Vault doesn't work without configured env var (trying to connect on https://127.0.0.1)

Vault
1

Hi there!

I think it seems to be related to: Vault agent template doesn't seem to respect env vars (but even if it’s merged, we still have the issue with v.1.4.2 release).

We have the issue with our staging/production setup, that Vault can’t establish the connection to itself without configured environment variable VAULT_ADDR='https://vault-production.domain.com'.

We run both consul and vault in a cluster on same nodes, so basically Vault uses Consul as backend on localhost.

This is our Vault config from one host:

{
  "listener": {
    "tcp": {
      "tls_disable": 0,
      "address": "0.0.0.0:8200",
      "cluster_address": "10.1.21.91:8201",
      "tls_cert_file": "/etc/ssl/certs/domain_com.crt",
      "tls_key_file": "/etc/ssl/private/domain_com.key"
    }
  },
  "storage": {
    "consul": {
      "address": "127.0.0.1:8500",
      "path": "vault/"
    }
  },
  "disable_mlock": 0,
  "ui": true,
  "api_addr": "https://10.1.21.91:8200",
  "cluster_name": "vault-staging"
}

But vault status responds with Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.

After setting env var VAULT_ADDR='https://vault-staging.domain.com' it works flawlessly. I have no idea why it takes https://127.0.0.1 by default… Do we miss something in the config to avoid exporting env vars on each host?

Thx and have a nice day!

2

The Vault binary needs to know where to look for the Vault service, hence requiring the VAULT_ADDR being set. If that is missing, it defaults to https://127.0.0.1:8200
When it does that, it tries to verify the certificate against the URL and needs to see 127.0.0.1, if your cert does not contain that, you will get, as expected:

You need to either add 127.0.0.1 to your cert (which some sec managers will not do), or, export your VAULT_ADDR variable with a FQDN.

And also - We run both consul and vault in a cluster on same nodes
Generally not recommened, if this is for production usage make sure you are monitoring memory, KV size, lease size/ttl so you don’t blow up your cluster (either consul or vault).

2 Likes
3

Ah, that explains everything. I saw it only in the first guide of Vault for the local development server, but wasn’t sure about production setup and if one still needs the environment variable. Thx for the fast response and explanation!

And yes, we are aware of the risk running it on same nodes, but our consul/vault setup is pretty small and we also monitor everything about host and services running. But nevertheless thank you for the warning! :slight_smile: