TLS handshake error

Hi all

My 5 cents: I see this pattern when it comes to TLS and having Vault behind a load balancer (ALB/NLB for AWS) or a K8s LB. The behaviour may be similar for Azure and GCP.

  • If you configure Vault with TLS (desired for security) and you have an LB in front, Vault expects both your traffic and the LB health check to use TLS. The TLS handshake error message makes sense when your LB tries to do the health check with no TLS configuration.
  • Vault has a good API endpoint for health checks (/sys/v1/health); it can listen on HTTP, which is fine for a single node, but if your Vault server goes into standby (because of a cluster/HA configuration), then the “/sys/v1/health” response will go dormant and your LB health check fails.

I managed to fix this by configuring my Vault cluster with two listeners, like below:

# TCP Listener main traffic
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/MYPATH/server.crt"
  tls_key_file  = "/MYPATH/server.key"
  tls_disable   = "false"
}

# TCP Listener for NLB healthcheck
listener "tcp" {
  address     = "0.0.0.0:8202"
  tls_disable = "true"
}

As you can see above, the first listener is TLS and expects the data traffic from the application (via the LB) to arrive on port 8200; the second listener is non-TLS and will be used by my LB health check to ping the Vault node on port 8202.

Of course, make sure ports 8202/8203 are exposed only on the LB.

Feel free to use your own ports as you wish

Hope that helps
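An added example (not part of the original post, nor Vault's own tooling): a small Python check that parses a two-listener config like the one above and reports every listener with TLS disabled, marking whether it binds to all interfaces, which is exactly the case where the "expose the health-check port to the LB only" caveat matters. It assumes flat `listener "tcp"` blocks with simple `key = value` lines; the config text is a constructed sample mirroring the post.

```python
import re

# Constructed sample: the two-listener layout from the post above,
# not taken from any real deployment.
SAMPLE_CONFIG = """
# TCP Listener main traffic
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/MYPATH/server.crt"
  tls_key_file  = "/MYPATH/server.key"
  tls_disable   = "false"
}

# TCP Listener for NLB healthcheck
listener "tcp" {
  address     = "0.0.0.0:8202"
  tls_disable = "true"
}
"""

# Assumption: listener blocks are flat (no nested blocks inside them).
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
# Accepts both quoted ("true") and bare (true) values.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?', re.M)

def parse_listeners(hcl):
    """Return one dict of key/value settings per tcp listener block."""
    return [dict(KV_RE.findall(body)) for body in LISTENER_RE.findall(hcl)]

def plaintext_listeners(hcl):
    """Return the listeners that serve plaintext, noting whether they bind
    to every interface (a wildcard bind means anyone who can reach the
    host, not just the load balancer, can talk to that port)."""
    findings = []
    for lst in parse_listeners(hcl):
        if lst.get("tls_disable", "false").lower() not in ("true", "1"):
            continue  # TLS is on (Vault's default), nothing to report
        address = lst.get("address", "")
        host, _, port = address.rpartition(":")
        findings.append({
            "address": address,
            "port": port,
            "wildcard_bind": host in ("0.0.0.0", "[::]", ""),
        })
    return findings

if __name__ == "__main__":
    for f in plaintext_listeners(SAMPLE_CONFIG):
        where = "all interfaces" if f["wildcard_bind"] else f["address"]
        print(f"plaintext listener on port {f['port']} bound to {where}: "
              "restrict reachability to the load balancer only")
```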