Why can't I configure Https access to my Hashi Vault server? Http works but Https breaks everything

jonm · December 4, 2024, 6:51am

I have been trying all day without success to get Vault to allow https connection.

The configuration is: Ubuntu EC2 AWS server with Vault installed.

WORKING HTTP

I can run Vault and connect by http if I do two things:

set export VAULT_ADDR=http://127.0.0.1:8200 and
in nano /etc/vault.d/vault.hcl set:

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

With this configuration I can go to http://ipaddress:8200 or http://domainname.com:8200 and see the vault login page. I can also run vault status & vault operator unseal when needed and unlock the vault and get normal status outputs.

CHANGE TO HTTPS?

Once I try to change to https however, everything breaks down.

The steps I have tried in various combinations are:

set export VAULT_ADDR=https://127.0.0.1:8200
in nano /etc/vault.d/vault.hcl set:

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_disable_client_certs = "true"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file = "/opt/vault/tls/tls.key"
}

copy my certificate (concatenated as main cert plus bundle certs all in one file) as tls.crt at this path and tls.key for my private key (confirmed they are readable from command line at these file locations also)
restart the Vault service with sudo systemctl restart vault
try to unseal with vault operator unseal
update certs with sudo pkill -SIGHUP vault

However, none of this works. I cannot get vault to run or unseal or provide any useful output once I have made the above changes.

As soon as I update VAULT_ADDR=https://127.0.0.1:8200, comment in the new listener in vault.hcl, and run sudo systemctl restart vault everything is broken.

vault status gives

Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused

vault operator unseal allows me to put in a key but then says:

Error unsealing: Put "https://127.0.0.1:8200/v1/sys/unseal": dial tcp 127.0.0.1:8200: connect: connection refused

telnet 127.0.0.1 8200 gives telnet: Unable to connect to remote host: Connection refused

What am I supposed to do? I cannot for the life of me find any reference or anything that can suggest a solution or how this is supposed to work.

Puzzlingly, I also find there is an environmental variable for CAPATH which I do not know the point of.

Are we not supposed to be setting the path to our https certificate and key files in the listener as above? Are we supposed to set it twice?

What might be the missing link? Any help? I am at my wit’s end and can’t solve this. Thanks for any suggestions or ideas of any kind.

jonm · December 5, 2024, 6:13pm

Further discussion and solutions (as well as recommended “bug” fix) here:

github.com/hashicorp/vault

Cannot configure working HTTPS Vault installation? Vault program broken (vs. lack of documentation)?

