Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

etcdserver: rejected TLS peer connection error message to client is not helpful #8803

Closed
gyuho opened this issue Nov 1, 2017 · 4 comments
Closed

etcdserver: rejected TLS peer connection error message to client is not helpful #8803

gyuho opened this issue Nov 1, 2017 · 4 comments
Labels
help wanted
Milestone
etcd-v3.4

Comments

@gyuho
Copy link
Contributor

gyuho commented Nov 1, 2017
edited
Loading

Affecting >v3.2.

Might need make this error message more descriptive in etcdserver side.

2017-11-01 16:31:59.764751 I | etcdmain: etcd Version: 3.2.9
2017-11-01 16:31:59.764799 I | etcdmain: Git SHA: f1d7dd8
2017-11-01 16:31:59.764803 I | etcdmain: Go Version: go1.8.4
2017-11-01 16:31:59.764806 I | etcdmain: Go OS/Arch: linux/amd64
2017-11-01 16:31:59.764809 I | etcdmain: setting maximum number of CPUs to 2, total number of available CPUs is 2
2017-11-01 16:31:59.764837 I | embed: peerTLS: cert = /etc/etcdtls/member/peer-tls/peer.crt, key = /etc/etcdtls/member/peer-tls/peer.key, ca = , trusted-ca = /etc/etcdtls/member/peer-tls/peer-ca.crt, client-cert-auth = true
2017-11-01 16:31:59.765511 I | embed: listening for peers on https://0.0.0.0:2380
2017-11-01 16:31:59.765551 I | embed: listening for client requests on 0.0.0.0:2379
2017-11-01 16:31:59.792577 W | etcdserver: could not get cluster response from https://example-0000.example.default.svc:2380: Get https://example-0000.example.default.svc:2380/members: EOF
2017-11-01 16:31:59.798122 C | etcdmain: cannot fetch cluster info from peer urls: could not retrieve cluster information from the given urls

Related

/cc @hongchaodeng
@gyuho gyuho mentioned this issue Nov 1, 2017
Closed
14 tasks
@gyuho gyuho changed the title etcdserver: rejected TLS peer connection error message is not helpful etcdserver: rejected TLS peer connection error message to client is not helpful Nov 1, 2017
@gyuho
Copy link
Contributor Author

gyuho commented Nov 1, 2017

@hongchaodeng Server-side error message when client gets rejected with EOF is

etcdmain: rejected connection from "10.60.8.250:37528" (tls: "10.60.8.250" does not match any of DNSNames [".example.default.svc" ".example.default.svc.cluster.local"] (lookup 250.8.60.10.in-addr.arpa. on 10.63.240.10:53: no such host))

@xiang90 xiang90 added this to the v3.4.0 milestone Nov 27, 2017
@hexfusion
Copy link
Contributor

@gyuho I am going to take a stab at this.

@hexfusion
Copy link
Contributor

@gyuho in this case the rejected connection message is coming from etcdserver/cluster_util.go:getClusterFromRemotePeers.

       resp, err := cc.Get(u + "/members")
        if err != nil {
            if logerr {
                plog.Warningf("could not get cluster response from %s: %v", u, err)
            }   
            continue
        }

The err returned from this is EOF presumably re: golang/go#19874 as you noted above. As far as approach goes should we try to handle the proper error message here or earlier? Would checking for a literal EOF make sense?

@gyuho
Copy link
Contributor Author

gyuho commented Dec 6, 2017

@hexfusion Thanks for looking it up! Yeah seems like EOF is expected when the TLS handshake is failed on the other side (ref. #7687 (comment)). We have TLS handshake failure handler in listener

https://github.com/coreos/etcd/blob/7e0fc6136eb4c5dc3c8c39ff48eb29e87b7158ab/pkg/transport/listener_tls.go#L58-L61

But in this case, cc.Get(u + "/members") is the dialer on the other side, and there's no way to configure handshake failure dialer (unless we have a wrapper around roundtripper, in a similar way we do for listener, but I don't think it's worth since the other peer clearly prints out the error):

https://github.com/coreos/etcd/blob/7e0fc6136eb4c5dc3c8c39ff48eb29e87b7158ab/pkg/transport/transport.go#L26-L42

Closing since there's not much we can do.

@gyuho gyuho closed this as completed Dec 6, 2017
@tkellen tkellen mentioned this issue May 21, 2018
Closed
@johncming johncming mentioned this issue Mar 27, 2019
Closed
@matte21 matte21 mentioned this issue Feb 25, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Milestone
etcd-v3.4
Development

No branches or pull requests
3 participants
@hexfusion @xiang90 @gyuho