Hashicorp Vault Error: Error checking seal status

Question

I am working on generating self-signed certificates with Hashicorp vault and successfully generated the CA certificate, issuing ca, ca-chain and private keys using these links below: Policies, Build Your Certificate. I'm also able to import the resultant .pem which is the combination of the certificate, issuingCa, caChain and privateKey file into a Java keystore successfully with keytool to get a .jks.
So, I start vault successfully using this command vault server -config=config.hcl with the output below:

==> Vault server configuration:

             Api Address: https://test.sammy.com:8200
                     Cgo: disabled
         Cluster Address: https://test.sammy.com:8201
              Listener 1: tcp (addr: "127.0.0.1:9000", cluster address: "127.0.0.1:9001", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
              Listener 2: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2

==> Vault server started! Log data will stream in below:

2020-06-28T23:37:01.489+0100 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=

using the configuration file config.hcl (shown below) from this StackOverflow question:

backend "inmem" {}

listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "/Vault/pki_ca_cert_chain.pem"
  tls_key_file = "Vault/vault.key.pem"
}

# Advertise the non-loopback interface
api_addr = "https://test.sammy.com:8200"
cluster_addr = "https://test.sammy.com:8201"

I use this command to expose the server address:export VAULT_ADDR='https://test.sammy.com:8200'.
The issues I've got now are, when I run this command to view the server status vault status, I get the error below:

Error checking seal status: Get https://test.sammy.com:8200/v1/sys/seal-status: dial tcp 45.33.2.79:8200: connect: no route to host

My Spring Boot application picks the truststore file up but throws this exception at runtime: I/O exception (java.net.NoRouteToHostException) caught when processing request to {s}->https://test.sammy.com:8200: No route to host (Host unreachable) or simply, Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable). My bootstrap.yml looks like this

spring:
  application:
    name: hashicorp-spring-app
  cloud:
    vault:
      enabled: true
      host: test.sammy.com
      port: 8200
      scheme: https
      authentication: cert
      ssl:
        trust-store: classpath:vault-truststore.jks
        trust-store-password: somethingsecret

I get a different error when I try to initialize vault using this command:vault operator init

Error initializing: Put https://test.sammy.com:8200/v1/sys/init: dial tcp 45.79.19.196:8200: i/o timeout

I've tried this link to fix it but, I still get the I/O timeout error above. I'm quite sure I've missed something possibly simple and have combed the internet to find a straightforward solution for this but can't seem to find any so please, any help will be appreciated!!!

Answer 1

Your Vault instance listens to the loopback address only, because of this code:

listener "tcp" {
  address = "127.0.0.1:9000"
  tls_disable = 1
}

So you have 2 choices:

1. Run your client locally and set VAULT_ADDR=127.0.0.1:9000 in your environment variables
2. Change your configuration to address = 0.0.0.0:9000 and use standard networking to reach that Vault that listens on all interfaces.

As for api_addr, it is used to tell Vault how to advertise itself to its clients. It is not used for reaching it in the first place. So the value to put there depends on how your clients can reach Vault. For example, it's that address that will be sent to clients who op-out of Vault request forwarding with X-Vault-No-Request-Forwarding: 1.

The cluster_addr parameter is different : it is used by Vault only, never your clients. Vault uses it to reach consensus with Integrated storage, or to replicate with other clusters if you use Vault Enterprise.

Answer 2

Based on the error messages when running 'vault status' it would appear that the FQDN that you are using for the api_addr and cluster_addr is resolving to a public address, 45.33.2.79, which is not routable and likely not to be hosting your vault.

Change your api_addr and cluster_addr to: api_addr = "https://127.0.0.1:8200" cluster_addr = "https://127.0.0.1:8201"

This should sort both error that you are seeing.