Vault UI APIs giving ERR_CONNECTION_RESET Failure after initial success


I am getting all the APIs in the UI as success initially, and then once I create a new raft cluster I get ERR_CONNECTION_RESET for my APIs in the UI.

I have my Vault server running as a Docker container in a lab environment and am trying to access it from my laptop after connecting to the VPN. Since a few API calls are going through successfully, I assume it is not a firewall or VPN issue.

I am able to successfully unseal from the CLI.


My vault.hcl file:

cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path    = "/path/to/raft/data"
  node_id = "raft_node_id"
}

# Listener on port 8200 (adjust as needed)
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true  # Disable TLS for development (enable for production)
}

# Enable the UI
ui = true

# Enable userpass authentication (for development purposes)
# Note: Vault's server config has no "auth" stanza; auth methods are enabled
# at runtime with `vault auth enable userpass` and users are created via the API.
auth "userpass" {
  type = "userpass"
  users {
    username = "vault_user"
    password = "vault_password"
  }
}

When I try to unseal from the Web UI I get the same issues.

But I am able to unseal and connect successfully from the CLI.

/ # vault operator unseal Vv1qKhQ0So......vsZNLgnSBmwQ
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       f7d8706f-9623-38a0-d454-2c4564749d17
Version            1.13.3
Build Date         2023-06-06T18:12:37Z
Storage Type       raft
HA Enabled         true
/ #

Trial 2

I tried running the latest Vault container using the command below:

docker pull hashicorp/vault
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 hashicorp/vault server

I am getting the same ERR_CONNECTION_RESET issue.

VonC answered:

Since you can unseal Vault from the CLI, the issue is likely not with the Vault server itself but with the network configuration, like a problem with how the Docker container networking is configured regarding the VPN.

                 +-----------------+
                 |   [Laptop]      |
                 |  Vault UI       |
                 +--------|--------+
                          |
+-------------------------|-------------------------+
| [Docker Container]                                |
|  +------------------+        +-----------------+  |
|  |  Vault Server    | <----> |  Vault Storage  |  |
|  |  Listener: 8200  |        |  Raft Protocol  |  |
|  +------------------+        +-----------------+  |
+--------------------------------------------------+

You have configured the listener to bind to 0.0.0.0:8200 and disabled TLS. Make sure there are no conflicts or security policies on your network that may interfere with traffic on this port, especially since you are connecting over a VPN.

The cluster_addr and api_addr are set to 127.0.0.1. That means they are only accessible locally within the container. If you are trying to access the UI from your laptop, these addresses will not be reachable. These should be set to the actual IP address or resolvable hostname of your Docker host within the VPN.

Your Vault configuration could be:

listener "tcp" {
  address     = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable = true  # Should be false in production
}

# The addresses below need to be accessible by all nodes and clients
api_addr = "http://<Docker-Host-IP>:8200"
cluster_addr = "http://<Docker-Host-IP>:8201"

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

Which is:

[Laptop via VPN]
    |
    v
[Docker Host IP] (accessible via VPN)
    |
[Container running Vault]
    | <- Listens on all interfaces 0.0.0.0:8200 (accessible via Docker Host IP)
    |
[Vault Raft Storage] (within the container)
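A small shell check for the misconfigurations the answer points at (api_addr/cluster_addr on loopback, and an https api_addr on a listener with tls_disable = true), added here as an example and not part of the original answer; the SAMPLE_HCL is constructed to resemble the question's file.

```shell
#!/bin/sh
# Constructed sample resembling the question's vault.hcl (not the poster's real file).
SAMPLE_HCL='cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true  # development only
}'

# Print the quoted string value of KEY in FILE (first match, empty if absent).
hcl_str() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1; }
# Print the bare (unquoted) value of KEY in FILE, e.g. true/false.
hcl_raw() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1; }

# Host and scheme of a URL such as https://127.0.0.1:8201 (IPv4 and hostnames only).
url_host()   { printf '%s\n' "$1" | sed 's#^[a-z][a-z]*://##; s#[:/].*##'; }
url_scheme() { printf '%s\n' "$1" | sed -n 's#^\([a-z][a-z]*\)://.*#\1#p'; }

# Succeeds when HOST is loopback, i.e. reachable only from inside the container.
is_loopback() { case "$1" in 127.*|localhost) return 0 ;; *) return 1 ;; esac; }

# Print one WARN line per problem found in FILE.
check_config() {
  tls_off=$(hcl_raw "$1" tls_disable)
  for key in api_addr cluster_addr; do
    url=$(hcl_str "$1" "$key")
    [ -z "$url" ] && continue
    if is_loopback "$(url_host "$url")"; then
      echo "WARN: $key=$url points at loopback; clients outside the container cannot reach it"
    fi
    if [ "$key" = api_addr ] && [ "$tls_off" = true ] && [ "$(url_scheme "$url")" = https ]; then
      echo "WARN: api_addr uses https but the listener has tls_disable = true"
    fi
  done
  if [ "$tls_off" = true ]; then
    echo "WARN: tls_disable = true; traffic on the listener port is plaintext"
  fi
}

# Number of WARN lines produced for FILE (0 means nothing flagged).
count_findings() { check_config "$1" | grep -c '^WARN'; }

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_HCL" > "$tmp"
check_config "$tmp"
rm -f "$tmp"
```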