Enabling SSL: Unable to connect to vault, "Wrong version number?"

In this example, I’ve used Vault PKI to generate a Root CA and an Intermediary CA. Then a cert signed for Vault itself.

I’ve posted in detail about this here: SSL: Wrong version number? · Issue #191 · ansible-community/ansible-vault · GitHub

Error from an nginx proxy is:

2021/01/10 16:43:57 [error] 51592#51592: *19 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.1.5, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.0.3.57:8200/favicon.ico", host: "10.0.3.63", referrer: "https://10.0.3.63/"

Chrome simply states that it is an SSL error.

This is the vault config:

root@vault1:~# cat /etc/vault.d/vault_main.hcl
cluster_name = "dc1"
max_lease_ttl = "768h"
default_lease_ttl = "768h"

disable_clustering = "False"
cluster_addr = "https://10.0.3.57:8201"
api_addr = "https://10.0.3.57:8200"

plugin_directory = "/usr/local/lib/vault/plugins"

listener "tcp" {
  address = "10.0.3.57:8200"
  cluster_address = "10.0.3.57:8201"
  tls_cert_file = "/etc/vault/tls/vault_cert.pem"
  tls_key_file = "/etc/vault/tls/vault_key.pem"
  tls_client_ca_file = "/etc/vault/tls/ca_chain.pem"
  tls_min_version  = "tls12"
  tls_prefer_server_cipher_suites = "false"
  tls_disable = "false"
}

backend "consul" {
  address = "10.0.3.58:8500"
  path = "vault"
  service = "vault"
  scheme = "http"
}

ui = true

For anyone interested in the Nginx SSL config:

  ##
  # SSL Settings
  ##

  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/certs/dhparam.pem
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # intermediate configuration
  # https://ssl-config.mozilla.org
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  ssl_session_timeout 5m;

Troubleshooting the nginx issue is secondary; at least through Chrome, I should be able to connect to Vault.

I’ve added the Root CA & Intermediary certs into OSX Keychain. Both were issued by Vault PKI.

Seems this error takes place when the IP is missing from the SAN list.

Please close this thread for now, thanks!
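The closing finding is that the handshake failed while the listener's IP was absent from the certificate's SAN list. Below is an added example (not code from this thread, from Vault or from nginx) of the check a verifying client performs: it takes the dict shape returned by `ssl.SSLSocket.getpeercert()`, matches the connect target against DNS and iPAddress SAN entries only (the subject CN is ignored, as modern browsers and Go's crypto/x509 do), and reports which entry is missing. The two sample cert dicts and the `vault1` / `10.0.3.57` values are constructed to mirror the thread; `fetch_peer_cert` is a helper you can point at a live listener and is not exercised here.

```python
"""Check whether a server certificate's SAN list covers the address a client
connects to. Constructed example; the cert dicts below are not real certs."""
import ipaddress
import socket
import ssl


def san_entries(cert):
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict.
    subjectAltName is a tuple of (type, value) pairs, e.g. ("IP Address", "10.0.3.57")."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def _dns_matches(pattern, hostname):
    """RFC 6125 style matching: a single leading '*.' covers exactly one label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def target_covered(cert, target):
    """True if `target` (DNS name or IP literal) is covered by the cert's SAN.

    An IP literal must appear as an iPAddress entry; a DNS entry whose text
    happens to be "10.0.3.57" does not count, and the CN is never consulted.
    """
    dns, ips = san_entries(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_dns_matches(p, target) for p in dns)
    return ip in ips


def diagnose(cert, target):
    """Human-readable verdict for a cert/target pair."""
    if target_covered(cert, target):
        return f"OK: {target} is covered by the SAN list"
    dns, ips = san_entries(cert)
    return (f"MISMATCH: {target} not in SAN "
            f"(DNS={dns}, IP={[str(i) for i in ips]}); reissue the cert with it")


def fetch_peer_cert(host, port, cafile, timeout=5.0):
    """Connect with verification against `cafile` and return the peer cert dict.

    Raises ssl.SSLError on handshake failure; with a verified context the
    returned dict carries subjectAltName, so it can be fed to diagnose().
    Needs a live listener, so it is not called by the sample run below.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certs using the thread's hostname and listener IP.
CERT_WITHOUT_IP_SAN = {
    "subject": ((("commonName", "vault1"),),),
    "subjectAltName": (("DNS", "vault1"), ("DNS", "vault1.dc1.local")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "vault1"),),),
    "subjectAltName": (
        ("DNS", "vault1"),
        ("DNS", "vault1.dc1.local"),
        ("IP Address", "10.0.3.57"),
    ),
}


if __name__ == "__main__":
    for cert in (CERT_WITHOUT_IP_SAN, CERT_WITH_IP_SAN):
        print(diagnose(cert, "10.0.3.57"))
```

Running the script prints a MISMATCH line for the first cert and an OK line for the second; against a real listener, `diagnose(fetch_peer_cert("10.0.3.57", 8200, "/etc/vault/tls/ca_chain.pem"), "10.0.3.57")` gives the same verdict for the deployed certificate.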