TLS handshake error

stevehorn-wt · October 17, 2020, 7:57pm

Using the below config on 3 Vault Raft cluster servers:

  storage "raft" {
    path    = "C:\\raft"
    node_id = "vault_1"
  }
  listener "tcp" {
    address = "0.0.0.0:8200"
    tls_cert_file="C:\\Vault\\cert.pem"
    tls_key_file="C:\\Vault\\key.pem"
  }
  api_addr = "https://172.24.32.184:8200"
  disable_mlock = true
  cluster_addr = "https://172.24.32.184:8201"
  ui = true

I am able to connect successfully via SSL (curl), but after the server starts up, I get a stream of logs (every second or so) that look like this:

2020-10-17T14:44:00.826-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26080: EOF
2020-10-17T14:44:04.563-0500 [INFO]  http: TLS handshake error from 172.24.32.2:30899: EOF
2020-10-17T14:44:05.822-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26091: EOF
2020-10-17T14:44:09.519-0500 [INFO]  http: TLS handshake error from 172.24.32.2:30919: EOF
2020-10-17T14:44:10.783-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26101: EOF
2020-10-17T14:44:14.494-0500 [INFO]  http: TLS handshake error from 172.24.32.2:30950: EOF
2020-10-17T14:44:15.858-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26110: EOF
2020-10-17T14:44:19.567-0500 [INFO]  http: TLS handshake error from 172.24.32.2:30980: EOF
2020-10-17T14:44:20.815-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26122: EOF
2020-10-17T14:44:24.529-0500 [INFO]  http: TLS handshake error from 172.24.32.2:31024: EOF
2020-10-17T14:44:25.890-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26134: EOF
2020-10-17T14:44:29.500-0500 [INFO]  http: TLS handshake error from 172.24.32.2:31046: EOF
2020-10-17T14:44:30.842-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26144: EOF
2020-10-17T14:44:34.562-0500 [INFO]  http: TLS handshake error from 172.24.32.2:31111: EOF
2020-10-17T14:44:35.830-0500 [INFO]  http: TLS handshake error from 172.24.32.3:26155: EOF

Can anyone help me with what these errors mean, and how I can correct my configuration to eliminate them?

Wolfsrudel · October 17, 2020, 8:05pm

I would suggest setting the address in your listener configuration to the hostname (or ip) the certificate is issued for. Listening on all interfaces could lead to an tls error.

stevehorn-wt · October 20, 2020, 11:19pm

Thanks for the suggestion. When I set listener to the hostname, vault cannot start up and it reports:

c:\Vault>vault.exe server -config vault.hcl -log-level=trace
Error initializing listener of type tcp: listen tcp xxx.xxx.xxx.xxx:8200: bind: The requested address is not valid in its context.

If it matters, I provided the host name as a domain name which is associated to the SSL certificate I am providing to vault. The endpoint is also a load balanced endpoint.

Do I need to set another/different parameter in the listener "tcp" stanza to make this work?

Thanks!

jeroenjacobs79 · October 27, 2020, 12:40pm

I think it’s a different issue actually.

Your config seems correct, but I get the impression something is trying to connect to Vault using a non-TLS connection (regular http, or something totally different even).

martinhristov90 · October 27, 2020, 2:38pm

Hello,

What device does this IP 172.24.32.3 belong to?

stevehorn-wt · October 27, 2020, 5:40pm

That’s a good question and one that eventually led me to the solution. That IP address is of the load balancer. The environment I’m working in is a managed environment by another team (so I didn’t have visibility into it). The load balancer was configured to check the /v1/sys/health endpoint via HTTP, so it was leading to the TLS Handshake error.

Changing the load balancer to use HTTPS corrected the issue in the log.