Enabling SSL: Unable to connect to vault, "Wrong version number?"

In this example, I’ve used Vault PKI to generate a Root CA and an Intermediary CA. Then a cert signed for Vault itself.

I’ve posted in detail about this here: SSL: Wrong version number? · Issue #191 · ansible-community/ansible-vault · GitHub

Error from an nginx proxy is:

2021/01/10 16:43:57 [error] 51592#51592: *19 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client:, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "", host: "", referrer: ""

Chrome simply states that it is an SSL error.

This is the vault config:

root@vault1:~# cat /etc/vault.d/vault_main.hcl
cluster_name = "dc1"
max_lease_ttl = "768h"
default_lease_ttl = "768h"

disable_clustering = "False"
cluster_addr = ""
api_addr = ""

plugin_directory = "/usr/local/lib/vault/plugins"

listener "tcp" {
  address = ""
  cluster_address = ""
  tls_cert_file = "/etc/vault/tls/vault_cert.pem"
  tls_key_file = "/etc/vault/tls/vault_key.pem"
  tls_min_version  = "tls12"
  tls_prefer_server_cipher_suites = "false"
  tls_disable = "false"

backend "consul" {
  address = ""
  path = "vault"
  service = "vault"
    scheme = "http"

ui = true

For anyone interested in the Nginx SSL config:

  # SSL Settings

  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/certs/dhparam.pem
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # intermediate configuration
  # https://ssl-config.mozilla.org
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_timeout 5m;

Troubleshooting the nginx issue is secondary, at least through chrome, I should be able to connect to vault.

I’ve added the Root CA & Intermediary certs into OSX Keychain. Both were issued by Vault PKI.

Seems this error takes place with the IP is missing in the SAN list.

Please close this thread for now, thanks!