Unable to renew token autounseal

Hi All,

I have a setup of two Vault instances, and one of them is using transit auto-unseal to unseal the main Vault. Both are on a local domain.

Main Vault - vault1.soluspki-int.in
Unsealing Vault - vault2.soluspki-int.in

I have generated the certificates using the Vault PKI method. The certificates were working fine. vault2 is running fine, but vault1 is facing a token renew error while auto-unsealing.

This error appeared after the self-signed certificates were implemented. I don't think it's an issue with the certs. But I can't access either Vault from my host machine after putting the Vaults on the domain. Previously, auto-unsealing worked and I could access the Vaults via the VMs' IPs.

May 06 11:56:08 vault1.soluspki-int.in vault[3476]: Error parsing Seal configuration: Put "https://vault2.soluspki-int.in:8200/v1/transit/encrypt/autounseal": dial tcp 192.168.56.4:8200: connect: connection refused
May 06 11:56:08 vault1.soluspki-int.in vault[3476]: 2022-05-06T11:56:00.599Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
May 06 11:56:08 vault1.soluspki-int.in vault[3476]: 2022-05-06T11:56:04.759Z [INFO]  seal.transit: unable to renew token, disabling renewal: err="Put \"https://vault2.soluspki-int.in:8200/v1/auth/token/renew-self\": dial tcp 192.168.56.4:8200: connect: connection refused"

Main Vault - vault1.soluspki-int.in Config:

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true
storage "raft" {
  path = "/opt/vault/data"
  node_id = "node_1"
}
# HTTPS listener
listener "tcp" {
  address       = "vault1.soluspki-int.in:8200"
  tls_disable    = 0
  tls_cert_file  = "/home/vagrant/certs/fullchain.crt"
  tls_key_file   = "/home/vagrant/certs/vault1.key"
}
api_addr = "https://vault1.soluspki-int.in:8200"
cluster_addr = "https://vault1.soluspki-int.in:8201"
disable_mlock = true
ui=true

seal "transit" {
  address = "https://vault2.soluspki-int.in:8200"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  token = "<token-here>"
  tls_skip_verify = 0
}

Unsealing Vault - vault2.soluspki-int.in Config:

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

storage "file" {
  path = "/opt/vault/data"
  node_id = "node_1"
}

# HTTPS listener
listener "tcp" {
  address       = "vault2.soluspki-int.in:8200"
  tls_disable    = 0
  tls_cert_file  = "/home/vagrant/certs/fullchain.crt"
  tls_key_file   = "/home/vagrant/certs/vault2.key"

}
api_addr = "https://vault2.soluspki-int.in:8200"
cluster_addr = "https://vault2.soluspki-int.in:8201"
disable_mlock = true
ui=true

My intention is to test the certs, and I can't even access Vault from the Windows host machine. I have added the following IPs to my Windows /etc/hosts file too.


Please help me out. I can’t figure it out.

This line shows certificates are not the problem. Rather, vault1 isn’t even able to open a TCP connection to vault2.

Is vault2 even running?

Yes, it’s running just fine.


Hello again @maxb. I have spent the weekend figuring out this issue, but no luck. Can you help me resolve this issue, please?

I wonder if the problem is that you are using hostnames in your listener.address configuration.

This could lead to your Vault listeners being bound to an unexpected IP address depending on DNS resolution.

This would potentially explain

So, check what IP addresses your Vaults are actually listening on - e.g.

netstat -tlnp
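The point being made above is that a listener bound to a hostname is only as good as that name's resolution on the Vault host itself: if the machine's own /etc/hosts maps its name to a 127.0.x.1 address, Vault binds to loopback and every remote dial is refused. The script below is an added pre-flight check written for this thread, not code from the thread or from Vault; it uses a minimal regex to pull the listener address out of a vault.hcl (not a real HCL parser), resolves it through a swappable resolver so each VM's hosts file can be modelled, and compares the IP a "connection refused" log line was dialing with what the listener can actually be bound to. The hosts tables (VAULT1_HOSTS, VAULT2_HOSTS) are constructed stand-ins; the log line is the one quoted in the first post.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]

# Constructed sample config, trimmed to what this check needs; same shape as the
# posted vault.hcl, with the listener bound to a hostname rather than an IP.
SAMPLE_HCL = '''
ui = true
listener "tcp" {
  address       = "vault2.soluspki-int.in:8200"
  tls_disable    = 0
}
api_addr = "https://vault2.soluspki-int.in:8200"
'''

# Constructed stand-ins for each VM's /etc/hosts (hypothetical contents). On
# Debian/Ubuntu-style installs the machine's own name often maps to 127.0.x.1,
# so the same hostname resolves differently on vault2 than it does on vault1.
VAULT2_HOSTS = {"vault2.soluspki-int.in": ["127.0.3.1"]}
VAULT1_HOSTS = {"vault2.soluspki-int.in": ["192.168.56.4"]}

# The seal error quoted in the thread: vault1 dialing vault2 for transit auto-unseal.
SAMPLE_LOG = ('Error parsing Seal configuration: Put "https://vault2.soluspki-int.in:8200'
              '/v1/transit/encrypt/autounseal": dial tcp 192.168.56.4:8200: '
              'connect: connection refused')

DIAL_RE = re.compile(r"dial tcp (\[?[0-9A-Fa-f.:]+\]?):(\d+): connect: connection refused")


def system_resolver(host: str) -> List[str]:
    """Resolve through the OS; glibc consults /etc/hosts before DNS, like Vault does."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a dict, standing in for one specific host's /etc/hosts."""
    def resolve(host: str) -> List[str]:
        try:
            ipaddress.ip_address(host)  # literal IP: nothing to look up
            return [host]
        except ValueError:
            return table.get(host, [])
    return resolve


def listener_addresses(hcl: str) -> List[str]:
    """Extract address = "..." from each flat listener "tcp" { ... } block."""
    found = []
    for body in re.findall(r'listener\s+"tcp"\s*\{(.*?)\}', hcl, re.S):
        m = re.search(r'^\s*address\s*=\s*"([^"]+)"', body, re.M)
        if m:
            found.append(m.group(1))
    return found


def split_host_port(addr: str) -> Tuple[str, int]:
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def check_listener(addr: str, resolve: Resolver) -> List[str]:
    """Findings for one listener address, resolved the way the Vault host itself would."""
    host, _ = split_host_port(addr)
    ips = resolve(host)
    if not ips:
        return [f"{addr}: hostname does not resolve; the listener cannot bind"]
    return [f"{addr}: resolves to loopback {ip}; a listener bound there is unreachable "
            f"from other hosts, so remote dials are refused"
            for ip in ips if ipaddress.ip_address(ip).is_loopback]


def dial_target(log_line: str) -> Optional[Tuple[str, int]]:
    """Pull the IP:port that a 'connection refused' error was dialing."""
    m = DIAL_RE.search(log_line)
    if not m:
        return None
    return m.group(1).strip("[]"), int(m.group(2))


def explain_refusal(log_line: str, listener_addr: str, server_resolve: Resolver) -> Optional[str]:
    """Compare the dialed IP:port with the addresses the server's listener really binds."""
    target = dial_target(log_line)
    if target is None:
        return None
    host, port = split_host_port(listener_addr)
    bound = set(server_resolve(host))
    if target[1] != port:
        return f"client dialed port {target[1]} but the listener is on port {port}"
    if target[0] in bound or "0.0.0.0" in bound:
        return None  # listener covers that IP; check service state or a firewall instead
    return (f"client dialed {target[0]}:{target[1]} but the listener binds only "
            f"{sorted(bound)}; fix the listener address or the hosts entry")


if __name__ == "__main__":
    on_vault2 = table_resolver(VAULT2_HOSTS)  # swap in system_resolver on a real host
    for addr in listener_addresses(SAMPLE_HCL):
        for finding in check_listener(addr, on_vault2):
            print("listener:", finding)
        print("refusal:", explain_refusal(SAMPLE_LOG, addr, on_vault2))
```

Run on the Vault host with `system_resolver` in place of the table resolver, it answers the same question as `netstat -tlnp`, but before the service is started; the same comparison also explains the later `dial tcp 127.0.3.1:8200` refusal once the listener is moved to the VM's IP while the hostname still resolves to loopback locally.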

Thanks for that. I have changed the config of Vault2 and am able to access the Vault from the host over HTTPS. But when I do vault status:

Error checking seal status: Get "https://vault2.soluspki-int.in:8200/v1/sys/seal-status": dial tcp 127.0.3.1:8200: connect: connection refused
vagrant@vault2:~$ cat /etc/vault.d/vault.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

storage "file" {
  path = "/opt/vault/data"
  node_id = "node_1"
}

# HTTPS listener
listener "tcp" {
  address       = "192.168.56.4:8200"
  tls_disable    = 0
  tls_cert_file  = "/home/vagrant/certs/fullchain.crt"
  tls_key_file   = "/home/vagrant/certs/vault2.key"

}

api_addr = "https://192.168.56.4:8200"
cluster_addr = "https://192.168.56.4:8201"
disable_mlock = true
ui=true

Thank you so much @maxb. I got it working with your advice. 🙂