Vault init returns connection refused


Redsmile

Nov 3, 2016, 3:29:40 PM
to Vault
I have given up hope trying everything. Hence posting my question here:

This is my vault config:

backend "postgresql" {
  connection_url = "postgres://postgres:mypostgresspassword@localhost:5432/mydatabasename?sslmode=disable"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

I have installed vault and when I do a vault server -config myvault.hcl, I get this:


==> Vault server configuration:

                 Backend: postgresql
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Version: Vault v0.6.2

==> Vault server started! Log data will stream in below:

When I do vault init, I get this:

[vagrant@localhost ~]$ vault init
Error initializing Vault: Put https://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: getsockopt: connection refused


Please help!

Jeff Mitchell

Nov 3, 2016, 3:44:35 PM
to vault...@googlegroups.com

Hi,

It would be a strange error to get for this cause but one definite problem you'll be having there is that you're using an HTTPS Vault address on the client but TLS is disabled. You should use -address or set VAULT_ADDR to fix that.

Best,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ad378dc9-105e-4319-8922-a6713da035ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Redsmile

Nov 3, 2016, 3:49:03 PM
to Vault
I tried adding export VAULT_ADDR and I also tried it in the cmd line but http did not fix it.

[vagrant@localhost ~]$ export VAULT_ADDR=http://127.0.0.1:8200
[vagrant@localhost ~]$ vault init
Error initializing Vault: Put http://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: getsockopt: connection refused
[vagrant@localhost ~]$ vault init -address http://127.0.0.1:8200
Error initializing Vault: Put http://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: getsockopt: connection refused
[vagrant@localhost ~]$



Jeff Mitchell

Nov 3, 2016, 3:54:56 PM
to vault...@googlegroups.com

As a first order I suggest connecting with telnet to verify that it's actually listening on localhost; your system may be doing weird things with 0.0.0.0. You could try just making the listener explicitly set to 127.0.0.1 as well.

Best,
Jeff



Redsmile

Nov 3, 2016, 4:08:48 PM
to Vault
Hi Jeff,

I tried doing a telnet and it says connection refused there:

[vagrant@localhost ~]$ telnet localhost 8200
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
 
I tried modifying the address as you mentioned but I am still getting connection refused on vault init:

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

Do you have any suggestions I can try to get this fixed? Are you saying it's a problem with the way the machine is set up? I tried the same on another machine on the corporate network and I got connection refused on that one too.



Jeff Mitchell

Nov 3, 2016, 4:10:47 PM
to vault...@googlegroups.com

What does netstat -tln say?

The server is on the same machine as the client right?

Best,
Jeff



Redsmile

Nov 3, 2016, 4:18:49 PM
to Vault
Yes, I am using the same machine for the client and the server.

This is my netstat output:

[vagrant@localhost ~]$ netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
 

Jeff Mitchell

Nov 3, 2016, 4:26:55 PM
to vault...@googlegroups.com

Vault is, indeed, not listening... it'd be on port 8200.

I'm not sure what to tell you unfortunately. This feels like some issue with your machine or you think you're on the same machine but aren't, or some similar thing.

What happens if you launch the Vault server, Ctrl+Z to put it in the background (or run with &), and run that netstat command within that terminal?

Best,
Jeff



Redsmile

Nov 3, 2016, 4:48:18 PM
to Vault
The vault init times out after waiting for a long time.
 
[vagrant@localhost ~]$ vault server -config myvault.hcl
==> Vault server configuration:

                 Backend: postgresql
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Version: Vault v0.6.2

==> Vault server started! Log data will stream in below:

^Z
[1]+  Stopped                 vault server -config myvault.hcl
[vagrant@localhost ~]$ netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8200          0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
[vagrant@localhost ~]$ vault init




Error initializing Vault: Put http://127.0.0.1:8200/v1/sys/init: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Jeff Mitchell

Nov 3, 2016, 5:08:28 PM
to vault...@googlegroups.com
OK, so there in your netstat you can see that Vault is listening on
8200. Earlier in your netstat from the client side Vault was not
listening -- there was no port 8200 showing up.

'vault init' timing out there makes sense because the server process
was stopped so could not accept the connection. Note, however, that
it's not saying connection refused.

The only explanation I can think of is that your server and client are
not actually running on the same machine as you think they are.

Best,
Jeff
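
Added example, not part of the original thread: a small offline check for the two client-side problems discussed above, namely whether anything is listening where the client's address points, and whether the client's URL scheme matches the listener's tls_disable setting. The function names listener_state and expected_scheme are hypothetical, and the sample netstat text is trimmed from the outputs posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# listener_state URL: reads `netstat -tln` output on stdin and prints
#   listening        a LISTEN socket on the URL port is reachable at the URL host
#   wrong-interface  the port is bound, but only on some other address
#   not-listening    nothing is bound to the port ("connection refused")
# Assumes URL carries an explicit port, e.g. http://127.0.0.1:8200.
listener_state() {
    hostport=${1#*://}; hostport=${hostport%%/*}
    host=${hostport%:*}; port=${hostport##*:}
    [ "$host" = localhost ] && host=127.0.0.1   # assumption: IPv4 loopback
    awk -v host="$host" -v port="$port" '
        $NF == "LISTEN" {
            n = split($4, a, ":"); p = a[n]           # port is the last field
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            seen = 1
            # 0.0.0.0 and :: are wildcard binds (:: assumed dual-stack)
            if (addr == host || addr == "0.0.0.0" || addr == "::") ok = 1
        }
        END { print (ok ? "listening" : (seen ? "wrong-interface" : "not-listening")) }'
}

# expected_scheme: reads a Vault config on stdin and prints the URL scheme the
# client must use: http when tls_disable is 1/true, else https.
# Line match only, not an HCL parser.
expected_scheme() {
    if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?'; then
        echo http
    else
        echo https
    fi
}

# Trimmed from the two netstat outputs posted in the thread.
NETSTAT_CLIENT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'
NETSTAT_SERVER="$NETSTAT_CLIENT
tcp        0      0 127.0.0.1:8200          0.0.0.0:*               LISTEN"

printf '%s\n' "$NETSTAT_CLIENT" | listener_state http://127.0.0.1:8200   # not-listening
printf '%s\n' "$NETSTAT_SERVER" | listener_state http://127.0.0.1:8200   # listening
```

On a live host, pipe the real output instead: `netstat -tln | listener_state "$VAULT_ADDR"` and `expected_scheme < myvault.hcl`.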

Redsmile

Nov 3, 2016, 5:21:56 PM
to Vault
Ok, so if I have to list the steps that I took:

1) install vault from binary
2) Setup vault config
3) execute vault server -config myvault.hcl
4) vault init

I don't understand what you mean by saying client; am I missing something here?

I was under the understanding that the first initial steps would be to set up the server and then do vault unseal and vault write and go from there; please clarify. Thanks for all the support!

Jeff Mitchell

Nov 3, 2016, 11:00:17 PM
to vault...@googlegroups.com
I'm saying that it seems like steps 3 and 4 are taking place on
different machines, since at step 3 you see Vault's listening socket
and on the other you don't.

Best,
Jeff

Redsmile

Nov 4, 2016, 11:59:49 AM
to Vault
Thanks for all the help, Jeff. Appreciate it.

For all who are looking for answers, I finally got it working with the following:

vault server -config myvault.hcl -address=http://127.0.0.1:8200 &

vault init  -address=http://127.0.0.1:8200

The & and giving the -address did the trick!

Redsmile

Nov 4, 2016, 5:19:01 PM
to Vault
Jeff,


I have got it working end to end with the postgresql backend. But I have the following questions for you:

1) In the vagrant VM, when I quit the session, the vault server process gets killed. So is there a way to keep the vault server up and running on the Vagrant VM without having to manually execute vault server -config myvault.hcl & ?
2) Also, export VAULT_ADDR=http://127.0.0.1:8200 has to be entered manually for each session; how do we prevent this?
3) It worked when I ran it with sslmode=disable in both the vault config and in the postgres vault config; please share the link on how to set up SSL certs for it to work in production.
4) How do you store the application's database usernames and passwords in Vault? Where do you store them and how do you access them? Please share links to those.

I see a lot of docs for Vault but cannot correlate them all together.

Thanks again!