TLS handshake error from 127.0.0.1:56958: tls: first record does not look like a TLS handshake


Andy Lee

Jul 14, 2015, 7:37:14 PM
to vault...@googlegroups.com
Hi there,

I'm having some trouble calling the HTTP API and was wondering what the issue was.

My vault.conf 

backend "file" {
  path = "$HOME/vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/pki/tls/certs/vault.crt"
  tls_key_file = "/etc/pki/tls/private/vault.key"
}

# vault version
Vault v0.2.0-dev (70b330b8ac1d096ec2bde4ff892a3c2d9942668f)

When I run 
# curl -XGET localhost:8200/v1/sys/health

I get 
http: TLS handshake error from 127.0.0.1:57040: tls: first record does not look like a TLS handshake

I also made sure the vault was already unsealed.

# vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

What could be the problem?


Armon Dadgar

Jul 14, 2015, 8:31:57 PM
to vault...@googlegroups.com, Andy Lee
Hey Andy,

You have configured Vault to listen using TLS (HTTPS), but you are attempting to connect to it using HTTP.
If you change your curl statement to “curl -XGET https://localhost:8200/v1/sys/health” it should work!

Best Regards,
Armon Dadgar

Andy Lee

Jul 15, 2015, 12:20:05 AM
to vault...@googlegroups.com, andy....@gmail.com
Hi Armon,

Thanks for the reply. 

I tried using https too and it gave me this.

curl: (35) SSL connect error

vault log
http: TLS handshake error from 127.0.0.1:60481: tls: client offered an unsupported, maximum protocol version of 300



Armon Dadgar

Jul 15, 2015, 12:38:04 AM
to vault...@googlegroups.com, Andy Lee, andy....@gmail.com
Hey Andy,

This error means curl is using SSL 3.0 / TLS 1.0. Vault requires that clients
use TLS 1.2. You need to update the versions of OpenSSL / curl that you are using.

Hope that helps!

Best Regards,
Armon Dadgar
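
An added example, not part of the thread and not Vault's or Go's own code: a simplified Go sketch of how a TLS listener can tell the two logged failures apart from the first bytes a client sends. A plaintext HTTP request fails the record-header check, while an old client's ClientHello carries a maximum version below the server's minimum (the "300" in the log is that field printed in hexadecimal, 0x0300). The function names and sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// classifyFirstBytes inspects the first bytes a client sends to a TLS
// listener and returns a short diagnosis. Simplified sketch: it assumes the
// ClientHello prefix arrives in one read and ignores record fragmentation.
func classifyFirstBytes(b []byte, minVersion uint16) string {
	if len(b) < 11 {
		return "too short to classify"
	}
	// TLS record header: type(1) | version(2) | length(2).
	// Handshake records have type 0x16 and major version 3.
	if b[0] != 0x16 || b[1] != 0x03 {
		return "not TLS (plaintext such as HTTP sent to a TLS port)"
	}
	// Handshake header: msg_type(1) | length(3); ClientHello is msg_type 1.
	if b[5] != 0x01 {
		return "TLS record, but not a ClientHello"
	}
	// ClientHello.client_version: the highest version the client offers.
	clientMax := binary.BigEndian.Uint16(b[9:11])
	if clientMax < minVersion {
		return fmt.Sprintf("client max version %x is below server minimum %x", clientMax, minVersion)
	}
	return fmt.Sprintf("client max version %x is acceptable", clientMax)
}

// helloPrefix builds a constructed (not captured) ClientHello prefix:
// record header, handshake header, then the 2-byte client_version.
func helloPrefix(clientVersion uint16) []byte {
	p := []byte{0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0, 0}
	binary.BigEndian.PutUint16(p[9:], clientVersion)
	return p
}

func main() {
	const tls12 = 0x0303 // server minimum of TLS 1.2, as stated in the thread
	fmt.Println(classifyFirstBytes([]byte("GET /v1/sys/health HTTP/1.1\r\n"), tls12))
	fmt.Println(classifyFirstBytes(helloPrefix(0x0300), tls12)) // SSL 3.0 client
	fmt.Println(classifyFirstBytes(helloPrefix(0x0303), tls12)) // TLS 1.2 client
}
```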

Andy Lee

Jul 16, 2015, 4:52:04 PM
to vault...@googlegroups.com, andy....@gmail.com
I was able to get around this in my environment by building a custom build that lowered the minimum TLS version to 1.0.


