After recently upgrading my Boundary cluster to 0.7.x, I began seeing this error on some connection attempts.
iac/dev » boundary connect ssh -target-scope-name testbuild1 -target-name test-node
Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://54.x.x.103:9202/v1/proxy": remote error: tls: bad certificate
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 46813
error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://54.x.x.103:9202/v1/proxy": remote error: tls: bad certificate
From my understanding, the handshake between worker and controller should generate a new, valid TLS certificate that the client then validates against the worker’s public_addr settings as the SNI. Nothing in my configuration has changed other than the version upgrade; the database migration ran without any errors, and other worker nodes are still allowing connections via their proxy endpoints without encountering this bad certificate error.
All workers use this configuration (except the worker name and IP which change):
worker {
  name = "boundary worker 01"
  description = "boundary worker"
  controllers = [
    "10.1.20.137"
  ]
  public_addr = "54.x.x.103"
}

listener "tcp" {
  address = "10.1.0.104"
  purpose = "proxy"
  tls_disable = "true"
}

kms "transit" {
  purpose = "worker-auth"
  address = "https://redacted"
  token = "REDACTED"
  disable_renewal = "false"
  // Key configuration
  key_name = "worker-auth"
  mount_path = "transit/"
  // TLS Configuration
  tls_skip_verify = "false"
}
ubuntu@ip-10-1-0-104:~$
and controller config:
controller {
  name = "boundary controller"
  description = "boundary controller"
  database {
    url = "postgresql://redacted@localhost:5432/boundary"
  }
}

listener "tcp" {
  # Should be the address of the NIC that the controller server will be reached on
  address = "10.1.20.137"
  # The purpose of this listener block
  purpose = "api"
  tls_disable = "true"
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "10.1.20.137"
  # The purpose of this listener
  purpose = "cluster"
  tls_disable = "true"
}

kms "transit" {
  purpose = "root"
  address = "https://redacted"
  token = "REDACTED "
  disable_renewal = "false"
  // Key configuration
  key_name = "root"
  mount_path = "transit/"
  // TLS Configuration
  tls_skip_verify = "false"
}

kms "transit" {
  purpose = "worker-auth"
  address = "https://redacted"
  token = "REDACTED "
  disable_renewal = "false"
  // Key configuration
  key_name = "worker-auth"
  mount_path = "transit/"
  // TLS Configuration
  tls_skip_verify = "false"
}