Hi, I can successfully authenticate myself using the command below.
~ boundary authenticate password -login-name=jeff -password=foofoofoo -auth-method-id=ampw_5Aiqy1zvF5
Authentication information:
Account ID: apw_nDkJsApfym
Auth Method ID: ampw_5Aiqy1zvF5
Expiration Time: Wed, 10 Mar 2021 14:49:42 JST
Token:
at_p0itAjmn67_s12TzikoWGGZfA4vtNy17Za2jqYPhntRZgSt6fV1daQYReBR5Vmz52jFa5mZdy6kDmmkRerGngNK2RBpyUeuzcGoBTF7YiUohcmyRdngWdRbdT
User ID: u_mPihJkaNsc
However, when I try to connect to the target instance using boundary connect ssh -target-id ttcp_bNARIi1qIZ, I get the error below.
Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://boundary.dev.mydomain.cloud:9202/v1/proxy": dial tcp 10.0.16.28:9202: connect: operation timed out
kex_exchange_identification: read: Connection reset by peer
What should I check to handle this problem?
My controller.hcl is as below.
disable_mlock = true
controller {
  name = "kubernetes-controller"
  description = "A controller for a kubernetes demo!"
  database {
    url = "env://BOUNDARY_PG_URL"
  }
  public_cluster_addr = "boundary.boundary.svc.cluster.local:9201"
}
listener "tcp" {
  address = "0.0.0.0"
  purpose = "api"
  tls_disable = true
}
listener "tcp" {
  address = "0.0.0.0"
  purpose = "cluster"
  tls_disable = true
}
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id = "global_root"
}
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_worker-auth"
}
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_recovery"
}
My worker.hcl is as below.
disable_mlock = true
worker {
  # Name should be unique across workers
  name = "kubernetes-boundary-worker"
  description = "Boundary worker running in k8s"
  controllers = ["boundary.boundary.svc.cluster.local:9201"]
  public_addr = "boundary.dev.mydomain.cloud"
}
listener "tcp" {
  address = "0.0.0.0"
  purpose = "proxy"
  tls_disable = true
}
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id = "global_root"
}
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_worker-auth"
}
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_recovery"
}
For additional information, I’m using Kubernetes as Istio. I deployed the worker and controller separately in different containers, using one deployment. If there is additional information I should provide, feel free to ask. Thanks.
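
An added example, not part of the original post and not HashiCorp code: the error above shows the client dialing the worker's public_addr on port 9202 and timing out at the TCP layer, so this Python sketch derives that endpoint from worker.hcl and classifies a TCP dial made from the client machine. The regex-based parsing, the function names and the embedded config excerpt are assumptions made for illustration.

```python
import errno
import re
import socket

DEFAULT_PROXY_PORT = 9202  # port the client dialed in the error on this page

# Constructed sample: the worker stanza from the post's worker.hcl.
WORKER_HCL = '''
worker {
  name = "kubernetes-boundary-worker"
  controllers = ["boundary.boundary.svc.cluster.local:9201"]
  public_addr = "boundary.dev.mydomain.cloud"
}
'''

def proxy_endpoint(hcl_text):
    """Return the (host, port) clients will dial, taken from public_addr."""
    m = re.search(r'^\s*public_addr\s*=\s*"([^"]+)"', hcl_text, re.M)
    if not m:
        raise ValueError("no public_addr in worker config")
    host, sep, port = m.group(1).rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return m.group(1), DEFAULT_PROXY_PORT  # no explicit port in the config

def probe(host, port, timeout=3.0):
    """Classify a TCP dial the way the client-side error would surface it."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"      # name does not resolve from this machine
    family, stype, proto, _, addr = infos[0]
    with socket.socket(family, stype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except socket.timeout:
            return "timeout"      # packets dropped: no route, firewall, private IP
        except ConnectionRefusedError:
            return "refused"      # host reachable, nothing listening on the port
        except OSError as e:
            return "unreachable:" + errno.errorcode.get(e.errno, str(e.errno))
    return "open"                 # TCP works; check the layer above next

if __name__ == "__main__":
    host, port = proxy_endpoint(WORKER_HCL)
    print(host, port, probe(host, port))
```

A "timeout" result from the client machine matches the error in the post: the name resolves (here to 10.0.16.28) but nothing answers on that address and port from where the client sits.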