Changing the cluster to HTTPS does not work

Stefan Harbich

Feb 1, 2026, 3:44:58 PM
to etcd-dev
Hello,
my cluster is running in HTTP mode without any error messages.
...
root@pveme01:/etc/default# # Health check
etcdctl endpoint health

# List cluster members
etcdctl member list

# Detailed status
etcdctl endpoint status --write-out=table
127.0.0.1:2379 is healthy: successfully committed proposal: took = 1.697377ms
1a73e33e519f66c3, started, sme03.intern.example.com, http://192.168.20.170:2380, http://sme03.intern.example.com:2379, false
42e3e5160eb1a1c6, started, sme02.intern.example.com, http://192.168.20.110:2380, http://sme02.intern.example.com:2379, false
98dbc7dab8368fbb, started, sme01.intern.example.com, http://192.168.20.70:2380, http://sme01.intern.example.com:2379, false
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|    ENDPOINT    |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| 127.0.0.1:2379 | 98dbc7dab8368fbb |  3.5.16 |  143 kB |      true |      false |       371 |        463 |                463 |        |
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
...
If I switch the URL to HTTPS with the certificates, the cluster doesn't run correctly.
...
root@pveme01:/etc/default# # Health check
etcdctl endpoint health

# List cluster members
etcdctl member list

# Detailed status
etcdctl endpoint status --write-out=table
127.0.0.1:2379 is healthy: successfully committed proposal: took = 2.058356ms
8e9e05c52164694d, started, pveme01, http://localhost:2380, http://localhost:2379, false
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|    ENDPOINT    |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| 127.0.0.1:2379 | 8e9e05c52164694d |  3.5.16 |   20 kB |      true |      false |        21 |         58 |                 58 |        |
+----------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
...
I have a self-signed CA. I tried creating the certificates using several variations of the "Subject Alternative Names". Without success. Some certificates are attached.
Here are my etcd configurations:
...
ETCD_NAME: sme01
ETCD_DATA_DIR: /var/lib/etcd
## ETCDCTL_API: 3
ETCD_DEBUG: 1
ETCD_INITIAL_CLUSTER_STATE: new
# Cluster configuration
ETCD_INITIAL_CLUSTER: sme01=https://sme01.intern.example.com:2380,sme02=https://sme02.intern.example.com:2380,sme03=https://sme03.intern.example.com:2380
## ETCD_INITIAL_CLUSTER: sme01=http://sme01.intern.example.com:2380,sme02=http://sme02.intern.example.com:2380,sme03=http://sme03.intern.example.com:2380
ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster
# Listen addresses (0.0.0.0 to accept connections from all interfaces)
ETCD_LISTEN_PEER_URLS: https://0.0.0.0:2380
## ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
ETCD_LISTEN_CLIENT_URLS: https://0.0.0.0:2379
## ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
# Advertise URLs
ETCD_INITIAL_ADVERTISE_PEER_URLS: https://sme01.intern.example.com:2380
## ETCD_INITIAL_ADVERTISE_PEER_URLS: http://sme01.intern.example.com:2380
ETCD_ADVERTISE_CLIENT_URLS: http://sme01.intern.example.com:2379
ETCD_CERT_FILE: /etc/ssl/etcd/etcd.intern.example.com.crt
ETCD_KEY_FILE: /etc/ssl/etcd/etcd.intern.example.com.key
ETCD_PEER_TRUSTED_CA_FILE: /etc/ssl/etcd/HarbichCA.crt
ETCD_PEER_CERT_FILE: /etc/ssl/etcd/sme01.intern.example.com.crt
ETCD_PEER_KEY_FILE: /etc/ssl/etcd/sme01.intern.example.com.key
ETCD_PEER_CLIENT_CERT_AUTH: 1
----------
ETCD_NAME: sme02
ETCD_DATA_DIR: /var/lib/etcd
## ETCDCTL_API: 3
ETCD_DEBUG: 1
ETCD_INITIAL_CLUSTER_STATE: new
# Cluster configuration
ETCD_INITIAL_CLUSTER: sme01=https://sme01.intern.example.com:2380,sme02=https://sme02.intern.example.com:2380,sme03=https://sme03.intern.example.com:2380
## ETCD_INITIAL_CLUSTER: sme01=http://sme01.intern.example.com:2380,sme02=http://sme02.intern.example.com:2380,sme03=http://sme03.intern.example.com:2380
ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster
# Listen addresses (0.0.0.0 to accept connections from all interfaces)
ETCD_LISTEN_PEER_URLS: https://0.0.0.0:2380
## ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
ETCD_LISTEN_CLIENT_URLS: https://0.0.0.0:2379
## ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
# Advertise URLs
ETCD_INITIAL_ADVERTISE_PEER_URLS: https://sme02.intern.example.com:2380
## ETCD_INITIAL_ADVERTISE_PEER_URLS: http://sme02.intern.example.com:2380
ETCD_ADVERTISE_CLIENT_URLS: http://sme02.intern.example.com:2379
ETCD_CERT_FILE: /etc/ssl/etcd/etcd.intern.example.com.crt
ETCD_KEY_FILE: /etc/ssl/etcd/etcd.intern.example.com.key
ETCD_PEER_TRUSTED_CA_FILE: /etc/ssl/etcd/HarbichCA.crt
ETCD_PEER_CERT_FILE: /etc/ssl/etcd/sme02.intern.example.com.crt
ETCD_PEER_KEY_FILE: /etc/ssl/etcd/sme02.intern.example.com.key
ETCD_PEER_CLIENT_CERT_AUTH: 1
# Tuning
ETCD_HEARTBEAT_INTERVAL="250"
ETCD_ELECTION_TIMEOUT="2500"
----------
ETCD_NAME: sme03
ETCD_DATA_DIR: /var/lib/etcd
## ETCDCTL_API: 3
ETCD_DEBUG: 1
ETCD_INITIAL_CLUSTER_STATE: new
# Cluster configuration
ETCD_INITIAL_CLUSTER: sme01=https://sme01.intern.example.com:2380,sme02=https://sme02.intern.example.com:2380,sme03=https://sme03.intern.example.com:2380
## ETCD_INITIAL_CLUSTER: sme01=http://sme01.intern.example.com:2380,sme02=http://sme02.intern.example.com:2380,sme03=http://sme03.intern.example.com:2380
ETCD_INITIAL_CLUSTER_TOKEN: etcd-cluster
# Listen addresses (0.0.0.0 to accept connections from all interfaces)
ETCD_LISTEN_PEER_URLS: https://0.0.0.0:2380
## ETCD_LISTEN_PEER_URLS: http://0.0.0.0:2380
ETCD_LISTEN_CLIENT_URLS: https://0.0.0.0:2379
## ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
# Advertise URLs
ETCD_INITIAL_ADVERTISE_PEER_URLS: https://sme03.intern.example.com:2380
## ETCD_INITIAL_ADVERTISE_PEER_URLS: http://sme03.intern.example.com:2380
ETCD_ADVERTISE_CLIENT_URLS: http://sme03.intern.example.com:2379
ETCD_CERT_FILE: /etc/ssl/etcd/etcd.intern.example.com.crt
ETCD_KEY_FILE: /etc/ssl/etcd/etcd.intern.example.com.key
ETCD_PEER_TRUSTED_CA_FILE: /etc/ssl/etcd/HarbichCA.crt
ETCD_PEER_CERT_FILE: /etc/ssl/etcd/sme03.intern.example.com.crt
ETCD_PEER_KEY_FILE: /etc/ssl/etcd/sme03.intern.example.com.key
ETCD_PEER_CLIENT_CERT_AUTH: 1
# Tuning
ETCD_HEARTBEAT_INTERVAL="250"
ETCD_ELECTION_TIMEOUT="2500"
...
What am I doing wrong?
Regards, Stefan Harbich
2026_02_01_sme03.png
2026_02_01_sme01.png
2026_02_01_sme02.png
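A consistency check a practitioner would run over a configuration like the one posted, before touching certificates: do the listen and advertise URLs agree on the scheme, does every https listener have a certificate and key, does every "require client certs" switch have a CA to verify against, and does the server certificate's SAN list cover every host a TLS client will actually dial. This is an added example, not code from the etcd project or from the original post. The config text is constructed to mirror the sme01 block above; the SAN dump is a hypothetical `openssl x509 -noout -ext subjectAltName` output, since the post does not show the certificates. The peer IP 192.168.20.70 is taken from the posted member list; etcd, with peer client-cert auth on, verifies the peer certificate's IP SANs against the address the peer connects from, so the node IP and not only its DNS name belongs in the peer cert's SANs.

```python
"""Consistency checks for an etcd TLS configuration (added example, not etcd code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed to mirror the sme01 block in the post ("KEY: value" and KEY="value" forms).
SAMPLE_CONFIG = """\
ETCD_NAME: sme01
ETCD_LISTEN_PEER_URLS: https://0.0.0.0:2380
ETCD_LISTEN_CLIENT_URLS: https://0.0.0.0:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS: https://sme01.intern.example.com:2380
ETCD_ADVERTISE_CLIENT_URLS: http://sme01.intern.example.com:2379
ETCD_CERT_FILE: /etc/ssl/etcd/etcd.intern.example.com.crt
ETCD_KEY_FILE: /etc/ssl/etcd/etcd.intern.example.com.key
ETCD_PEER_TRUSTED_CA_FILE: /etc/ssl/etcd/HarbichCA.crt
ETCD_PEER_CERT_FILE: /etc/ssl/etcd/sme01.intern.example.com.crt
ETCD_PEER_KEY_FILE: /etc/ssl/etcd/sme01.intern.example.com.key
ETCD_PEER_CLIENT_CERT_AUTH: 1
ETCD_HEARTBEAT_INTERVAL="250"
"""

# Constructed: hypothetical `openssl x509 -in cert.crt -noout -ext subjectAltName` output.
SAMPLE_SAN_DUMP = """\
X509v3 Subject Alternative Name: 
    DNS:sme01.intern.example.com, DNS:etcd.intern.example.com, IP Address:192.168.20.70
"""

TRUE_VALUES = {"1", "true", "yes"}


def parse_config(text):
    """Parse ETCD_* settings; accepts both 'KEY: value' and KEY="value" lines, skips comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z][A-Z0-9_]*)\s*[:=]\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip().strip("\"'")
    return cfg


def parse_sans(dump):
    """Extract DNS and IP SANs from openssl's subjectAltName text output."""
    dns, ips = set(), set()
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", dump):
        if kind == "DNS":
            dns.add(value.lower())
        else:
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def split_urls(value):
    return [urlsplit(u.strip()) for u in value.split(",") if u.strip()]


def check_config(cfg):
    """Return a list of human-readable findings; empty means the TLS settings are self-consistent."""
    findings = []
    # 1. Listen and advertise URLs must use the same scheme, or clients are told the wrong one.
    for listen_key, adv_key, role in (
        ("ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS", "client"),
        ("ETCD_LISTEN_PEER_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS", "peer"),
    ):
        listen = {u.scheme for u in split_urls(cfg.get(listen_key, ""))}
        adv = {u.scheme for u in split_urls(cfg.get(adv_key, ""))}
        if listen and adv and listen != adv:
            findings.append(f"{role}: {listen_key} uses {sorted(listen)} but {adv_key} uses {sorted(adv)}")
    # 2. An https listener has nothing to serve without a certificate and key.
    for listen_key, cert_key, key_key, role in (
        ("ETCD_LISTEN_CLIENT_URLS", "ETCD_CERT_FILE", "ETCD_KEY_FILE", "client"),
        ("ETCD_LISTEN_PEER_URLS", "ETCD_PEER_CERT_FILE", "ETCD_PEER_KEY_FILE", "peer"),
    ):
        if any(u.scheme == "https" for u in split_urls(cfg.get(listen_key, ""))):
            for k in (cert_key, key_key):
                if not cfg.get(k):
                    findings.append(f"{role}: https listener but {k} is unset")
    # 3. Requiring client certificates needs a CA to verify them against.
    for auth_key, ca_key, role in (
        ("ETCD_CLIENT_CERT_AUTH", "ETCD_TRUSTED_CA_FILE", "client"),
        ("ETCD_PEER_CLIENT_CERT_AUTH", "ETCD_PEER_TRUSTED_CA_FILE", "peer"),
    ):
        if cfg.get(auth_key, "").lower() in TRUE_VALUES and not cfg.get(ca_key):
            findings.append(f"{role}: {auth_key} set but {ca_key} is unset")
    return findings


def client_hosts(cfg, endpoints=()):
    """Hosts a verifying TLS client will dial: advertised client URLs plus explicit etcdctl endpoints."""
    hosts = [u.hostname for u in split_urls(cfg.get("ETCD_ADVERTISE_CLIENT_URLS", ""))]
    hosts += [urlsplit("//" + e).hostname for e in endpoints]
    return hosts


def check_san_coverage(hosts, dns, ips):
    """Return the hosts (DNS names or IP literals) that the certificate's SANs do not cover."""
    missing = []
    for h in hosts:
        try:
            covered = ipaddress.ip_address(h) in ips   # IP literal: needs an IP SAN
        except ValueError:
            covered = h.lower() in dns                 # name: needs a DNS SAN
        if not covered:
            missing.append(h)
    return missing


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    dns, ips = parse_sans(SAMPLE_SAN_DUMP)
    for f in check_config(cfg):
        print("config:", f)
    # etcdctl in the post dials 127.0.0.1:2379, so that literal must be a SAN too.
    for h in check_san_coverage(client_hosts(cfg, ["127.0.0.1:2379"]), dns, ips):
        print("server cert SAN missing:", h)
    # Peer cert: etcd checks IP SANs against the connecting peer's address.
    for h in check_san_coverage(["192.168.20.70"], dns, ips):
        print("peer cert SAN missing:", h)
```

Run against the sample it reports the client-URL scheme mismatch and that 127.0.0.1 is not in the SAN list; everything else passes. Once the listeners are https, `etcdctl` also has to be told so (`--endpoints=https://...` with `--cacert`, plus `--cert`/`--key` if client-cert auth is on), and whichever host it dials, name or IP, must be one of the certificate's SANs.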

Stefan Harbich

Feb 3, 2026, 1:59:27 PM
to etcd-dev
Hello, I was able to solve the problem. Thank you very much for your support.