I installed Vault in prod mode, using this configuration:
ui = true
#mlock = true
#disable_mlock = true
storage "file" {
  path = "/opt/vault/data"
}
# HTTPS listener
listener "tcp" {
  address = "0.0.0.0:8200"
  # tls_disable = 1 turns TLS off for this listener, so the cert/key below are not used
  tls_disable = 1
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file = "/opt/vault/tls/tls.key"
}
After running vault.service and checking the Vault status, it is pre-initialised and sealed, and I am unable to unseal it. Please help.
vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 3
Threshold 2
Unseal Progress 0/2
Unseal Nonce n/a
Version 1.11.0
Build Date 2022-06-17T15:48:44Z
Storage Type file
HA Enabled false
aram
July 6, 2022, 10:03am
#2
You can run hcdiag to see if it can detect any permission or filesystem issues.
The detail: /opt/vault/data should have 3 directories in it, all owned by the user that started Vault. Most likely there is either an ownership or permission issue there.
I could find 3 directories inside /opt/vault/data, changed the ownership and permissions, and tried to regenerate the master token with the below command, but it throws an error.
$ vault operator generate-root -generate-otp
Error getting root generation status: Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/generate-root/attempt
Code: 503. Errors:
aram
July 6, 2022, 11:21am
#4
Your Vault is sealed. You have to unseal it. Run that hcdiag tool.
maxb
July 6, 2022, 6:32pm
#5
timjar3:
It is pre initialised
Vault does not pre initialise.
I can think of two possibilities:
You are running Vault with some kind of custom wrapper that does this.
Or, you have started up Vault with a data directory from a previous experiment, that was initialised.
Thanks Max for the reply.
Not sure about the wrapper; I doubt that, as it was a clean install.
I made sure to delete the /opt/vault/data directory and any Vault sub-folder before reinstalling.
This is a demo install on a prod server. I did chown on the tsl directory to the vault user and exported VAULT_ADDR.
Why do I not see any certs being generated in the tsl folder on starting vault.service?
Not sure what I am missing.
Thanks Aram for the reply. Will try this out and update.
maxb
July 7, 2022, 5:38am
#8
That’s a typo for tls, I assume?
Why would you expect to see certs being generated? Vault doesn’t automatically generate certificates and write them to disk.
timjar3:
Initialized true
There’s really no way to explain this other than:
You manually initialized Vault
Someone else manually initialized Vault
Some software, that is not the main Vault binary itself, initialized Vault
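The checks aram suggests (the data directory and its ownership) and the point maxb makes (a non-empty data directory from an earlier run will make Vault come up already initialised and sealed) can be scripted as a pre-flight check before starting vault.service. The script below is an added example, not part of this thread and not HashiCorp's tooling; it assumes the data path and service user from the thread (/opt/vault/data and a user named vault) as defaults, and the sample status text embedded in it is constructed from the output posted above. It does not need a running Vault: the status parser reads the text of `vault status` that you paste or pipe into it.

```shell
#!/bin/sh
# Pre-flight checks for a Vault "file" storage backend (added example, not part of the thread).
# Defaults are assumptions taken from the thread; override via environment variables.
VAULT_DATA_DIR="${VAULT_DATA_DIR:-/opt/vault/data}"
VAULT_SERVICE_USER="${VAULT_SERVICE_USER:-vault}"

# Constructed sample: the `vault status` output posted in the thread, trimmed to the two lines we parse.
SAMPLE_STATUS='Initialized true
Sealed true'

# Reduce `vault status` text (on stdin) to "initialized=<v> sealed=<v>".
# Initialized=true on a host you never ran `vault operator init` on means the
# data directory already held an initialised Vault before this start.
vault_state_from_status() {
  awk '$1 == "Initialized" { i = $2 } $1 == "Sealed" { s = $2 }
       END { printf "initialized=%s sealed=%s\n", i, s }'
}

# Return 0 if the data directory is absent or empty (a fresh install: the first
# `vault operator init` will populate it). Return 1 if it already contains data:
# Vault will then start initialised and sealed, and only the unseal keys from
# that earlier init can unseal it.
data_dir_is_fresh() {
  dir="$1"
  [ -d "$dir" ] || return 0
  [ -z "$(ls -A "$dir")" ]
}

# Return 0 if every entry under the data directory is owned by the service user;
# otherwise print the offending paths and return 1. A missing user is an error too,
# because `find ! -user` would otherwise report nothing.
data_dir_owned_by() {
  dir="$1"
  user="$2"
  id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
  bad=$(find "$dir" ! -user "$user" 2>/dev/null)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Stand-alone run: report on the configured directory and parse the sample status.
if data_dir_is_fresh "$VAULT_DATA_DIR"; then
  echo "$VAULT_DATA_DIR is empty or absent: Vault will start uninitialised"
else
  echo "$VAULT_DATA_DIR already holds data: Vault will start initialised and sealed"
  data_dir_owned_by "$VAULT_DATA_DIR" "$VAULT_SERVICE_USER" \
    || echo "entries above are not owned by $VAULT_SERVICE_USER" >&2
fi
printf '%s\n' "$SAMPLE_STATUS" | vault_state_from_status
```

Run it as the same user that starts Vault, or as root, so `find` can read the whole tree; to check a live host, replace the sample with `vault status | vault_state_from_status`.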