I have the following in my cloud config after successfully deploying TLS/SSL for ETCD:
    - path: /etc/environment
      permissions: 0644
      content: |
        ETCDCTL_CA_FILE=/home/core/.ssl/certs/ca-cert.pem
        ETCDCTL_CERT_FILE=/home/core/.ssl/certs/cert.pem
        ETCDCTL_KEY_FILE=/home/core/.ssl/certs/key.pem
        ETCDCTL_ENDPOINT=https://127.0.0.1:4001
But still I have to provide ETCD client the following:
    etcdctl --endpoint=https://127.0.0.1:4001 --ca-file=ca.pem --cert-file=cert.pem --key-file=key.pem --no-sync cluster-health
or I get the following error:
    cluster may be unhealthy: failed to list members
    Error: client: etcd cluster is unavailable or misconfigured
    error #0: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
    error #1: dial tcp 127.0.0.1:2379: getsockopt: connection refused
It appears the environment variables for core user aren't being set.
I do not quite understand this issue. Did you set the environment variable for the user that ran the etcdctl command? I suspect that the environment variable is not set correctly.
Can you try
    ETCDCTL_ENDPOINT=https://127.0.0.1:4001 [other envs] ./etcdctl --endpoint=...
@xiang90 What is the recommended way of having environment variables permanently set for a user's session in CoreOS?
Most solutions I have seen recommend this; is there an alternative? - http://stackoverflow.com/questions/30596866/how-can-i-customize-bashrc-bash-profile-or-profile-on-a-coreos-installation
@vmatekole If it is a CoreOS related question, you should open an issue here https://github.com/coreos/bugs/issues. There are more eyes and experts watching that repo. It would also make the issue more searchable for future reference.
@xiang90 Thanks for the tip but I think I found the answer - https://github.com/wiliamsouza/marlito/blob/develop/user-data.sample#L36-L42
Specifically, this is the correct method:
    - path: /etc/profile.d/01-etcd.sh
      permissions: 0644
      owner: root
      content: |
        export ETCDCTL_CA_FILE=/home/core/.ssl/certs/ca-cert.pem
        export ETCDCTL_CERT_FILE=/home/core/.ssl/certs/cert.pem
        export ETCDCTL_KEY_FILE=/home/core/.ssl/certs/key.pem
        export ETCDCTL_ENDPOINT=https://127.0.0.1:4001
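
An added example, not part of the thread or of the etcd or CoreOS projects: the script below compares the two file styles posted above by reporting which `ETCDCTL_*` names a child process such as etcdctl would inherit once a shell has sourced each file. The function names and the `/constructed/...` values are hypothetical, and both files are sourced with `.` only to compare the syntax; whether a login shell reads `/etc/environment` at all is not shown here.

```shell
#!/bin/sh
# Variable names taken from the thread's cloud-config snippets.
WANTED="ETCDCTL_CA_FILE ETCDCTL_CERT_FILE ETCDCTL_KEY_FILE ETCDCTL_ENDPOINT"

# write_samples DIR: create two constructed sample files mirroring the thread:
# plain assignments ("environment") and exported assignments ("01-etcd.sh").
write_samples() {
    for v in $WANTED; do
        printf '%s=/constructed/%s\n' "$v" "$v"
    done > "$1/environment"
    sed 's/^/export /' "$1/environment" > "$1/01-etcd.sh"
}

# inherited_after_sourcing FILE: source FILE in an otherwise empty shell, then
# list the ETCDCTL_* names that the child process `env` actually receives.
inherited_after_sourcing() {
    env -i PATH="$PATH" sh -c '. "$1"; env' sh "$1" |
        sed -n 's/^\(ETCDCTL_[A-Z_]*\)=.*/\1/p' | LC_ALL=C sort | paste -sd ' ' -
}

# missing_after_sourcing FILE: names from WANTED that a child would NOT get,
# i.e. the settings etcdctl would silently replace with its defaults.
missing_after_sourcing() {
    have=" $(inherited_after_sourcing "$1") "
    out=""
    for v in $WANTED; do
        case "$have" in
            *" $v "*) ;;                      # exported, child sees it
            *) out="$out${out:+ }$v" ;;       # set in the shell only, or unset
        esac
    done
    printf '%s\n' "$out"
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in environment 01-etcd.sh; do
    printf '%-12s missing in child: %s\n' "$f" \
        "$(missing_after_sourcing "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On a real host, `env | grep ETCDCTL_` in a fresh login shell answers the same question for the actual session.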