   - server
   image: vault:1.4.1
   ...

I replaced the args section with the following:

 # this just runs the 'env' command
 command:
 - env

In a second run I replaced it with this one:

 # this runs the 'env' command via docker-entrypoint.sh
 args: 
 - env

Both cases lead to successfully printing all the set environment variables:

...
VAULT_API_ADDR=https://x.x.x.x:8200
VAULT_CLUSTER_ADDR=https://x.x.x.x:8201
VAULT_REDIRECT_ADDR=https://x.x.x.x:8200
SKIP_CHOWN=nonempty
SKIP_SETCAP=nonempty
...

Note that I successfully use both SKIP_… variables to run vault as non-root (I’m running the official vault docker image ).

This is how the variables are set in the container manifest:

env:
- name: SKIP_CHOWN
  value: nonempty
- name: SKIP_SETCAP
  value: nonempty
- name: VAULT_REDIRECT_ADDR
  value: https://x.x.x.x:8200
- name: VAULT_API_ADDR
  value: https://x.x.x.x:8200
- name: VAULT_CLUSTER_ADDR
  value: https://x.x.x.x:8201

While env prints all the variables just fine, I still get the error message when starting vault as mentioned above:

2020-05-15T13:33:17.249Z [ERROR] service_registration.consul: error running service registration: redirect address must not be empty

When setting the option api_addr = "https://127.0.0.1:8200" in the config and not changing anything except recreating the vault pod, the message will not show anymore.

@Wolfsrudel I was able to verify that the environment variable VAULT_API_ADDR is exposed to the vault binary:

Not specifying VAULT_API_ADDR leads to this output:

==> Vault server started! Log data will stream in below:

2020-05-18T15:18:53.538Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-05-18T15:18:53.635Z [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-05-18T15:18:53.635Z [ERROR] service_registration.consul: error running service registration: redirect address must not be empty

When specifying VAULT_API_ADDR the WARN line from above is not shown:

==> Vault server started! Log data will stream in below:

2020-05-18T15:16:27.098Z [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-05-18T15:16:27.112Z [ERROR] service_registration.consul: error running service registration: redirect address must not be empty

This output also shows that even so vault correctly detects that VAULT_API_ADDR is set, vault still throws the initial error. This can only be prevented by specifying the api_addr option in the configuration file which, according to the documentation, should be equal to setting the VAULT_API_ADDR environment variable.

This looks like a bug to me.

1 Like

Looks like https://github.com/hashicorp/vault/issues/9016

1 Like

If it’s a known bug already we should just wait for a bugfix release and use the workaround 'til then.

this is fixed in version 1.4.2