Unable to enable any secret engine

Hi,

I’m running into many errors with Vault.
Vault is in a cluster with a load balancer in GCP.
I’ve succeeded in unsealing it and creating a policy (with its token)…but when I’m trying to enable the kv secret engine (for example, because I have the same problem with any other secrets engine), it always returns the same error message:
Error listing secrets engines: Get “http://127.0.0.1:8200/v1/sys/mounts”: dial tcp 127.0.0.1:8200: connect: connection refused

And this error message comes up no matter if I add “VAULT_ADDR=http://xxxxxx:8200” as environment variable.
When I add “-address=http://xxxxxx:8200” as additional option flag at the end of the command (like : vault secrets enable kv -address=“http://xxxxxx:8200”), it doesn’t returns another error : Too many arguments (expected 1, got 2)

Thanks for any kind of help.

By default it should be listening on 8200. So running vault commands from the CLI on one of the servers should connect. Post your config file and it might show what’s misconfigured.

Hi and thanks for your reply.
Here is my config file:

I am guessing Vault isn’t even starting up, or can’t start the listener - listener’s cluster_address needs to be server to server communication, 8201
Listener address should be 8200

If changing that doesn’t work, restart vault service and post the log.

Thanks, but even after having modified the port for cluster_address in the listener…I still have the same problem.
I’ve already tried with the load balancer IP and the dns name in address and cluster_address in the listener…and it was the same.



Hi,

I’ve made some updates in the “listener” section of the config file: two “tcp” blocks, one with the local ip and the second with the load balancer ip.
Also, the “cluster_ip” with the local ip and the “api_addr” with the load balancer ip.

When I run the following command from any other VM outside the cluster:

vault secrets enable kv

I get the following error message:

Error enabling: Post “https://127.0.0.1:8200/v1/sys/mounts/kv”: dial tcp 127.0.0.1:8200: connect: connection refused

When I try the following command :

vault secrets enable kv -address="http://xxxxxxxxxxx:8200"

I get:

Too many arguments (expected 1, got 2)

When I try:

VAULT_ADDR=“http://xxxxxxxxx:8200” vault secrets enable -path=xxx kv

It works…but I already registered VAULT_ADDR=“http://xxxxxxxxx:8200” as an environment variable (It’s the first thing I do on connecting to the VM on which I’m working).

This is not recommended due to possible loop conditions. It should normally be the internal cluster address.

That is incorrect syntax. See Commands (CLI) | Vault | HashiCorp Developer

For the first point: I believe it too…but it seems the internal ip address configured in the api_addr block didn’t work as expected.

For the second point: I know the correct syntax, don’t worry. I think I’ve found a workaround with the good environment value for VAULT_ADDR variable inside the systemd service file.

I think the case can be closed as for now…If I have any other problems, I’ll open a new case.

Many thanks :slight_smile:
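
Added example, not part of the thread and not Vault's own tooling: the last error above names https://127.0.0.1:8200, which is the Vault CLI's default address, so a useful check is whether VAULT_ADDR actually reaches child processes (a shell assignment without export does not) and whether flags come before the positional argument. The function names and the hostname are made up for illustration.

```shell
#!/bin/sh
# Address the vault CLI falls back to when VAULT_ADDR is not in its environment.
VAULT_DEFAULT_ADDR="https://127.0.0.1:8200"

# Prints "exported", "shell-only" (assigned but never exported) or "unset".
vault_addr_state() {
    if env | grep -q '^VAULT_ADDR='; then
        echo "exported"
    elif [ -n "${VAULT_ADDR+x}" ]; then
        echo "shell-only"
    else
        echo "unset"
    fi
}

# Prints the address a child process such as the vault CLI would end up using.
effective_vault_addr() {
    addr=$(env | sed -n 's/^VAULT_ADDR=//p')
    echo "${addr:-$VAULT_DEFAULT_ADDR}"
}

# Takes the arguments that follow the subcommand (after "secrets enable").
# Succeeds only if every -flag comes before the first positional argument.
flags_before_args() {
    seen_positional=0
    for a in "$@"; do
        case "$a" in
            -*) [ "$seen_positional" -eq 0 ] || return 1 ;;
            *)  seen_positional=1 ;;
        esac
    done
    return 0
}

echo "VAULT_ADDR is $(vault_addr_state); the CLI would talk to $(effective_vault_addr)"

# Constructed hostname. Flag placement that passes the check:
#   vault secrets enable -address="http://vault.example.internal:8200" kv
# To make the variable visible to the CLI in the current session:
#   export VAULT_ADDR="http://vault.example.internal:8200"
```

If the state is "shell-only", the variable was assigned in the session but never exported, so the CLI still uses its default address.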