MarkH

Reputation: 702

etcdctl with TLS fails, curl succeeds

I have a single etcd server running in a docker container implementing an etcd cluster of size one. It's initialized via the discovery service. All is well when I use unsecured connections. However, when I switch to TLS secured communications as described here etcdctl fails to work. However, cli curl commands work fine.

Here's an example accessing etcd via etcdctl from a container using TLS with self-signed certificates. Using the openssl client I can verify my TLS comms...

# openssl s_client -connect 172.17.42.1:2379 -cert /etc/ssl/infra/cert.pem -key /etc/ssl/infra/key.pem -CAfile /etc/ssl/infra/ca.pem -tls1

CONNECTED(00000003)
depth=1 C = GB, O = acme.net, OU = Some Services, L = London, ST = England, CN = Ecme CA
verify return:1
depth=0 O = autogenerated, OU = etcd cluster, L = the internet, CN = etcd
verify return:1
---
 Certificate chain
 0 s:/O=autogenerated/OU=etcd cluster/L=the internet/CN=etcd
   i:/C=GB/O=acme.net/OU=Some Services/L=London/ST=England/CN=Acme CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlzCCAoGgAwIBAgIIYf3y1uiPRu8wCwYJKoZIhvcNAQELMH0xCzAJBgNVBAYT
AkdCMRUwEwYDVQQKEwxVbmJsb2Nrci5uZXQxHjAcBgNVBAsTFUdlbyBMb2NhdGlv
....

but trying to use etcdctl to do a member list

root@2aff45e6c288:/# etcdctl --debug -C https://172.17.42.1:2379 --ca-file /etc/ssl/infra/ca.pem --cert-file /etc/ssl/infra/cert.pem --key-file /etc/ssl/infra/key.pem member list
start to sync cluster using endpoints(https://172.17.42.1:2379)
cURL Command: curl -X GET https://172.17.42.1:2379/v2/members
got endpoints(https://1.2.3.4:2379) after sync
Cluster-Endpoints: https://1.2.3.4:2379
cURL Command: curl -X GET https://1.2.3.4:2379/v2/members
client: etcd cluster is unavailable or misconfigured

so something is borked (although it seems to have talked to the etcd cluster and found the member (just one))

A simple curl command works as I expect

root@2aff45e6c288:/# curl --cacert /etc/ssl/infra/ca.pem --cert /etc/ssl/infra/cert.pem --key /etc/ssl/infra/key.pem -X GET https://172.17.42.1:2379/v2/members
{"members":[{"id":"2b3b4588bc2bae1e","name":"default","peerURLs":["http://1.2.3.4:2380"],"clientURLs":["https://1.2.3.4:2379"]}]}

I'm at a loss as to what to do next. etcd and etcdctl are both v 2.0.9

Upvotes: 1

Views: 2595

Answers (1)

MarkH

Reputation: 702

I resolved this myself - my TLS certs were incorrect. What was confusing me was that etcdctl makes two requests to the cluster, whereas curl makes just one. Etcdctl queries the cluster members using the address supplied as -C to discover advertised endpoints, then makes a second request against one of the returned addresses for the requested data. Curl just queries the address given for the data (fairly obviously). My certificate was invalid for the advertised endpoint (i.e. 1.2.3.4 used above). Using curl to verify an etcd cluster is therefore not very reliable.

Upvotes: 1
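The two-step behaviour described in the answer can be checked before pointing etcdctl at a cluster. The following Python script is an added example, not code from the question or from the etcd project: it takes the /v2/members body quoted in the question and a constructed list of the server certificate's subjectAltName entries (read the real ones with openssl x509 -noout -text), and lists every advertised client host that the certificate does not cover, which is exactly where etcdctl's second request fails while curl against the -C address succeeds.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the /v2/members body quoted in the question.
MEMBERS_JSON = ('{"members":[{"id":"2b3b4588bc2bae1e","name":"default",'
                '"peerURLs":["http://1.2.3.4:2380"],'
                '"clientURLs":["https://1.2.3.4:2379"]}]}')

# Constructed assumption: the server cert was issued only for the address
# passed to -C (and a DNS name), not for the advertised client URL.
SERVER_CERT_SANS = ["IP:172.17.42.1", "DNS:etcd"]


def advertised_client_hosts(members_body):
    """Hosts etcdctl contacts after syncing, as reported by the members API."""
    hosts = []
    for member in json.loads(members_body)["members"]:
        for url in member.get("clientURLs", []):
            parts = urlsplit(url)
            if parts.scheme == "https" and parts.hostname:
                hosts.append(parts.hostname)
    return hosts


def san_matches(san, host):
    """Hostname-verification rule for one SAN entry ("IP:..." or "DNS:...").
    IP literals only match IP SANs; DNS SANs allow a single-label wildcard."""
    kind, _, value = san.partition(":")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if kind == "IP":
        return addr is not None and ipaddress.ip_address(value) == addr
    if kind == "DNS" and addr is None:
        if value.startswith("*."):
            labels = host.lower().split(".", 1)
            return len(labels) == 2 and labels[1] == value[2:].lower()
        return host.lower() == value.lower()
    return False


def uncovered_hosts(members_body, sans):
    """Advertised client hosts that no SAN in the server cert covers."""
    return [h for h in advertised_client_hosts(members_body)
            if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for host in uncovered_hosts(MEMBERS_JSON, SERVER_CERT_SANS):
        print("server cert does not cover advertised endpoint:", host)
```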
