I am trying to run Vault with docker-compose on a virtual machine running Ubuntu 20.04 (IP: 192.168.56.9). Without HTTPS it already works fine, but when I try to run Vault over HTTPS with a self-signed certificate from OpenSSL, it doesn't work.

Here are my configurations:

docker-compose.yml:

version: '3.6'
services:
  vault:
    build:
      context: ./vault
      dockerfile: Dockerfile
    ports:
      - 8200:8200
    volumes:
      - ./vault/config:/vault/config
      - ./vault/policies:/vault/policies
      - ./vault/data:/vault/data
      - ./vault/logs:/vault/logs
      - ./vault/volume_test/:/vault/volume_test
    environment:
      - VAULT_ADDR=http://192.168.56.9:8200
    command: server -config=/vault/config/vault-config.conf
    cap_add:
      - IPC_LOCK

Dockerfile:

# base image
FROM alpine:3.7
# set vault version
ENV VAULT_VERSION 0.10.3
# create a new directory
RUN mkdir /vault
# download dependencies
# (no trailing backslash on the last package: a continuation followed by a comment
# line would glue the next RUN onto this apk command)
RUN apk --no-cache add \
      bash \
      ca-certificates
# download and set up vault (busybox in alpine provides unzip)
RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
    unzip /tmp/vault.zip -d /vault && \
    rm -f /tmp/vault.zip && \
    chmod +x /vault/vault
# update PATH so the "vault" entrypoint resolves to /vault/vault
ENV PATH="$PATH:/vault"
# add the config file
COPY ./config/vault-config.conf /vault/config/vault-config.conf
# expose port 8200
EXPOSE 8200
# run vault
ENTRYPOINT ["vault"]

My vault-config.conf:

backend "file" {
  # absolute path, matching the ./vault/data:/vault/data volume
  path = "/vault/data"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = false
  tls_cert_file = "/home/xxx/Vault-Docker/domain.crt"
  tls_key_file = "/home/xxx/Vault-Docker/domain.key"
}

#api_addr = "http://192.168.56.9:8200"
disable_mlock = true
ui = true

How I create my .crt and my .key:

Create a cert.conf file in /home/xxx/Vault-Docker/:

[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.56.9
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.56.9

And execute in /home/xxx/Vault-Docker/:

openssl req -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config cert.conf

But when I run :

docker-compose up -d --build

Then :

docker logs vault-docker_vault_1

The output is :

Error initializing listener of type tcp: error loading TLS cert: open /home/xxx/Vault-Docker/domain.crt: no such file or directory

Can someone tell me where my error is?

Thanks a lot!

Hello @Wolfsrudel

Thanks for the answer. I didn't know that I had to copy/mount my certificates into my container... I'm a beginner with Vault and Docker.

So how do I proceed? First I create my .key and my .csr and I can put them in a volume such as my "volume_test"? Then when I run my docker-compose, my container will be set up with my volume "volume_test" with the .key and the .csr on it?

Thanks for the help!
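The step the post above asks about, as an added example that is not part of the thread (neither the original poster's nor Wolfsrudel's code). Vault resolves tls_cert_file and tls_key_file inside the container's filesystem, so a path on the VM such as /home/xxx/Vault-Docker/domain.crt does not exist there, which is exactly the "no such file or directory" error. The compose file in the first post already bind-mounts ./vault/config at /vault/config, so anything placed under ./vault/config/tls on the host appears at /vault/config/tls in the container. The script below generates the self-signed certificate with the IP in its SAN, writes it there, writes a Vault config that references the container-side path, and runs three pre-flight checks before docker-compose up: cert and key are a pair, the SAN carries the IP, and no tls_*_file path lies outside the mounted directory. PROJECT and VAULT_IP are assumed variable names; the 192.168.56.9 address and the directory layout come from the thread; keyUsage adds digitalSignature (needed when the server signs an ECDHE handshake) and the config uses storage, the current name for backend.

```shell
#!/bin/sh
# Added example, not from the thread. Certificates must live in a directory that
# docker-compose mounts into the container, and the Vault config must name the
# container-side path (the thread's compose file mounts ./vault/config at
# /vault/config). Assumed names: PROJECT = directory holding docker-compose.yml
# (default .), VAULT_IP = address clients connect to (default 192.168.56.9).
set -eu

VAULT_IP="${VAULT_IP:-192.168.56.9}"

# Generate a self-signed cert whose SAN is the IP clients connect to.
# $1 = output directory, $2 = RSA key size (default 4096).
# keyUsage includes digitalSignature: with ECDHE the server signs the handshake,
# and browsers reject a server cert that lacks it.
gen_self_signed() {
  dir="$1"; bits="${2:-4096}"
  mkdir -p "$dir"
  cat > "$dir/cert.conf" <<EOF
[req]
default_md = sha256
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $VAULT_IP
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$VAULT_IP
EOF
  openssl req -x509 -nodes -newkey "rsa:$bits" -days 365 \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" -config "$dir/cert.conf" 2>/dev/null
  # the key is a secret: not world-readable (adjust ownership if Vault runs as non-root)
  chmod 600 "$dir/domain.key"
}

# Cert and key must be a pair: compare the public keys they carry.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# The SAN must carry the IP used in VAULT_ADDR, or clients fail hostname
# verification even after trusting the cert.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "IP Address:$2"
}

# Write the Vault config the container reads. Paths are the container side of
# the bind mount ./vault/config:/vault/config.
write_vault_config() {
  cat > "$1" <<EOF
storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/config/tls/domain.crt"
  tls_key_file  = "/vault/config/tls/domain.key"
}

api_addr      = "https://$VAULT_IP:8200"
ui            = true
disable_mlock = true
EOF
}

# Pre-flight check for the error in the thread: both tls_*_file paths must lie
# under a directory that is mounted into the container (/vault/config here).
config_paths_mounted() {
  paths=$(grep -E -o 'tls_(cert|key)_file *= *"[^"]*"' "$1" | sed 's/.*"\(.*\)"/\1/')
  [ "$(printf '%s\n' "$paths" | grep -c .)" -eq 2 ] || return 1
  ! printf '%s\n' "$paths" | grep -qv '^/vault/config/'
}

demo() {
  project="${PROJECT:-.}"
  gen_self_signed "$project/vault/config/tls"
  write_vault_config "$project/vault/config/vault-config.conf"
  cert_matches_key "$project/vault/config/tls/domain.crt" "$project/vault/config/tls/domain.key"
  cert_has_ip_san "$project/vault/config/tls/domain.crt" "$VAULT_IP"
  config_paths_mounted "$project/vault/config/vault-config.conf"
  echo "ok: set VAULT_ADDR=https://$VAULT_IP:8200 in docker-compose.yml and run docker-compose up -d --build"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh setup-tls.sh demo` from the directory that holds docker-compose.yml, then change VAULT_ADDR in the compose file to https://192.168.56.9:8200. The checks are cheap to keep in a Makefile or CI step: the host-path mistake from the first post is caught by config_paths_mounted before the container is even built. If Vault runs as a non-root user inside the container (the official image does), the 0600 key owned by your host user will not be readable by it, so chown it to that uid or relax the mode on a copy that only the container sees.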

Hello @Wolfsrudel

I am trying to understand where my mistakes are.

So I try to run Vault with HTTPS like this:

vault.hcl file:

backend "file" {
  path = "/var/lib/vault"
}

api_addr = "https://192.168.56.9:443"
ui = true
disable_mlock = true

listener "tcp" {
  address       = "192.168.56.9:443"
  tls_cert_file = "/home/tim/Vault-Docker/domain.crt"
  tls_key_file  = "/home/tim/Vault-Docker/domain.key"
  tls_disable   = 0
}

Then I run vault server -config vault.hcl and I try to see if https://192.168.56.9 is enabled. I get a message from Firefox saying that my certificate is not secure because it is self-signed, and I get this message:

Vault UI is not available in this binary.
To get Vault UI do one of the following:
    Download an official release
    Run make bin to create your own release binaries.
    Run make dev-ui to create a development binary with the UI. 

Can you explain to me why I don't have the UI?

I will try with docker-compose once I am able to do it this way!

Thanks a lot!

General question: Is there a reason why you built the image yourself instead of using the official one from Docker Hub? Your problem may then be solved. I've seen the error message about the binary before, but I first have to check what it was.

EDIT: