Install HashiCorp Vault server on Windows platform

0

Hi AWS, I am installing a Vault server on an Amazon Windows 11 platform. The steps I performed so far are:

  1. Installed the Vault executable zip, unzipped it and stored it at C:\vault\vault.exe.
  2. Created the configuration file (vault.hcl) and stored it inside C:\vault. The content of the HCL file is:

    ui            = true
    cluster_addr  = "https://127.0.0.1:8201"
    api_addr      = "https://127.0.0.1:8200"
    disable_mlock = true

    storage "file" {
      path = "/vault/data"
    }

    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = true
    }

  3. Created the Vault Windows service and started it. The commands I ran are:

    sc.exe create Vault binPath="C:\vault\vault.exe agent -config=C:\vault\vault.hcl" displayName="Vault" start=auto
    sc.exe start Vault
    sc.exe query Vault


  4. Ran the vault server CLI command vault server -address="https://127.0.0.1:8200" -config="C:\vault\vault.hcl" and got this output:

    ==> Vault server configuration:

    Administrative Namespace:
                 Api Address: https://127.0.0.1:8200
                         Cgo: disabled
             Cluster Address: https://127.0.0.1:8201
       Environment Variables: ALLUSERSPROFILE, APPDATA, AWS Copilot, COMPUTERNAME, ChocolateyInstall, ChocolateyLastPathUpdate, ComSpec, CommonProgramFiles, CommonProgramFiles(x86), CommonProgramW6432, DriverData, GIT_LFS_PATH, GOPATH, HOMEDRIVE, HOMEPATH, LOCALAPPDATA, LOGONSERVER, NUMBER_OF_PROCESSORS, OPENSSL_CONF, OS, OneDrive, OneDriveConsumer, OnlineServices, PATHEXT, PROCESSOR_ARCHITECTURE, PROCESSOR_IDENTIFIER, PROCESSOR_LEVEL, PROCESSOR_REVISION, PSModulePath, PUBLIC, Path, ProgramData, ProgramFiles, ProgramFiles(x86), ProgramW6432, RegionCode, SystemDrive, SystemRoot, TEMP, TMP, USERDOMAIN, USERDOMAIN_ROAMINGPROFILE, USERNAME, USERPROFILE, VAULT_ADDR, VAULT_SKIP_VERIFY, VBOX_MSI_INSTALL_PATH, platformcode, windir
                  Go Version: go1.22.5
                  Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", disable_request_limiter: "false", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                   Log Level:
                       Mlock: supported: false, enabled: false
               Recovery Mode: false
                     Storage: file
                     Version: Vault v1.17.3, built 2024-08-06T14:28:45Z
                 Version Sha: c91c85442144e1228c02123fc4b19337f7d52700

    ==> Vault server started! Log data will stream in below:

    2024-08-28T22:16:33.942+0530 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
    2024-08-28T22:16:33.945+0530 [INFO]  incrementing seal generation: generation=1
    2024-08-28T22:16:33.946+0530 [INFO]  core: Initializing version history cache for core
    2024-08-28T22:16:33.946+0530 [INFO]  events: Starting event system

  5. Then I explicitly set this environment variable using Windows PowerShell, i.e. $Env:VAULT_ADDR='https://127.0.0.1:8200'

  6. When I ran vault status, I got this error:

    Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client

  7. I further ran the vault operator diagnose -config="C:\vault\vault.hcl" command and got this output:

    Vault v1.17.3 (c91c85442144e1228c02123fc4b19337f7d52700), built 2024-08-06T14:28:45Z

    Results:
    [ failure ] Vault Diagnose: HCP link check will not run on OSS Vault.
      [ success ] Check Operating System
        [ success ] Check Disk Usage: C: usage ok.
      [ success ] Parse Configuration
      [ warning ] Check Telemetry: Telemetry is using default configuration
        By default only Prometheus and JSON metrics are available. Ignore this warning if you are using telemetry or are using these metrics and are satisfied with the default retention time and gauge period.
      [ success ] Check Storage
        [ success ] Create Storage Backend
        [ success ] Check Storage Access
      [ success ] Determine Redirect Address
      [ success ] Check Cluster Address: Cluster address is logically valid and can be found.
      [ success ] Create Core Configuration
        [ success ] Initialize Randomness for Core
      [ success ] HA Storage
        [ skipped ] Check HA Consul Direct Storage Access: No HA storage stanza is configured.
        [ success ] Create HA Storage Backend
      [ success ] Check Core Creation
      [ skipped ] Check Service Discovery: No service registration configured.
      [ success ] Create Vault Server Configuration Seals
      [ skipped ] Check Transit Seal TLS: No transit seal found in seal configuration.
      [ skipped ] Check For Autoloaded License: License check will not run on OSS Vault.
      [ failure ] Start Listeners
        [ warning ] Check Listener TLS: Listener at address 127.0.0.1:8200: TLS is disabled in a listener config stanza.
        [ failure ] Create Listeners: Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted.
      [ success ] Check Server Before Runtime
      [ success ] Finalize Shamir Seal
      [ skipped ] Check Autounseal Encryption: Skipping barrier encryption test. Only supported for auto-unseal.

In order to troubleshoot it, I ran the command netstat -ano | findstr :8200 and killed the processes using the same port, but I am still experiencing the error. There are no logs collected either.

Please acknowledge and help me out, as I have spent the whole day on this and am still not able to install the Vault server successfully, and I also didn't find a suitable document for configuring a Vault server on the Windows platform.

asked a month ago, 66 views
1 Answer
0

The error message bind: Only one usage of each socket address (protocol/network address/port) is normally permitted suggests that port 8200 is already being used by another process.

Solution:

  1. Run netstat -ano | findstr :8200 to check which process is using port 8200.
  2. Kill the process using this port by running taskkill /PID <PID> /F, where <PID> is the process ID from the netstat command.
  3. Restart the Vault service using sc.exe start Vault.

The error http: server gave HTTP response to HTTPS client indicates a mismatch between the expected protocol (HTTP vs. HTTPS).

Solution: Update your Vault configuration to either disable TLS (using HTTP) or enable TLS (using HTTPS). Since your current configuration has tls_disable = true, ensure that you're accessing the server over http://127.0.0.1:8200 instead of https://127.0.0.1:8200. Update the environment variable accordingly:

    $Env:VAULT_ADDR='http://127.0.0.1:8200'

Then try running vault status again.

Ensure that no other services are running on port 8200. If you still encounter issues, you might need to change the port in the vault.hcl configuration:

    listener "tcp" {
      address       = "127.0.0.1:8201"  # Use a different port here
      tls_disable   = true
    }

Make sure the storage path /vault/data exists and is writable by the service.

Ensure that the Vault service is correctly set up with the right path to the executable and configuration file:

    sc.exe create Vault binPath="C:\vault\vault.exe server -config=C:\vault\vault.hcl" displayName="Vault" start=auto

Check if Vault has any log files being generated in the C:\vault directory. You can also redirect logs by modifying the service creation command:

    sc.exe create Vault binPath="C:\vault\vault.exe server -config=C:\vault\vault.hcl > C:\vault\vault.log 2>&1" displayName="Vault" start=auto

Deeksha (AWS EXPERT), answered a month ago
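The three checks the answer walks through (service command line, VAULT_ADDR scheme versus tls_disable, and whether the listener port is already bound and by which process) can be run together before touching anything. The following PowerShell pre-flight script is an added example and is not part of the question, the answer, or Vault itself; it assumes the config lives at C:\vault\vault.hcl, the service is named "Vault", and the file has a single tcp listener stanza.

```powershell
# Added example (not from the thread): pre-flight check for a Vault server on Windows.
# Assumptions: config at C:\vault\vault.hcl, service name "Vault", one tcp listener stanza.
$ConfigPath  = 'C:\vault\vault.hcl'
$ServiceName = 'Vault'

$hcl = Get-Content -Raw $ConfigPath

# Pull the listener address and tls_disable out of the listener stanza.
$addr = [regex]::Match($hcl, 'address\s*=\s*"([^"]+)"').Groups[1].Value
$tlsDisabled = ([regex]::Match($hcl, 'tls_disable\s*=\s*(true|false)').Groups[1].Value -eq 'true')
$expectedScheme = if ($tlsDisabled) { 'http' } else { 'https' }
$expectedAddr = "${expectedScheme}://$addr"
Write-Host "Listener $addr (tls_disable=$tlsDisabled): clients must use $expectedAddr"

# 1. Does VAULT_ADDR use the scheme the listener actually speaks?
#    A mismatch here is exactly the 'server gave HTTP response to HTTPS client' error.
$vaultAddr = $env:VAULT_ADDR
if (-not $vaultAddr) {
    Write-Warning "VAULT_ADDR is not set; run: `$Env:VAULT_ADDR='$expectedAddr'"
} elseif (-not $vaultAddr.StartsWith("${expectedScheme}://")) {
    Write-Warning "VAULT_ADDR=$vaultAddr but the listener speaks $expectedScheme; set it to $expectedAddr"
}

# 2. Is the service command line running 'vault server' rather than 'vault agent'?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Host "Service '$ServiceName' state=$($svc.State) binPath=$($svc.PathName)"
    if ($svc.PathName -match '\bagent\b') {
        Write-Warning "binPath runs 'agent'; a server needs 'vault.exe server -config=...'"
    }
} else {
    Write-Host "No service named '$ServiceName' is registered"
}

# 3. Is the listener port already bound, and by which process?
#    If the owner is the Vault service itself, a second 'vault server' run by hand
#    will always fail with the 'Only one usage of each socket address' bind error.
$port = [int]($addr -split ':')[-1]
$conns = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($conns) {
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning "Port $port is already bound by PID $($c.OwningProcess) ($($proc.ProcessName))"
    }
} else {
    Write-Host "Port $port is free"
}
```

If the port is held by vault.exe started by the service, stop the service with sc.exe stop Vault before running vault server interactively, or just query the running instance with vault status.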
  • I have performed all the troubleshooting steps you provided above and when I ran this command vault server -config="C:\vault\vault.hcl", I got this error:

    Error parsing listener configuration.
    Error initializing listener of type tcp: listen tcp 127.0.0.1:8202: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted.
    2024-08-29T12:47:42.615+0530 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
    2024-08-29T12:47:42.615+0530 [INFO]  incrementing seal generation: generation=1
    2024-08-29T12:47:42.615+0530 [INFO]  core: Initializing version history cache for core
    2024-08-29T12:47:42.615+0530 [INFO]  events: Starting event system
    

    Here is the updated vault.hcl:

    ui            = true
    cluster_addr  = "http://127.0.0.1:8201"
    api_addr      = "http://127.0.0.1:8200"
    disable_mlock = true
    
    storage "file" {
      path = "/vault/data"
    }
    
    listener "tcp" {
      address       = "127.0.0.1:8202"
      tls_disable = true
    }
    
