Vault Raft AWS TLS bolt file Error

Hi! :laughing: I am having an issue updating certs to use for my deployment of Vault…

The steps I took to add the certs were to create them in a custom location and reference them as shown below in my HCL config:

disable_performance_standby = true
ui = true

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "mynode"
  retry_join {
    leader_api_addr = "http://xxx.xx.xx.xx:8200"
  }
  retry_join {
    leader_api_addr = "http://xxx.xx.xx.xx:8200"
  }
  retry_join {
    leader_api_addr = "http://xxx.xx.xx.xx:8200"
  }
  retry_join {
    leader_api_addr = "http://xxx.xx.xx.xx:8200"
  }
  retry_join {
    leader_api_addr = "http://xxx.xx.xx.xx:8200"
  }
}

cluster_addr = "http://my.cluster.addr.xx:8201"
api_addr = "http://0.0.0.0:8200"

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "mypath/vault.crt"
  tls_key_file  = "mypath/vault.key"
  tls_disable   = 0
}

seal "awskms" {
  region     = "someregion"
  kms_key_id = "XXXXXXXXXXXXXXXXXX"
}

#I only updated this on the leader and figured I needed to run

vault server -config=/etc/vault.d/vault.hcl

#I get this error:

"Error initializing storage of type raft: failed to create fsm: failed to open bolt file: timeout"

Everything worked as expected before I tried to make a TLS change :rofl:

I cannot get to my UI at https://my-same-dns-I-could-get-to-with-http

Thanks Vault community :money_mouth_face: :money_mouth_face:

Hello,

Can you verify that the user the Vault server is running as has r/w access to the /opt/vault/data path?

You also mentioned that you have added TLS parameters; it seems that the path mypath/vault.key is relative. Are the cert and the key available at this relative path?

Martin

1 Like

Hello,

Thanks so much for commenting back. So I deployed another sandbox test and see that I do have the correct permissions, because without them I see a different error that looks like the below:

Error initializing storage of type raft: failed to create fsm: failed to open bolt file: open /opt/vault/data/vault.db: permission denied

That is, for example, with the relative path I made up for the sandbox test, versus the error I get when provisioned as expected:

"Error initializing storage of type raft: failed to create fsm: failed to open bolt file: timeout"

To make sure I conducted the test correctly, could you walk me through how you would verify that the user the Vault server is running as has r/w access to the /opt/vault/data path?

Yes, the certs are only on the leader server, not the others… Would they not only have to be on the leader?

Thanks!

Thanks, I solved it. The reason for the error was that the storage path stanza was missing the word raft:

:rofl:

/opt/vault/data/raft

1 Like

Thank you @Cobra16319. Your solution worked after I spent hours and hours on why it was throwing permission denied errors.

storage "raft" {
  path    = "/opt/vault/data/raft"
  node_id = "node1"
}
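A small pre-flight check, added here as an example and not part of the thread or of Vault itself, that runs the verifications Martin asked for (r/w access to the raft data directory, absolute rather than relative cert/key paths) plus two related sanity checks a practitioner would want: that the private key is not world-readable, and that api_addr uses https:// once tls_disable = 0. The function name, arguments and messages are assumptions; run it as the user the vault service runs under (for example via `sudo -u vault sh`).

```shell
# check_vault_paths DATA_DIR CERT_FILE KEY_FILE API_ADDR
# Prints one line per finding and returns 0 only when every check passes.
check_vault_paths() {
  data_dir=$1; cert=$2; key=$3; api_addr=$4; rc=0
  # 1. A relative path is resolved against the daemon's working directory,
  #    which under systemd is rarely the directory you had in mind.
  for p in "$data_dir" "$cert" "$key"; do
    case $p in
      /*) ;;
      *)  echo "FAIL: '$p' is a relative path; use an absolute one"; rc=1 ;;
    esac
  done
  # 2. The raft directory must be traversable, readable and writable by this
  #    user, otherwise opening DATA_DIR/vault.db fails with 'permission denied'.
  if [ -d "$data_dir" ] && [ -r "$data_dir" ] && [ -w "$data_dir" ] && [ -x "$data_dir" ]; then
    echo "OK: $(id -un) has r/w access to $data_dir"
  else
    echo "FAIL: $data_dir is missing or not r/w for $(id -un)"; rc=1
  fi
  # 3. The TLS cert and key must exist and be readable by this user.
  for f in "$cert" "$key"; do
    if [ -r "$f" ]; then echo "OK: readable $f"; else echo "FAIL: cannot read $f"; rc=1; fi
  done
  # 4. The private key should not be readable by everyone on the host.
  if [ -n "$(find "$key" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
    echo "WARN: $key is world-readable; tighten its mode (e.g. 0640 vault:vault)"
  fi
  # 5. With TLS on the listener, api_addr (and each retry_join leader_api_addr)
  #    must be https://, or peers and UI redirects are sent to a plain-http URL.
  case $api_addr in
    https://*) echo "OK: api_addr uses https" ;;
    *)         echo "FAIL: api_addr '$api_addr' is not https while the listener has TLS enabled"; rc=1 ;;
  esac
  return $rc
}
```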