opened 02:50AM - 05 Dec 24 UTC

jonmdev

**Describe the bug** Cannot create a working HTTPS installation following all… available instructions online. **To Reproduce** ## 1) Start with raw Ubuntu EC2, install Vault: ``` wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list sudo apt update && sudo apt install vault ``` ## 2) Init the Vault ``` vault operator init vault operator unseal <key1> vault operator unseal <key2> vault operator unseal <key3> vault login <root_token> ``` ## 3) Create Vault Service `sudo nano /etc/systemd/system/vault.service` ``` [Unit] Description=HashiCorp Vault - A tool for secrets management Documentation=https://www.vaultproject.io/docs/ After=network.target [Service] User=vault Group=vault ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl Restart=on-failure LimitNOFILE=65536 StandardOutput=journal StandardError=journal ExecReload=/bin/kill -HUP $MAINPID KillMode=process KillSignal=SIGINT TimeoutStopSec=30 [Install] WantedBy=multi-user.target ``` ` sudo systemctl enable vault` `sudo reboot` ## 3) Set VAULT_ADDR environmental variable `sudo nano /etc/environment` `VAULT_ADDR="http://127.0.0.1:8200"` ## 4) Set AWS auto-unseal: Make AWS key and policy for the EC2: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey" ], "Resource": "arn:aws:kms:us-east-1:THE_ARN_OF_THE_KEY" } ] } ``` Add the HTTP listener and key to vault.hcl: `sudo nano /etc/vault.d/vault.hcl` ``` # HTTP listener listener "tcp" { address = "0.0.0.0:8200" tls_disable = 1 } seal "awskms" { region = "us-east-1" # Specify the region where your CMK is located kms_key_id = "arn:aws:kms:us-east-1:THE_ARN_OF_THE_KEY" # The ARN of your KMS key } ``` `sudo reboot` `vault operator unseal -migrate` x3 times `sudo reboot` At this point everything will still work properly. `vault status` will show an unsealed vault which is running correctly. http://ip:8200 will take you to the Vault login page. ## 5) Switch to HTTPS Here is where everything goes wrong. `sudo nano /etc/vault.d/vault.hcl` ``` # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 # Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration ui = true #mlock = true #disable_mlock = true storage "file" { path = "/opt/vault/data" } #storage "consul" { # address = "127.0.0.1:8500" # path = "vault" #} # HTTP listener #listener "tcp" { # address = "0.0.0.0:8200" # tls_disable = 1 #} # HTTPS listener listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/opt/vault/tls/tls.crt" tls_key_file = "/opt/vault/tls/tls.key" tls_disable_client_certs = "true" tls_disable = 0 } # Enterprise license_path # This will be required for enterprise as of v1.8 #license_path = "/etc/vault.d/vault.hclic" # Example AWS KMS auto unseal seal "awskms" { region = "us-east-1" kms_key_id = "arn:aws:kms:key_information } # Default unseal method #seal "shamir" { # secret_shares = 5 # secret_threshold = 3 #} # Example HSM auto unseal #seal "pkcs11" { # lib = "/usr/vault/lib/libCryptoki2_64.so" # slot = "0" # pin = "AAAA-BBBB-CCCC-DDDD" # key_label = "vault-hsm-key" # hmac_key_label = "vault-hsm-hmac-key" #} ``` Update environmental address to https: `sudo nano /etc/environment` `VAULT_ADDR="https://127.0.0.1:8200"` Set permissions for tls cert/locations so can add certificates/key: ``` sudo chown -R ubuntu:ubuntu /opt/vault/tls sudo chmod -R u+w /opt/vault/tls sudo chmod u+w /opt/vault/tls/tls.crt sudo chmod u+w /opt/vault/tls/tls.key ``` Copy certificates (as main cert + any bundle or CA concatenated in that order in one file) to file path in vault.hcl, and private key also as other file. Confirm these are correct and located there: `cat "/opt/vault/tls/tls.crt"` `cat "/opt/vault/tls/tls.key"` `sudo systemctl restart vault` `sudo reboot` ## 6) Result: System is now broken At this point, nothing will run anymore. Cannot restart Vault. No meaningful error output by any logs. Cannot run `vault status` or anything. **Expected behavior** Based on all available documentation I believe these are the correct steps to run to make this work. However, after following these steps, I get nothing meaningful anymore: ### `vault status`: ``` Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused ``` ### `vault operator unseal` ``` Error unsealing: Put "https://127.0.0.1:8200/v1/sys/unseal": dial tcp 127.0.0.1:8200: connect: connection refused ``` ### `sudo journalctl -u vault -f | more` ``` Dec 05 02:39:38 ip-172-31-19-38 vault[1358]: 2024-12-05T02:39:38.756Z [INFO] incrementing seal generation: generation=1 Dec 05 02:39:38 ip-172-31-19-38 vault[1358]: 2024-12-05T02:39:38.756Z [WARN] no `api_addr` value specified in config or in VAULT _API_ADDR; falling back to detection if possible, but this value should be manually set Dec 05 02:39:38 ip-172-31-19-38 vault[1358]: 2024-12-05T02:39:38.804Z [INFO] core: Initializing version history cache for core Dec 05 02:39:38 ip-172-31-19-38 vault[1358]: 2024-12-05T02:39:38.804Z [INFO] events: Starting event system Dec 05 02:39:38 ip-172-31-19-38 systemd[1]: vault.service: Main process exited, code=exited, status=1/FAILURE Dec 05 02:39:38 ip-172-31-19-38 systemd[1]: vault.service: Failed with result 'exit-code'. Dec 05 02:39:39 ip-172-31-19-38 systemd[1]: vault.service: Scheduled restart job, restart counter is at 5. Dec 05 02:39:39 ip-172-31-19-38 systemd[1]: vault.service: Start request repeated too quickly. Dec 05 02:39:39 ip-172-31-19-38 systemd[1]: vault.service: Failed with result 'exit-code'. Dec 05 02:39:39 ip-172-31-19-38 systemd[1]: Failed to start vault.service - HashiCorp Vault - A tool for secrets management. ``` Thus nothing is working anymore and I cannot obtain any meaningful explanation or output for why. Furthermore (as a bonus issue), if I go back to http and try to remove the AWS unseal in this condition (to see if will help), I can again no longer startup. In this case (back to http and remove aws seal) I get from `sudo journalctl -u vault -f | more`: ``` Error initializing core: cannot seal migrate from "awskms" to Shamir, no disabled seal in configuration ``` So it appears we additionally can not remove the aws unseal once placed? **Environment:** * Vault Server Version (retrieve with `vault status`): Version 1.18.2 * Vault CLI Version (retrieve with `vault version`): Vault v1.18.2 (e36bac59ddb8e10e8912c0ddb44416c850939855), built 2024-11-20T11:24:56Z * Server Operating System/Architecture: Ubuntu 22 standard EC2 **Additional context** If this is a working system, and it is user error on my part, is there any documentation anywhere that explains the problem? I have been reading Hashi website and querying ChatGPT for days now trying to get this running and I am no closer to success. I find no information to explain what the issue might be. I can obtain no helpful output from my system to tell me what the problem is. I would hope for any of the following: 1) The bug (if any) is fixed 2) There can be clear errors debugged out from Vault to tell the user the configuration problem or solution if there is one 3) Clear documentation explaining how to configure this if it does in fact work (for example, to extend from [this](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-deploy)) Thanks for any help.

technical · February 13, 2025, 1:52pm

Check ownership and perms on your certs.
It had me for a while: they need to be vault:vault readonly

Topic		Replies	Views
TLS config for Vault UI Vault	2	2016	November 13, 2020
How to enable HTTPS for Vault Server built on VM Vault	1	406	April 7, 2022
Hashicorp Vault : “ Error initializing listener of type tcp: error loading TLS cert ” Where is my mistake? Vault	9	8965	November 15, 2020
Need help to assign TLS certificate on the subdomain for the server hosting HashiCorp Vault Vault vault	3	428	April 2, 2023
Issues with TLS configuration for Vault Vault	4	3575	August 21, 2023

Why can't I configure Https access to my Hashi Vault server? Http works but Https breaks everything

WORKING HTTP

CHANGE TO HTTPS?

Related topics