I am working on generating self-signed certificates with HashiCorp Vault and have successfully generated the CA certificate, issuing CA, CA chain and private keys using these links below: Policies, Build Your Certificate. I'm also able to import the resultant .pem, which is the combination of the certificate, issuingCa, caChain and privateKey files, into a Java keystore successfully with keytool to get a .jks.

So, I start Vault successfully using this command: vault server -config=config.hcl, with the output below:
==> Vault server configuration:
Api Address: https://test.sammy.com:8200
Cgo: disabled
Cluster Address: https://test.sammy.com:8201
Listener 1: tcp (addr: "127.0.0.1:9000", cluster address: "127.0.0.1:9001", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Listener 2: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
Log Level: info
Mlock: supported: true, enabled: true
Recovery Mode: false
Storage: inmem
Version: Vault v1.4.2
==> Vault server started! Log data will stream in below:
2020-06-28T23:37:01.489+0100 [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
using the configuration file config.hcl (shown below) from this StackOverflow question:

backend "inmem" {}

listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "/Vault/pki_ca_cert_chain.pem"
  tls_key_file = "Vault/vault.key.pem"
}

# Advertise the non-loopback interface
api_addr = "https://test.sammy.com:8200"
cluster_addr = "https://test.sammy.com:8201"
I use this command to expose the server address: export VAULT_ADDR='https://test.sammy.com:8200'.

The issue I've got now is that when I run this command to view the server status, vault status, I get the error below:
Error checking seal status: Get https://test.sammy.com:8200/v1/sys/seal-status: dial tcp 45.33.2.79:8200: connect: no route to host
My Spring Boot application picks the truststore file up but throws this exception at runtime:

I/O exception (java.net.NoRouteToHostException) caught when processing request to {s}->https://test.sammy.com:8200: No route to host (Host unreachable)

or simply, Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable). My bootstrap.yml looks like this:

spring:
  application:
    name: hashicorp-spring-app
  cloud:
    vault:
      enabled: true
      host: test.sammy.com
      port: 8200
      scheme: https
      authentication: cert
      ssl:
        trust-store: classpath:vault-truststore.jks
        trust-store-password: somethingsecret
I get a different error when I try to initialize Vault using this command: vault operator init
Error initializing: Put https://test.sammy.com:8200/v1/sys/init: dial tcp 45.79.19.196:8200: i/o timeout
I've tried this link to fix it, but I still get the I/O timeout error above. I'm quite sure I've missed something, possibly simple, and have combed the internet to find a straightforward solution for this but can't seem to find any, so please, any help will be appreciated!!!
Your Vault instance listens to the loopback address only, because of this code:

listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}
So you have 2 choices:

1. VAULT_ADDR=127.0.0.1:9000 in your environment variables
2. address = 0.0.0.0:9000 and use standard networking to reach that Vault that listens on all interfaces.

As for api_addr, it is used to tell Vault how to advertise itself to its clients. It is not used for reaching it in the first place. So the value to put there depends on how your clients can reach Vault. For example, it's that address that will be sent to clients who opt out of Vault request forwarding with X-Vault-No-Request-Forwarding: 1.

The cluster_addr parameter is different: it is used by Vault only, never your clients. Vault uses it to reach consensus with Integrated Storage, or to replicate with other clusters if you use Vault Enterprise.
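The following is an added example, written for this page and not code from the asker, the answerer or HashiCorp. It checks the distinction the answer draws (the listener address decides where Vault is reachable, api_addr only decides what it advertises) against the config.hcl from the question, which is embedded here as a constructed sample, and against a constructed variant of the answer's second option with both listeners rebound to 0.0.0.0. It flags the mismatch behind the "no route to host" error (a non-loopback api_addr with every listener on loopback) and the caveat a defender would add to option 2: a listener with tls_disable = 1 that is moved off loopback serves plaintext to the network. The HCL handling is simple pattern matching for this flat file shape, not a general HCL parser; the 127.0.0.1:8200 fallback is Vault's documented default bind address for a tcp listener, and the finding codes are this example's own names.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample input: the config.hcl from the question, embedded so the check runs offline.
QUESTION_CONFIG = """
backend "inmem" {}
listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "/Vault/pki_ca_cert_chain.pem"
  tls_key_file = "Vault/vault.key.pem"
}
api_addr = "https://test.sammy.com:8200"
cluster_addr = "https://test.sammy.com:8201"
"""

# Constructed variant of the answer's second option: both listeners rebound to all interfaces.
ALL_INTERFACES_CONFIG = QUESTION_CONFIG.replace("127.0.0.1:9000", "0.0.0.0:9000").replace("127.0.0.1:8200", "0.0.0.0:8200")


@dataclass
class Listener:
    address: str       # host:port the listener binds to
    tls_disable: bool  # True when the listener speaks plaintext HTTP


# Pattern matching for the flat HCL shape above; this is not a general HCL parser.
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_listeners(hcl: str) -> List[Listener]:
    listeners = []
    for block in LISTENER_RE.findall(hcl):
        kv = dict(KV_RE.findall(block))
        # Vault's documented default bind address when a tcp listener omits `address`.
        address = kv.get("address", "127.0.0.1:8200")
        tls_disable = kv.get("tls_disable", "false").lower() in ("1", "true")
        listeners.append(Listener(address, tls_disable))
    return listeners


def top_level_value(hcl: str, key: str) -> Optional[str]:
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', hcl, re.M)
    return m.group(1) if m else None


def split_host_port(address: str) -> Tuple[str, str]:
    host, _, port = address.rpartition(":")
    return host.strip("[]"), port  # strip IPv6 brackets such as [::1]


def classify_host(host: str) -> str:
    """Return 'loopback', 'wildcard' or 'other' for a bind or advertise host."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"  # a DNS name such as test.sammy.com
    if ip.is_loopback:
        return "loopback"
    return "wildcard" if ip.is_unspecified else "other"


def check_config(hcl: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings about listener reachability and plaintext exposure."""
    findings = []
    listeners = parse_listeners(hcl)
    bind_kinds = [classify_host(split_host_port(l.address)[0]) for l in listeners]
    for l, kind in zip(listeners, bind_kinds):
        if kind == "loopback":
            findings.append(("LOOPBACK_ONLY", f"listener {l.address} is reachable only from this host"))
        elif l.tls_disable:
            findings.append(("PLAINTEXT_EXPOSED", f"listener {l.address} serves plaintext HTTP on a non-loopback interface"))
    api_addr = top_level_value(hcl, "api_addr")
    if api_addr:
        api_host = urlsplit(api_addr).hostname or ""
        # The question's situation: clients are told to use a routable name, but nothing listens there.
        if classify_host(api_host) != "loopback" and listeners and all(k == "loopback" for k in bind_kinds):
            findings.append(("ADVERTISED_UNREACHABLE", f"api_addr {api_addr} is advertised but every listener binds loopback"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("all-interfaces", ALL_INTERFACES_CONFIG)):
        print(f"== {name} ==")
        for code, msg in check_config(cfg):
            print(f"{code}: {msg}")
```

Run against the question's config it reports two LOOPBACK_ONLY findings and ADVERTISED_UNREACHABLE; against the all-interfaces variant it reports only PLAINTEXT_EXPOSED for the 9000 listener, which is why option 2 is better paired with the TLS listener (or with tls_disable removed) than with the plaintext one.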