Does raft require HTTPS?

ftriboix · April 19, 2022, 6:48am

Hello,

I am trying to run a Vault cluster of 5 pods using the official Helm chart. I can provide more details if necessary, but I think at this stage the problem I am experiencing is not Kubernetes-specific.

I don’t want to use TLS, so I disabled/removed all TLS-related configuration options. Looking at the pods’ logs, it seems they can’t manage to talk to each other. All of them report the same messages in their logs:

[INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-2:8200
[WARN]  core: join attempt failed: error="error during raft bootstrap init call: Put \"http://vault-2:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp: lookup vault-2 on 10.96.0.10:53: server misbehaving"

I did some research on this “server misbehaving” error message, but couldn’t find anything on the internet. I suspect that pods expect other pods to talk HTTPS, and aren’t happy when they get a plain HTTP response. Could that be the cause of this “server misbehaving” message?

Thanks for any help! If you require more details (version numbers, configuration, logs, etc.) please ask and I will provide them.

maxb · April 19, 2022, 7:59am

Look more closely at this part of your error message:

The error mentions lookup, an IP address which looks very much like what Kubernetes may have picked for its default in-cluster DNS server, and port 53, the DNS port.

So, the server misbehaving refers to your Kubernetes DNS server, not Vault-to-Vault communication.

ftriboix · April 19, 2022, 8:20am

Hi @maxb ,

Yes, that’s right, thanks for pointing this out! I will have to investigate why the DNS server is “misbehaving”…

Thanks!

aram · April 19, 2022, 9:11am

No RAFT protocol does not require TLS.
I’ll start by saying I’m a kubernetes noob and most likely moving to Nomad for my use cases anyway. That said, sounds like the most likely issue with that message is some garbled data from kubs dns-system. Are you using external-names or service registration? If not you need to statically call out the names of the other nodes in your configuration – most likely is that the names you are using are not getting translated to the right node.

maxb · April 19, 2022, 9:29am

It appears this is the Go DNS client’s rather odd way of expressing “the DNS server sent me an error, but not an error I consider meaningful for this operation”:

github.com

golang/go/blob/a11a885cb567b3797e33733e883c2ba3bdc0e898/src/net/dnsclient_unix.go#L228


      
          
          	if h.RCode != dnsmessage.RCodeSuccess && h.RCode != dnsmessage.RCodeNameError {
          		// None of the error codes make sense
          		// for the query we sent. If we didn't get
          		// a name error and we didn't get success,
          		// the server is behaving incorrectly or
          		// having temporary trouble.
          		if h.RCode == dnsmessage.RCodeServerFailure {
          			return errServerTemporarilyMisbehaving
          		}
          		return errServerMisbehaving
          	}
          
          	return nil
          }
          
          func skipToAnswer(p *dnsmessage.Parser, qtype dnsmessage.Type) error {
          	for {
          		h, err := p.AnswerHeader()
          		if err == dnsmessage.ErrSectionDone {
          			return errNoSuchHost

As a starting point, you might want to exec into a pod within Kubernetes and check whether you’re actually able to resolve “vault-2” there.

Topic		Replies	Views
Vault TLS/ HA raft with gcs bucket issues Vault	0	547	October 6, 2021
HA Vault cluster using Raft integrated storage with TLS enabled Vault k8s , vault	2	798	April 12, 2023
Creating Vault TLS Cluster , operator join issue Vault	1	1694	June 4, 2020
TLS Disabled on Multi-Node Raft Configuration Vault	0	130	January 8, 2024
Standalone Server with TLS with kubernetes 1.19+ Vault	1	884	April 14, 2022

Does raft require HTTPS?

Related topics