Vault Init Barrier Issues


Hunter Fontenot

Sep 21, 2016, 12:01:35 PM9/21/16
to Vault
Hi, I'm trying to initialize Vault with a basic Consul backend. This is my Vault config (a copy and paste of the one in the instructions):

backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

I have a Consul server and two agents running, and the 'vault server' command starts the server. I set VAULT_ADDR to 'http://127.0.0.1:8200' to avoid the HTTPS conflict, but when I try 'vault init', this is the log output:


core: security barrier not initialized
core: failed to write seal configuration error=Unexpected response code: 403 (Permission denied)
core: failed to save barrier configuration error=failed to write seal configuration: Unexpected response code: 403 (Permission denied)


I can then use 'vault status' to get this:


Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Version: Vault v0.6.1

High-Availability Enabled: true
Mode: sealed

Which means that the 'vault init' is going through, but not outputting the keys for me to save and use. This then seals the Vault and I have no keys to unseal it.

I'm really hoping this is something simple that I'm missing, as I am relatively new to this field. Thanks! -Hunter

David Adams

Sep 21, 2016, 12:07:41 PM9/21/16
to vault...@googlegroups.com
Looks like Vault has already been initialized using that backend. If you don't have the keys, you can delete the 'vault/' prefix in consul or you can set it to use a different prefix in your vault config.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/c5847c2b-391e-4f8c-977c-ca2bc11b2582%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Hunter Fontenot

Sep 21, 2016, 12:18:55 PM9/21/16
to Vault
Vault isn't even showing up in Consul, though, which makes me think it may be a Vault-Consul connection issue or a Consul issue ultimately. Thanks for the quick reply :D

Hunter Fontenot

Sep 21, 2016, 12:28:53 PM9/21/16
to Vault
*** EDIT: Wanted to clarify that I ran 'vault status' before using 'vault init' and it returned that the server was not initialized. So Vault was definitely not initialized beforehand. ***

Jeff Mitchell

Sep 21, 2016, 2:04:17 PM9/21/16
to vault...@googlegroups.com
Are you using ACLs with Consul?

Best,
Jeff

Hunter Fontenot

Sep 21, 2016, 2:06:29 PM9/21/16
to Vault
Nope, I haven't set anything up yet, super basic install.

Jeff Mitchell

Sep 21, 2016, 2:10:37 PM9/21/16
to vault...@googlegroups.com
What version of Consul are you using? That error message appears to be coming from Consul.

Best,
Jeff


Hunter Fontenot

Sep 21, 2016, 2:13:15 PM9/21/16
to Vault

Consul v0.7.0

Jeff Mitchell

Sep 21, 2016, 4:08:22 PM9/21/16
to vault...@googlegroups.com
Hi Hunter,

I just tried this with a fresh Consul 0.7 and can't replicate. What's your Consul setup?

Best,
Jeff


Hunter Fontenot

Sep 21, 2016, 4:46:33 PM9/21/16
to Vault
I'm also trying to run Vault on Server A, just to add.

Hunter Fontenot

Sep 21, 2016, 4:47:52 PM9/21/16
to Vault
I have one Consul server agent and two non-server agents. I start them all and use 'consul join' to add the others. With this setup, I can see all of them in the Consul UI in my browser.

Server A (the one with server enabled and the UI, IP x.x.x.11):

{
    "bootstrap": true,
    "server": true,
    "log_level": "DEBUG",
    "enable_syslog": true,
    "datacenter": "dc1",
    "addresses": {
      "http": "0.0.0.0"
    },
    "bind_addr": "x.x.x.11",
    "node_name": "x.x.x.11",
    "data_dir": "/etc/consul.d/consuldata",
    "ui_dir": "/etc/consul.d/consul-ui",
    "acl_datacenter": "dc1",
    "acl_master_token": "",
    "acl_default_policy": "deny",
    "encrypt": ""
}


Servers B (x.x.x.9) and C (x.x.x.10):


{
    "bootstrap": false,
    "server": false,
    "log_level": "DEBUG",
    "enable_syslog": true,
    "datacenter": "dc1",
    "addresses": {
      "http": "0.0.0.0"
    },
    "bind_addr": "x.x.x.9",
    "node_name": "x.x.x.9",
    "data_dir": "/etc/consul.d/consuldata",
    "acl_datacenter": "dc1",
    "acl_master_token": "",
    "acl_default_policy": "deny",
    "encrypt": ""
}

The tokens and encrypt keys are there in the real configs.

Jeff Mitchell

Sep 21, 2016, 5:06:08 PM9/21/16
to vault...@googlegroups.com
Hi Hunter,

Using 'acl_datacenter' in your Consul config turns on ACLs, which are set to default deny. But you don't appear to be giving Vault an ACL token, so it's being denied when trying to actually persist the barrier configuration.

Best,
Jeff
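To make Jeff's diagnosis concrete, here is what the fixed setup looks like. This is an added example, not configuration from the thread or from the Vault project: with "acl_default_policy": "deny", any request Consul receives without a token, or with a token whose rules do not cover the key, is answered with HTTP 403 "Permission denied", and Vault's very first write during init (the seal configuration under the vault/ prefix) is exactly such a request, which is why the log shows "failed to write seal configuration" before any unseal keys exist. The fix has two parts: a Consul ACL token whose rules let Vault write its own KV prefix plus the service, session, node and agent access that Vault's HA registration needs (the rule set the Vault Consul backend documentation lists), and that token passed to Vault through the backend's `token` parameter. Under Consul 0.7 the token is created with the legacy ACL API, a PUT to /v1/acl/create authenticated with the master token via the X-Consul-Token header, and the ID Consul returns is what goes into the Vault config. "vault-acl-token" below is a placeholder for that ID. Note that this setup also binds the Consul HTTP API to 0.0.0.0, so the default-deny ACL policy is the only thing between the network and the KV store that holds Vault's encrypted barrier; the right fix is the token, not relaxing the policy.

```hcl
# --- Consul ACL rules for the token Vault will use (Consul 0.7 legacy ACL syntax) ---
# Scoped to the "vault/" prefix: with acl_default_policy = "deny", every key
# outside this prefix stays inaccessible to Vault, which is the least privilege
# Vault needs for its storage backend.
key "vault/" {
  policy = "write"
}

# Vault registers itself as a Consul service (default name "vault") and uses
# Consul sessions for its HA lock, so these rules are needed as well.
service "vault" {
  policy = "write"
}
session "" {
  policy = "write"
}
node "" {
  policy = "write"
}
agent "" {
  policy = "write"
}

# --- Vault server config ---
# Before (the thread's version): no token, so every Consul write gets a 403.
#
# backend "consul" {
#   address = "127.0.0.1:8500"
#   path    = "vault"
# }

# After: the same backend stanza with the ACL token created from the rules above.
# "vault-acl-token" is a placeholder for the token ID returned by Consul.
backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
  token   = "vault-acl-token"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
```

A quick way to tell this failure apart from a connectivity problem before touching Vault: a PUT to the KV endpoint on the local agent, for example to /v1/kv/vault/acl-probe with no token, should come back as HTTP 403 "Permission denied" when ACLs are the cause (a connection refused or timeout points elsewhere); the same request with the new token in the X-Consul-Token header returns `true`, after which the probe key can be deleted with a DELETE to the same path.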

Hunter Fontenot

Sep 21, 2016, 5:24:06 PM9/21/16
to Vault
Wow, that was it. It's working now! Thanks for your help, Jeff! -Hunter