Error tls handshaking connection on client: remote error: tls: internal error

Hello,
I’m struggling trying to get a new self-managed HCP Boundary Worker up and running.

I looked at "TLS Handshake Error and Worker Type Change After Upgrading to Version 0.14.3" but it doesn’t seem to address my use-case.

I have an HCP Boundary cluster that I can access from my home network without any issues. I’ve created a Boundary Worker as an Oracle Linux 9 VM, using the boundary-enterprise installation binary. I’ve confirmed both my HCP Cluster and the worker are on version 0.17.1-ent+.

My worker config reads:

```hcl
###########################################################################
#  HCP Boundary HomeLab Self-Managed Worker Config
###########################################################################
disable_mlock = true
hcp_boundary_cluster_id = "CLUSTER_ID"

#######################################################
# HTTPS Listener
#######################################################
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

# Worker Block to Configure the Worker
worker {
  public_addr = "10.110.42.85"
  auth_storage_path = "/var/lib/boundary/worker"
  controller_generated_activation_token = "CONTROLLER_TOKEN"
  tags {
    type = ["asan","worker"]
    name = ["asan-worker"]
  }
}
# Events (logging) configuration. This
# configures logging for ALL events to both
# stderr and a file at /var/log/boundary/<boundary_use>.log
events {
  audit_enabled        = true
  sysevents_enabled    = true
  observations_enabled = true
  sink "stderr" {
    name = "all-events"
    description = "All events sent to stderr"
    event_types = ["*"]
    format = "cloudevents-json"
  }
  sink {
    name = "file-sink"
    description = "All events sent to a file"
    event_types = ["*"]
    format = "cloudevents-json"
    file {
      path = "/var/log/boundary"
      file_name = "ingress-worker.log"
    }
    audit_config {
      audit_filter_overrides {
        sensitive = "redact"
        secret    = "redact"
      }
    }
  }
}
```

Boundary starts, but my logs read:

```
Sep 17 17:46:51 asan-worker boundary[1395]: ==> Boundary server configuration:
Sep 17 17:46:51 asan-worker boundary[1395]:                        Cgo: disabled
Sep 17 17:46:51 asan-worker boundary[1395]:                 Listener 1: tcp (addr: "0.0.0.0:9202", max_request_duration: "1m30s", purpose: "proxy")
Sep 17 17:46:51 asan-worker boundary[1395]:                  Log Level: info
Sep 17 17:46:51 asan-worker boundary[1395]:                      Mlock: supported: true, enabled: false
Sep 17 17:46:51 asan-worker boundary[1395]:                    Version: Boundary v0.17.1+ent
Sep 17 17:46:51 asan-worker boundary[1395]:                Version Sha: 3325f6b608c8a3f62437cc7aa219aca9edeb649c
Sep 17 17:46:51 asan-worker boundary[1395]:   Worker Auth Storage Path: /var/lib/boundary/worker
Sep 17 17:46:51 asan-worker boundary[1395]:   Worker Public Proxy Addr: 10.110.42.85:9202
Sep 17 17:46:51 asan-worker boundary[1395]: ==> Boundary server started! Log data will stream in below:
Sep 17 17:46:51 asan-worker boundary[1395]: {"id":"EttfxCxuSq","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).StartControl>
Sep 17 17:46:51 asan-worker boundary[1395]: {"id":"cJGuIvWkNk","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).startAuthRot>
Sep 17 17:46:52 asan-worker boundary[1395]: {"id":"ArXEAtYngA","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.attemptFetch) erro>
Sep 17 17:46:52 asan-worker boundary[1395]: {"id":"KOipcMcLR9","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown>
Sep 17 17:46:53 asan-worker boundary[1395]: {"id":"uXHngmeiyF","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.attemptFetch) erro>
Sep 17 17:46:53 asan-worker boundary[1395]: {"id":"tgit1vPKXy","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"error","data":{"error":"worker.(Worker).upstreamDialerFunc: unknown>
Sep 17 17:46:55 asan-worker boundary[1395]: {"id":"PzzkvEZ2Tv","source":"https://hashicorp.com/boundary/asan-worker/worker","specversion":"1.0","type":"error","data":{"error":"(nodeenrollment.protocol.attemptFetch) erro>
```

I’ve made sure my firewall has port 9202 open to HCP Cloud. I’m able to curl the HCP Boundary URL as well and get a successful response.

Any ideas?