Vault with TLS Enabled won't start - connection refused by the listener

I’ve been having an issue where my vault server won’t start and gives an error of “connection refused.”
Build: Vault v1.4.2 installed locally on Debian GNU/Linux 10 (buster). Certificates are installed in /etc/ssl/... (tried as owned by root and vault) and I’ve tried every combination of http:// and https:// and 127.0.0.1:8200 and the $vaulthostname:8200 I can think of between /etc/vault.d/vault.hcl, the VAULT_ADDR env variable, and using the -address= flag in the vault commands.

In every case, I get Error initializing: Put https://$hostname:8200/v1/sys/init: dial tcp $hostname:8200: connect: connection refused and the most relevant information I can glean from logs is vault[2815]: Error initializing listener of type tcp: error loading TLS cert: open /etc/ssl/private/vault-sf.key: permission denied

Is the issue that the certificate is the wrong format? It’s in .cer format with a separate private key.

Which user are you running Vault as?
Are you running from CLI or systemd?
What are the permissions on the key file (ie, ls -la on that)?
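One way to answer those three questions mechanically, as an added example that is not from this thread or from HashiCorp: a POSIX shell check that reports whether a given service account could traverse every parent directory and read the key file, working from owner, group and mode bits. It assumes GNU stat (Linux) and a locally resolvable user; on Debian, /etc/ssl/private is normally root:ssl-cert 0710, so the directory, not the key itself, is often the blocking component.

```shell
#!/bin/sh
# Added example: explain a "permission denied" on a TLS key by checking the
# DAC bits a service user would hit, rather than guessing. Assumes GNU stat.
# Not meaningful for root, which bypasses these bits entirely.

# bit_set PATH USER IDX: succeed if the permission character at IDX of
# `stat -c %A` (2=r, 4=x in the owner triplet) applies to USER, choosing the
# owner, group or other triplet from ownership and group membership.
bit_set() {
  path=$1; user=$2; idx=$3
  set -- $(stat -c '%U %G %A' "$path"); owner=$1; group=$2; perm=$3
  if [ "$owner" = "$user" ]; then col=$idx
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then col=$((idx+3))
  else col=$((idx+6)); fi
  c=$(printf '%s' "$perm" | cut -c"$col")
  case $c in -|S|T) return 1;; esac   # S/T: setgid/sticky without x
  return 0
}

# key_readable_by FILE USER: 0 if USER has search (x) on every parent
# directory and read (r) on FILE; otherwise print the first blocker and
# return 1. Example: key_readable_by /etc/ssl/private/vault-sf.key vault
key_readable_by() {
  file=$1; user=$2
  [ -e "$file" ] || { echo "missing: $file"; return 2; }
  dir=$(dirname "$file"); path=""
  for comp in $(printf '%s' "$dir" | tr '/' ' '); do
    path="$path/$comp"
    bit_set "$path" "$user" 4 || { echo "no search (x) permission on $path for $user"; return 1; }
  done
  bit_set "$file" "$user" 2 || { echo "no read (r) permission on $file for $user"; return 1; }
  echo "$user can read $file"
}

if [ "$#" -ge 1 ]; then key_readable_by "$1" "${2:-vault}"; fi
```

Run it as `sh check.sh /etc/ssl/private/vault-sf.key vault`; the fix it points at is usually adding the service user to the key directory's group or moving the key to a directory that user owns, not making the key world-readable.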

Thanks for responding Miek.

In the course of getting this info for you I tried something. I still get an error when running systemctl status vault but tried logging into root from the console and running systemctl vault start and then vault server -config=/etc/vault.d/vault.hcl It worked and I almost threw my rubber ducky across the room (I’ve been wrestling with this particular problem for 2 weeks). So now I’ll shift to asking you what is happening here so I can post my config for the next person who runs into these problems.

May I hazard a guess that the reason connections were refused is that the vault service wasn’t running and port 8200 wasn’t opened (confirmed by nmap)? I had understood that systemctl start vault also runs the equivalent of the vault server command. That being said, systemctl status vault gets me the following errors:

 vault.service - "HashiCorp Vault - A tool for managing secrets"
   Loaded: loaded (/etc/systemd/system/vault.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-06-29 17:38:15 PDT; 16min ago
     Docs: https://www.vaultproject.io/docs/
  Process: 6050 ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl (code=exited, status=1/FAILURE)
 Main PID: 6050 (code=exited, status=1/FAILURE)

Jun 29 17:38:15 $vaulthostname systemd[1]: vault.service: Service RestartSec=5s expired, scheduling restart.
Jun 29 17:38:15 $vaulthostname systemd[1]: vault.service: Scheduled restart job, restart counter is at 3.
Jun 29 17:38:15 $vaulthostname systemd[1]: Stopped "HashiCorp Vault - A tool for managing secrets".
Jun 29 17:38:15 $vaulthostname systemd[1]: vault.service: Start request repeated too quickly.
Jun 29 17:38:15 $vaulthostname systemd[1]: vault.service: Failed with result 'exit-code'.
Jun 29 17:38:15 $vaulthostname systemd[1]: Failed to start "HashiCorp Vault - A tool for managing secrets".

Am I missing something?

What does just running
vault server -config=/etc/vault.d/vault.hcl

do?

Please inspect where syslog entries for Vault are configured to go and find out what errors Vault was generating when it was failing to start up. That is essential information for debugging your problem.