Re: [vault] "Code: 503. Raw Message:" when checking vault status


Armon Dadgar

Jan 19, 2016, 2:17:46 PM
to vault...@googlegroups.com, Kolby Dauler
Kolby,

This error is likely coming from the ELB itself, not from Vault.
My guess is that the Vault is sealed, so it's returning an unhealthy error
code to ELB, meaning ELB has no instances to route traffic to and is
returning a 503 to clients.

I would check and make sure the Vault instances are unsealed and healthy,
as the ELB is masking the true status.

Best Regards,
Armon Dadgar

On January 15, 2016 at 7:06:57 PM, Kolby Dauler (kolby....@gmail.com) wrote:

Hey,

I'm getting:

$ vault status
Error checking seal status: Error making API request.

URL: GET https://vault-1870068235.us-east-1.elb.amazonaws.com/v1/sys/seal-status
Code: 503. Raw Message:


Docs say: 503 - Vault is down for maintenance or is currently sealed. Try again later.

Context - I'm currently migrating Vault from Ubuntu to our hardened image (CentOS). I can confirm Vault installs and starts successfully on both images but I can only connect to the Ubuntu image. We are using Terraform so I only make two changes (AMI ID and Ubuntu or CentOS install script) when switching between the two so the configuration for the two is identical as far as cert, autoscale config, vpc + routing, etc.

Are there more details around what this error is saying or does anyone have an idea what could be going on?

Thanks
Kolby

 




Kolby Dauler

Jan 19, 2016, 3:00:41 PM
to Vault, kolby....@gmail.com
Hi Armon,

You are correct in that the vault is sealed as every time I terraform apply to switch between I need to unseal since the service is restarting. When using the Ubuntu image I am able to unseal and check status but when switching to CentOS behind the same ELB I just get the 503. Good call with looking at ELB, I'm enabling ELB logs now to see what backend status code the ELB is getting from the Vault instance. I'll come back with what I find.

Thank you,
Kolby

Kolby Dauler

Jan 21, 2016, 6:03:07 PM
to Vault, kolby....@gmail.com
Hey,

Apologies for the delay, I meant to update here sooner. You were correct in that the error was coming from the ELB rather than Vault. I was using iptables to open 8200 on the instance (hardened) which was no longer working because we just upgraded to CentOS 7 from 6 which now uses firewalld. As a result, the Vault instances were failing health checks since the ELB couldn't reach 8200 so the ELB sent the error. As soon as I opened 8200/tcp with firewalld the health checks passed and everything is working fine now.

Thanks for the help

Kolby
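
Added example, not part of the original thread: a Python sketch of the check discussed above, which queries an instance directly instead of through the ELB and tells an answer produced by Vault from one produced in front of it, or from no answer at all (the blocked-port case). It assumes Vault's `/v1/sys/health` endpoint replies with a JSON body containing a `sealed` field; the function names, the example URL and the sample bodies are constructed for illustration.

```python
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Say who produced a health response: Vault itself or something in front of it."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = None
    if isinstance(doc, dict) and "sealed" in doc:
        # Vault answered. A sealed Vault reports 503 on sys/health by default,
        # but the body still identifies it as Vault's own reply.
        return ("vault", "sealed" if doc["sealed"] else "unsealed")
    # No Vault health JSON: the status code was generated by an intermediary
    # such as a load balancer with no healthy backends.
    return ("intermediary", "HTTP %d without a Vault health body" % status)


def probe(base_url, timeout=5):
    """Fetch /v1/sys/health from base_url and classify the outcome."""
    url = base_url.rstrip("/") + "/v1/sys/health"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # Non-2xx replies still carry a body worth inspecting.
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:
        # Refused or timed-out connection, e.g. a host firewall not allowing 8200/tcp.
        return ("unreachable", str(getattr(err, "reason", err)))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real deployment.
    samples = [
        (503, ""),  # empty body, like the "Raw Message:" in the thread
        (503, '{"initialized": true, "sealed": true, "standby": true}'),
        (200, '{"initialized": true, "sealed": false, "standby": false}'),
    ]
    for status, body in samples:
        print(status, classify(status, body))
    # Against a live instance (hypothetical address):
    # print(probe("https://10.0.0.12:8200"))
```

Running `probe` once against the load balancer name and once against each instance address shows where the 503 originates.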
