Vault token renew

I’m using the vault, but when I renew the token, the message appears:

Error renewing token: Put “https://127.0.0.1:8200/v1/auth/token/renew”: dial tcp 127.0.0.1:8200: connect: connection refused

My vault.hcl:

# Full configuration options can be found at Server Configuration | Vault | HashiCorp Developer

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address = "172.31.40.92:8200"
  tls_cert_file = "/opt/vault/tls/mycert.crt"
  tls_key_file = "/opt/vault/tls/mykey.key"
}

Can someone help me?

You instructed your Vault to listen on this IP address:

  address = "172.31.40.92:8200"

so that is where you must tell your Vault client to connect to.

I defined an address variable with the address of my vault, I also added my certificate on the machine, but now the error I get is:

root@vault-teste:/home/ubuntu# vault token renew s.TAsibn5Dr3ewOyoMTOwHe3KR
Error renewing token: Error making API request.

URL: PUT https://vault-teste.sankhya.com.br:8200/v1/auth/token/v1/auth/token/renew
Code: 400. Errors:

  * missing client token

And when I add the token in an environment variable, and run the command for renewal, I get the following error:

Error renewing token: Error making API request.

URL: PUT https://vault-teste.sankhya.com.br:8200/v1/auth/token/v1/auth/token/renew-self
Code: 403. Errors:

  * 1 error occurred:
  * permission denied

Vault has confusingly too many APIs for renewing tokens.

The CLI command vault token renew (no parameters) calls the API path auth/token/renew-self, which is allowed by default.

However the CLI command vault token renew SOME_TOKEN_HERE calls the API path auth/token/renew, which is not allowed unless you’ve written custom policy to allow it.

This distinction is weird, since if you possess the token, you could just send it to the auth/token/renew-self endpoint anyway, so the tighter restrictions on auth/token/renew are a pitfall for new users, without any reason I can see.

Anyway, short version, set the VAULT_TOKEN environment variable and do NOT pass the token value on the command line.
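An added example, not from this thread or from HashiCorp, that mirrors over Vault's HTTP API what the two CLI forms do, so the renew-self / renew distinction and the policy the second form needs are explicit. It assumes VAULT_ADDR and VAULT_TOKEN are exported as described above; the tokens and the policy name are placeholders.

```python
"""Mirror `vault token renew` over the HTTP API (added example, not Vault's own code)."""
import json
import os
import urllib.error
import urllib.request

# Policy an operator must grant before `vault token renew <other-token>` succeeds.
# Hypothetical policy text; the default policy only permits renew-self.
RENEW_OTHERS_POLICY = '''
path "auth/token/renew" {
  capabilities = ["update"]
}
'''


def build_renew_request(caller_token, target_token=None, increment=None):
    """Return (api_path, headers, body) for the request the CLI would send.

    No target  -> auth/token/renew-self, allowed by the default policy.
    Target set -> auth/token/renew, which needs RENEW_OTHERS_POLICY (or similar).
    The caller's own token always travels in the X-Vault-Token header; omitting
    it is what produces the 400 "missing client token" seen in the thread."""
    headers = {"X-Vault-Token": caller_token, "Content-Type": "application/json"}
    body = {}
    if increment:
        body["increment"] = increment
    if target_token is None:
        return "auth/token/renew-self", headers, body
    body["token"] = target_token
    return "auth/token/renew", headers, body


def explain_error(status, errors):
    """Map the two failures from the thread to their cause and fix."""
    if status == 400 and any("missing client token" in e for e in errors):
        return "no X-Vault-Token header: export VAULT_TOKEN instead of passing the token as an argument"
    if status == 403:
        return "caller lacks 'update' on auth/token/renew: use renew-self, or grant RENEW_OTHERS_POLICY"
    return f"unexpected HTTP {status}: {errors}"


def renew(target_token=None, increment=None):
    """Send the renewal to VAULT_ADDR; returns (http_status, parsed JSON or explanation)."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    path, headers, body = build_renew_request(os.environ["VAULT_TOKEN"], target_token, increment)
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body).encode(),
                                 headers=headers, method="PUT")  # the CLI also uses PUT
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        payload = json.loads(err.read().decode() or "{}")
        return err.code, {"explanation": explain_error(err.code, payload.get("errors", []))}
```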

Thanks to all for your help!

I managed to solve it as follows:

1 - I added my certificate in the path "/etc/ssl/certs" and after that I updated the certificates in the OS with the command "update-ca-certificates"

2 - I added the following lines in the vault.hcl file:
disable_mlock = true
api_addr = "https://endereço.vault.com.br:8200"

3 - I defined the variable in the OS with the address of my VAULT:
export VAULT_ADDR=https://endereço.vault.com.br:8200

4 - Define the variable with the root token to grant access to create new tokens:
export VAULT_TOKEN=root_token

5 - I created the new token in the policy that I had created previously, but a token without max_ttl so that it can be renewed indefinitely:
vault token create -policy="policy" -period=30m

After these steps, I managed to create new tokens on my VAULT server and also managed to renew them, remembering that I can only renew them before they have expired.