
Unable to unseal vault with config files #3958

Closed
jumbo007 opened this issue Feb 12, 2018 · 13 comments
Labels
bug Used to indicate a potential bug storage/zookeeper

Comments

@jumbo007

jumbo007 commented Feb 12, 2018

Hi

I am following the steps below to start and unseal Vault for secret storage.

  1. Started ZooKeeper on my local Windows setup on port 2181

  2. Created one path "vault" in ZooKeeper

[zk: localhost:2181(CONNECTED) 0] ls /
[zookeeper, vault]
[zk: localhost:2181(CONNECTED) 1]

  3. Created one file vault.conf as:

backend "zookeeper" {
address = "127.0.0.1:2181"
redirect_addr = "http://127.0.0.1:8200"
path = "vault/"
}

listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}

  4. Started Vault using the above configuration file and got the response below:

D:\WORK\KMS>vault server -config=etc\vault.conf
==> WARNING: mlock not supported on this system!

An mlockall(2)-like syscall to prevent memory from being
swapped to disk is not supported on this system. Running
Vault on an mlockall(2) enabled system is much more secure.

==> Vault server configuration:
2018/02/12 12:49:26 Connected to 127.0.0.1:2181

                 Cgo: disabled
     Cluster Address: https://127.0.0.1:8201
          Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
           Log Level: info
               Mlock: supported: false, enabled: false
    Redirect Address: http://127.0.0.1:8200
             Storage: zookeeper (HA available)
             Version: Vault v0.9.0
         Version Sha: bdac1854478538052ba5b7ec9a9ec688d35a3335

==> Vault server started! Log data will stream in below:

2018/02/12 12:49:26 Authenticated: id=99511096385601541, timeout=4000
2018/02/12 12:49:26 Re-submitting 0 credentials after reconnect
2018/02/12 12:49:39.216306 [ERROR] core: failed to read seal configuration: error=zk: invalid path

  5. Tried to unseal Vault using the CLI but got the error below:

D:\WORK\KMS>vault unseal
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: http: server gave HTTP response to HTTPS client

In Postman, sending a GET request to "http://127.0.0.1:8200/v1/sys/seal-status" gives the response below:

{
"errors": [
"failed to check seal configuration: zk: invalid path"
]
}

What is the correct way to start and unseal Vault with ZooKeeper as storage?

@jumbo007
Author

In Postman, sending a GET request to "http://127.0.0.1:8200/v1/sys/unseal" gives the response below:

{
"errors": []
}

No error is posted on the console in this case.

@jumbo007
Author

jumbo007 commented Feb 12, 2018

Attempt 2:

  1. HCL file content:

backend "zookeeper" {
address = "127.0.0.1:2181"
redirect_addr = "http://127.0.0.1:8200"
path = "vault/"
}

  2. Output of vault server -config=etc\vault.hcl:

D:\WORK\KMS>vault server -config=etc\vault.hcl
==> WARNING: mlock not supported on this system!

An mlockall(2)-like syscall to prevent memory from being
swapped to disk is not supported on this system. Running
Vault on an mlockall(2) enabled system is much more secure.

==> Vault server configuration:

                 Cgo: disabled
     Cluster Address: https://127.0.0.1:8201
           Log Level: info
               Mlock: supported: false, enabled: false
    Redirect Address: http://127.0.0.1:8200
             Storage: zookeeper (HA available)
             Version: Vault v0.9.0

2018/02/12 17:29:07 Connected to 127.0.0.1:2181
Version Sha: bdac185

==> Vault server started! Log data will stream in below:

2018/02/12 17:29:07 Authenticated: id=99512262965067777, timeout=4000
2018/02/12 17:29:07 Re-submitting 0 credentials after reconnect

  3. Output of vault init:

Error initializing Vault: Put https://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: connectex: No connection could be made because the target machine actively refused it.

Which step am I missing, and how do I initialise and unseal Vault?

Thanks

@jefferai
Member

This appears to be a duplicate of #3896 (not identical but caused by similar issues with the underlying library). You may want to try a build from master, or wait for 0.9.4 (or don't use zookeeper).

@jumbo007
Author

Changed from ZooKeeper to filesystem storage.

New HCL file:

storage "file" {
path = "D:\WORK\data\"
}

Output of vault server -config=config.hcl:

D:\WORK\KMS>vault server -config=config.hcl
==> WARNING: mlock not supported on this system!

An mlockall(2)-like syscall to prevent memory from being
swapped to disk is not supported on this system. Running
Vault on an mlockall(2) enabled system is much more secure.

==> Vault server configuration:

                 Cgo: disabled
           Log Level: info
               Mlock: supported: false, enabled: false
             Storage: file
             Version: Vault v0.9.0
         Version Sha: bdac1854478538052ba5b7ec9a9ec688d35a3335

==> Vault server started! Log data will stream in below:

Output of "vault init":

D:\WORK>vault init
Error initializing Vault: Put https://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: connectex: No connection could be made because the target machine actively refused it.

Tried setting VAULT_ADDR:

D:\WORK>set VAULT_ADDR=http://127.0.0.1:8200

D:\WORK>vault init
Error initializing Vault: Put http://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: connectex: No connection could be made because the target machine actively refused it.

D:\WORK>

No service is running on port 8200, 8201 or 8202.

@jefferai
Member

What is the rest of your configuration file? What is the rest of the data displayed at Vault startup?

@dchrislloyd

dchrislloyd commented Jun 27, 2018

I've been hitting this exact same issue trying to run Vault with a Zookeeper backend. My config is practically identical to the one provided by jumbo007 and I got the very same error (e.g. "failed to check seal configuration: zk: invalid path"). This occurs with both windows_386 and windows_amd64 variants, and for all versions I tried (0.8.3, 0.9.6 and 0.10.3).

On further investigation, I've found that this issue is isolated to the Windows version of Vault. I launched the Docker version (official Vault image) with the same config file and it works just fine without any error.
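The "zk: invalid path" error reported in this thread is raised client-side by the ZooKeeper path check, before anything reaches the server. Below is an added illustration written for this thread (not Vault's code and not the client library's): it re-implements those path rules, shows why a configured path of "vault/" must become an absolute prefix, and, as an assumption about the Windows-only failure that the thread does not confirm, what happens if a storage key is joined onto the prefix with a platform-native file separator.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidPath carries the exact text Vault surfaced in the thread.
var ErrInvalidPath = errors.New("zk: invalid path")

// ValidateZkPath re-implements the node-path rules a ZooKeeper client enforces
// before sending a request (written for this thread, not Vault's or the client
// library's code): absolute, no empty/"."/".." components, no control characters.
func ValidateZkPath(p string) error {
	if p == "" || p[0] != '/' {
		return ErrInvalidPath // relative paths such as "vault/" fail here
	}
	if p == "/" {
		return nil
	}
	for _, comp := range strings.Split(p[1:], "/") { // a trailing "/" yields an empty component
		if comp == "" || comp == "." || comp == ".." {
			return ErrInvalidPath
		}
		for _, r := range comp {
			if r < 0x20 || (r >= 0x7f && r <= 0x9f) {
				return ErrInvalidPath
			}
		}
	}
	return nil
}

// NormalizePrefix turns a configured path such as "vault/" into the absolute,
// slash-free prefix that node paths must start from.
func NormalizePrefix(configured string) string {
	return "/" + strings.Trim(configured, "/")
}

// KeyPath joins prefix and a storage key with sep. Passing `\` simulates a platform-native
// file separator; that this explains the Windows-only failure is an assumption, not confirmed here.
func KeyPath(prefix, key, sep string) string {
	return strings.ReplaceAll(prefix+"/"+key, "/", sep)
}

func main() {
	for _, p := range []string{"vault/", NormalizePrefix("vault/"),
		KeyPath("/vault", "core/seal-config", "/"), KeyPath("/vault", "core/seal-config", `\`)} {
		fmt.Printf("%-26q -> %v\n", p, ValidateZkPath(p))
	}
}
```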

@GauravKaushik01

@dchrislloyd
Thanks, but any suggestion for windows issue?
I am facing the same issue, but when I run the command below:
$ vault operator init

it says: Error initializing: Put http://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: connectex: No connection could be made because the target machine actively refused it.
Please suggest.

@7thwik

7thwik commented Aug 8, 2018

@AAGJKPRT did you find the solution for the problem on Windows?

@jefferai
Member

jefferai commented Aug 9, 2018

I would guess it's Windows Firewall blocking the port, based on the error message.

You could try telnet-ing into that port too to see if you can connect that way.

@kuppuram

Try adding the parameter disable_mlock = false in the config file.

@catsby
Contributor

catsby commented Dec 2, 2019

Hello - we haven't heard anything for a few weeks, so I'm going to close this for now. It's not clear to me thus far that this represents a bug in Vault itself. If you have more information on steps to reproduce, please let us know and we can take another look!

Also, for future questions or discussion such as this, please check out https://discuss.hashicorp.com/c/vault

Thanks!

@catsby catsby closed this as completed Dec 2, 2019
@sudhir6199

100% this link will resolve your issue:
https://www.techmanyu.com/hashicorp-vault-setup-on-linux/

@javaHelper

@sudhir6199 - Your link https://www.techmanyu.com/hashicorp-vault-setup-on-linux/ is no longer active. Crazy to see that the issue still doesn't have an alternative solution yet.
