run vault on port 80/443


Thomas....@gmx.de

Mar 1, 2019, 8:38:36 AM
to Vault
Hey,

I'm trying to run Vault on port 80/443.
Currently I'm running Vault behind Apache, which redirects 80->443 and ProxyPasses to 8200.

I want to disable Apache, but Vault doesn't start with the config on port 80:
ui = true

storage "file" {
  path = "/var/lib/vault"
}

listener "tcp" {
  address     = "10.2.0.2:80"
  tls_disable = 1
}

listener "tcp" {
  address     = "127.0.0.1:80"
  tls_disable = 1
}


Does anyone have something like this in their Vault?

mic...@hashicorp.com

Mar 1, 2019, 8:57:30 AM
to Vault
Hi,

You defined two listeners which try to listen on the same port via one network interface, which is not possible.
You can just use one listener with the address "0.0.0.0:80", which basically means that all incoming traffic (from any network interface) is accepted.

If you really want to listen only to traffic which comes in on "10.2.0.2" and "127.0.0.1", you need to define a different port for at least one listener.

Cheers,
Michel

Thomas....@gmx.de

Mar 1, 2019, 9:23:55 AM
to Vault
vault status
Error checking seal status: Get http://127.0.0.1:80/v1/sys/seal-status: dial tcp 127.0.0.1:80: connect: connection refused
root@vault-dev:~# systemctl start vault
root@vault-dev:~# vault status
Error checking seal status: Get http://127.0.0.1:80/v1/sys/seal-status: dial tcp 127.0.0.1:80: connect: connection refused
root@vault-dev:~# cat /etc/vault/vault.hcl
ui = true

storage "file" {
  path = "/var/lib/vault"
}

listener "tcp" {
  address     = "0.0.0.0:80"
  tls_disable = 1
}

This is what it looks like now; still not working...

mic...@hashicorp.com

Mar 1, 2019, 9:35:40 AM
to Vault
Please check the logs (journalctl -u vault). I guess you need to start Vault as root, because ports 80 and 443 are secured by the OS.

Thomas....@gmx.de

Mar 1, 2019, 9:48:41 AM
to Vault
Error initializing listener of type tcp: listen tcp4 0.0.0.0:80: bind: permission denied
whoami
root

mic...@hashicorp.com

Mar 1, 2019, 10:02:03 AM
to Vault
You are root, but since you are using systemd to start your service (in this case Vault), it might run as another user. Please check the systemd configuration for Vault on your host.
Usually the file is located at "/etc/systemd/system/vault.service", but it can differ depending on the OS used.

One additional note: It is not recommended to run Vault under the root user.
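One way to reconcile the two points above (Vault must bind 80/443, but should not run as root) is to keep a dedicated service user and let systemd hand the process only the capability it needs. The script below is an added example for this thread, not HashiCorp's shipped unit file and not something from the original posts: it renders a systemd drop-in with User=vault plus AmbientCapabilities=CAP_NET_BIND_SERVICE (and CAP_IPC_LOCK, which Vault uses to mlock its memory), and an optional apply step that also fixes ownership of /etc/vault/vault.hcl and /var/lib/vault so the "permission denied" on the storage directory does not recur. The "vault" user/group, the drop-in file name and the helper names are assumptions; AmbientCapabilities needs systemd 229 or newer.

```shell
#!/bin/sh
# Added example: let Vault bind 80/443 as an unprivileged service user via
# systemd ambient capabilities instead of User=root. Paths follow the thread
# (/etc/vault/vault.hcl, /var/lib/vault); the service user "vault" and the
# drop-in file name are assumptions for this illustration.
set -eu

VAULT_USER="vault"
VAULT_GROUP="vault"
VAULT_CONFIG="/etc/vault/vault.hcl"
VAULT_DATA="/var/lib/vault"
DROPIN_DIR="/etc/systemd/system/vault.service.d"
DROPIN_FILE="$DROPIN_DIR/10-unprivileged-ports.conf"

# Emit the override. A drop-in's User= replaces the User=root from the main
# unit. AmbientCapabilities gives the listed capabilities to the process even
# though it runs as a non-root user (systemd >= 229); CapabilityBoundingSet
# stops it from ever acquiring anything else.
render_dropin() {
    cat <<EOF
[Service]
User=${VAULT_USER}
Group=${VAULT_GROUP}
# CAP_NET_BIND_SERVICE: bind TCP ports below 1024 (80/443) without root.
# CAP_IPC_LOCK: lets Vault mlock() memory so secrets are never swapped out.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_IPC_LOCK
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_IPC_LOCK
NoNewPrivileges=yes
EOF
}

# Return 0 when the override grants every capability Vault needs here.
dropin_grants_required_caps() {
    render_dropin | grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE' &&
    render_dropin | grep -q '^AmbientCapabilities=.*CAP_IPC_LOCK'
}

# Return 0 when the override keeps the service off the root account.
dropin_runs_unprivileged() {
    ! render_dropin | grep -q '^User=root$'
}

# Apply on the host: create the service user if missing, give it the config
# and storage directory (the thread's "permission denied" on
# /var/lib/vault/core/_migration came from storage not owned by the service
# user), install the drop-in, restart, and show what is listening.
apply_dropin() {
    id "$VAULT_USER" >/dev/null 2>&1 ||
        useradd --system --home "$VAULT_DATA" --shell /usr/sbin/nologin "$VAULT_USER"
    chown -R "$VAULT_USER:$VAULT_GROUP" "$VAULT_DATA"
    chown "$VAULT_USER:$VAULT_GROUP" "$VAULT_CONFIG"
    chmod 0640 "$VAULT_CONFIG"
    mkdir -p "$DROPIN_DIR"
    render_dropin > "$DROPIN_FILE"
    systemctl daemon-reload
    systemctl restart vault
    # Either the listener is bound on 80/443, or the journal says why not.
    ss -ltnp | grep -E ':(80|443) ' || journalctl -u vault --no-pager -n 20
}

# Only touch the host when explicitly asked ("apply"); otherwise just print
# the override so it can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    apply_dropin
else
    render_dropin
fi
```

Run it without arguments to review the generated override, then `sh vault-ports.sh apply` as root to install it. After the restart, `ps -o user,cap -p $(pidof vault)` or `getpcaps $(pidof vault)` should show the process running as vault with only the two capabilities; if the bind still fails as a non-root user, the journal output at the end points at the remaining blocker.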

Thomas....@gmx.de

Mar 1, 2019, 10:13:59 AM
to Vault
Mär 01 16:11:03 systemd[1]: Started a tool for managing secrets.
Mär 01 16:11:03  vault[1722]: WARNING! Unable to read storage migration status.
Mär 01 16:11:03 vault[1722]: 2019-03-01T16:11:03.777+0100 [WARN]  storage migration check error: error="open /var/lib/vault/core/_migration: permission denied"
Mär 01 16:11:05  vault[1722]: 2019-03-01T16:11:05.778+0100 [WARN]  storage migration check error: error="open /var/lib/vault/core/_migration: permission denied"
Mär 01 16:11:07  vault[1722]: 2019-03-01T16:11:07.778+0100 [WARN]  storage migration check error: error="open /var/lib/vault/core/_migration: permission denied"
root@vault-dev:~# netstat -ntpl
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      401/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      538/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      786/exim4
tcp6       0      0 :::111                  :::*                    LISTEN      401/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      538/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      786/exim4

/etc/systemd/system/vault.service
User=root
Group=vault

mic...@hashicorp.com

Mar 1, 2019, 10:46:46 AM
to Vault
Mär 01 16:11:03 vault[1722]: 2019-03-01T16:11:03.777+0100 [WARN]  storage migration check error: error="open /var/lib/vault/core/_migration: permission denied"

Looks like there is a permission issue. Vault cannot start without a storage backend.
Also, it might be worth changing the Group to root.

Thomas....@gmx.de

Mar 1, 2019, 11:01:27 AM
to Vault
I've changed the group to root
and did chown root:root on the config dir and /var/lib/vault -> the storage error disappeared, but I'm still getting permission denied.


On Friday, March 1, 2019 at 14:38:36 UTC+1, thomas....@gmx.de wrote:

Nathan Hruby

Mar 1, 2019, 12:07:39 PM
to vault...@googlegroups.com
Hi,

Is selinux or seccomp enabled on the host that may prevent the binary from binding/opening lower privileged ports? There may be an audit error in /var/log/secure or /var/log/syslog, depending on your distro.

HTH,

-n

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode

Thomas....@gmx.de

Mar 4, 2019, 8:18:34 AM
to Vault
Nope, neither is in use.

mic...@hashicorp.com

Mar 4, 2019, 9:34:51 AM
to Vault
Hi Thomas,

It would be really helpful to see the full log output.
It seems like Vault crashes on start, but without any log output I cannot really help you here.

Cheers,
Michel