Boundary cluster/worker TLS config with public certs?

Using public certs for the API listener works great.

I’m a little confused by this configuration in the reference implementation boundary-reference-architecture/controller.hcl.tpl at main · hashicorp/boundary-reference-architecture · GitHub

When I tried using these here, the worker could never establish a session.

[ERROR] worker: error making status request to controller: error="rpc error: code = Unavailable desc

Reading through the documentation it appears that the TLS between controller and worker isn’t based on public KPI at all.

Is this a mistake in the reference implementation, or am I otherwise doing something wrong?

I think it’s a mistake in the reference implementation. However, the code should be ignoring any TLS parameters given. Can you confirm that everything is working fine when those TLS parameters are not included, but fail specifically when that one thing is changed?

@malnick can you update the reference implementation?

Can you confirm that everything is working fine when those TLS parameters are not included, but fail specifically when that one thing is changed?

Yes. Worker works fine without key/cert being set but fails if they are set and pointing to valid publicly-issued certs.

API controller works as expected either way: host-generated cert, or publicly issued one work as expected (warning/none respectively)

Hi. Including @jeff also.

Looks like i’m facing almost the same problem. When using a certificate(provided by LetsEncrypt) on my public domain, listener works without problems and by https protocol.

Here’s my config.hcl:

listener “tcp” {
address = “10.0.0.22”
purpose = “api”
tls_cert_file = “/etc/letsencrypt/live/boundary.fncit.com.br/fullchain.pem”
tls_key_file = “/etc/letsencrypt/live/boundary.fncit.com.br/privkey.pem”
}

But attempting to connect through ssh, got this error:
“Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get “https://boundary.fncit.com.br:9200/v1/proxy”: x509: certificate is valid for boundary.fncit.com.br, not s_um472h4cCX” (s_um472h4cCX, wich is the session id).

Can you help me on that question?

I have also this issue on my side and really don’t understand why.
With curl my certificate is totally ok.

Well the worker is upset because it is needs a cert signed by the Boundary internal CA, it won’t validate a public cert. This is a mistake in the reference implementation.

Thanks for the answer.
I’ll try to rethink the setup then !

What’s your configuration? It looks like you’re specifying the API address for the worker’s address, so when it’s sending the worker’s address to the client to dial it’s using the wrong port – I’d expect it to be 9202 above, not 9200.