Receiving EOF error when trying to connect to AWS Boundary instance

I built the Boundary reference architecture in AWS with no problems. However, when I tried to adapt it to my own architecture and bake it into an AMI, I started getting this weird problem. I have one controller running successfully with Boundary 0.7.4. The database has been initialized, but there are no orgs, scopes, auth-methods, or anything like that created yet.

Whenever I run a command I get this error message:

% boundary scopes list
No saved credential found, continuing without
Error trying to list scopes: error performing client request during List call: Get "http://<REDACTED>:9200/v1/scopes?scope_id=global": EOF

In this case I know I’m not authenticated, but I can run this command against my reference architecture without authenticating as well. I get the same error message when I try to use the recovery key as well, and if I try to use the recovery key to create a scope.

I’ve checked the journal logs on the Boundary server and don’t see anything. Is there some way I can turn on more in-depth debugging for the server? Are there any client logs I can use?

Does anyone have any idea on where to go from here?

I did some more digging. If I use the -output-curl-string option, run it using curl, and skip the Boundary client altogether, I get this error message:

curl: (52) Empty reply from server

When I look in Wireshark I see the client send out the HTTP GET followed by an ACK from the server, but the server responds immediately with a FIN ACK and terminates the connection without sending any HTTP response back. So the problem is definitely on the server side.

I also upgraded both the server and the client to 0.7.5 and had the same problem.

I’m running a macOS client and an Ubuntu 20.04.3 server.

Half the problem was caused by trying to connect to a TLS-enabled endpoint on the controller over HTTP. It worked successfully if I turned off TLS or connected to my controller directly via HTTPS with the -tls-insecure option because I have a self-signed cert.

That would do it :smiley:

What was the other half?
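
Added example, not part of the thread and not Boundary's own code: a small probe that tells whether a listener such as the controller's port 9200 expects TLS or plaintext HTTP, which is the mismatch that produced the EOF / "Empty reply from server" symptom above. The function names `probe_listener` and `controller_url` are hypothetical; certificate verification is switched off inside the probe only, so that a self-signed certificate still classifies as TLS.

```python
import socket
import ssl


def probe_listener(host, port, timeout=3.0):
    """Classify a TCP listener as 'tls', 'plaintext-http' or 'no-response'."""
    # Step 1: attempt a TLS handshake. Verification is disabled for this
    # probe only; it answers "does the port speak TLS?", not "is it trusted?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:
        # ssl.SSLError, timeouts and resets are all OSError subclasses.
        pass

    # Step 2: send a plaintext HTTP request on a fresh connection and look
    # for an HTTP status line. A close with no bytes is the EOF symptom.
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            first = raw.recv(16)
    except OSError:
        return "no-response"
    return "plaintext-http" if first.startswith(b"HTTP/") else "no-response"


def controller_url(host, port, timeout=3.0):
    """Return the URL scheme that matches the listener, or None if unknown."""
    kind = probe_listener(host, port, timeout)
    if kind == "tls":
        return f"https://{host}:{port}"
    if kind == "plaintext-http":
        return f"http://{host}:{port}"
    return None


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>
    print(probe_listener(sys.argv[1], int(sys.argv[2])))
```

A result of `tls` against an address the client reaches with `http://` matches the failure described in this thread; `no-response` means the port closed or stayed silent under both protocols.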