Jul 11 04:44:39 etcd1 etcd[23500]: rejected connection from "192.168.3.169:46556" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 04:44:39 etcd1 etcd[23500]: rejected connection from "192.168.3.169:46560" (error "tls: oversized record received with length 21536", ServerName "")

HI @dangxiaojun can you please provide the startup logs for these etcd instances. These errors above indicate that the traffic is not actually HTTPS but HTTP. Perhaps the startup snippet will give us some clues otherwise maybe some kind of proxy issue?.

Also, can you output etcd --version

[root@etcd1 ~]# etcd --version
etcd Version: 3.3.8
Git SHA: 33245c6b5
Go Version: go1.9.7
Go OS/Arch: linux/amd64

This is startup logs
```
Jul 11 08:13:19 localhost systemd: Started Etcd Server.
Jul 11 08:13:19 localhost systemd: Starting Etcd Server...
Jul 11 08:13:19 localhost journal: Suppressed 96 messages from /system.slice/etcd.service
Jul 11 08:13:19 localhost etcd: etcd Version: 3.3.8
Jul 11 08:13:19 localhost etcd: Git SHA: 33245c6b5
Jul 11 08:13:19 localhost etcd: Go Version: go1.9.7
Jul 11 08:13:19 localhost etcd: Go OS/Arch: linux/amd64
Jul 11 08:13:19 localhost etcd: setting maximum number of CPUs to 1, total number of available CPUs is 1
Jul 11 08:13:19 localhost etcd: found invalid file/dir fixtures under data dir /var/lib/etcd (Ignore this if you are upgrading etcd)
Jul 11 08:13:19 localhost etcd: the server is already initialized as member before, starting as etcd member...
Jul 11 08:13:19 localhost etcd: peerTLS: cert = /etc/kubernetes/ssl/kubernetes.pem, key = /etc/kubernetes/ssl/kubernetes-key.pem, ca = , trusted-ca = /etc/kubernetes/ssl/ca.pem, client-cert-auth = true, crl-file =
Jul 11 08:13:19 localhost etcd: listening for peers on https://192.168.3.162:2380
Jul 11 08:13:19 localhost etcd: listening for client requests on 127.0.0.1:2379
Jul 11 08:13:19 localhost etcd: listening for client requests on 192.168.3.162:2379
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39678" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: name = etcd1
Jul 11 08:13:19 localhost etcd: data dir = /var/lib/etcd
Jul 11 08:13:19 localhost etcd: member dir = /var/lib/etcd/member
Jul 11 08:13:19 localhost etcd: heartbeat = 100ms
Jul 11 08:13:19 localhost etcd: election = 1000ms
Jul 11 08:13:19 localhost etcd: snapshot count = 100000
Jul 11 08:13:19 localhost etcd: advertise client URLs = https://192.168.3.162:2379
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39676" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54700" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54698" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: restarting member bab1199d24d460ee in cluster 31b7399b4ff27c46 at commit index 20240
Jul 11 08:13:19 localhost etcd: bab1199d24d460ee became follower at term 2698
Jul 11 08:13:19 localhost etcd: newRaft bab1199d24d460ee [peers: [], term: 2698, commit: 20240, applied: 0, lastindex: 20240, lastterm: 2334]
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39686" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39684" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: restore compact to 14417
Jul 11 08:13:19 localhost etcd: simple token is not cryptographically signed
Jul 11 08:13:19 localhost etcd: starting server... [version: 3.3.8, cluster version: to_be_decided]
Jul 11 08:13:19 localhost etcd: ClientTLS: cert = /etc/kubernetes/ssl/kubernetes.pem, key = /etc/kubernetes/ssl/kubernetes-key.pem, ca = , trusted-ca = /etc/kubernetes/ssl/ca.pem, client-cert-auth = true, crl-file =
Jul 11 08:13:19 localhost etcd: added member e3b08f0ab9f3fe8 [http://192.168.3.169:2380] to cluster 31b7399b4ff27c46
Jul 11 08:13:19 localhost etcd: starting peer e3b08f0ab9f3fe8...
Jul 11 08:13:19 localhost etcd: started HTTP pipelining with peer e3b08f0ab9f3fe8
Jul 11 08:13:19 localhost etcd: started peer e3b08f0ab9f3fe8
Jul 11 08:13:19 localhost etcd: added peer e3b08f0ab9f3fe8
Jul 11 08:13:19 localhost etcd: added member 341f2c77ffb24eef [http://192.168.3.168:2380] to cluster 31b7399b4ff27c46
Jul 11 08:13:19 localhost etcd: starting peer 341f2c77ffb24eef...
Jul 11 08:13:19 localhost etcd: started HTTP pipelining with peer 341f2c77ffb24eef
Jul 11 08:13:19 localhost etcd: started peer 341f2c77ffb24eef
Jul 11 08:13:19 localhost etcd: added peer 341f2c77ffb24eef
Jul 11 08:13:19 localhost etcd: started streaming with peer e3b08f0ab9f3fe8 (writer)
Jul 11 08:13:19 localhost etcd: started streaming with peer e3b08f0ab9f3fe8 (writer)
Jul 11 08:13:19 localhost etcd: started streaming with peer e3b08f0ab9f3fe8 (stream MsgApp v2 reader)
Jul 11 08:13:19 localhost etcd: started streaming with peer e3b08f0ab9f3fe8 (stream Message reader)
Jul 11 08:13:19 localhost etcd: added member bab1199d24d460ee [http://192.168.3.162:2380] to cluster 31b7399b4ff27c46
Jul 11 08:13:19 localhost etcd: set the initial cluster version to 3.3
Jul 11 08:13:19 localhost etcd: enabled capabilities for version 3.3
Jul 11 08:13:19 localhost etcd: started streaming with peer 341f2c77ffb24eef (writer)
Jul 11 08:13:19 localhost etcd: started streaming with peer 341f2c77ffb24eef (writer)
Jul 11 08:13:19 localhost etcd: started streaming with peer 341f2c77ffb24eef (stream MsgApp v2 reader)
Jul 11 08:13:19 localhost etcd: started streaming with peer 341f2c77ffb24eef (stream Message reader)
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54706" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54708" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39694" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39692" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54716" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54714" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39700" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39702" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54720" (error "tls: oversized record received with length 21536", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54728" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54726" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39710" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39708" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54736" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54734" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39716" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39718" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54744" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.168:54742" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39726" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:19 localhost etcd: rejected connection from "192.168.3.169:39724" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54752" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54750" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39734" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39732" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54760" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54758" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39742" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39740" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54768" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54766" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39750" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39748" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54776" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54774" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39758" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39756" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54784" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54782" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39766" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39764" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54790" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54792" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39772" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39774" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54800" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54798" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39780" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39782" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54808" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54806" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39790" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39788" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54816" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54814" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: bab1199d24d460ee is starting a new election at term 2698
Jul 11 08:13:20 localhost etcd: bab1199d24d460ee became candidate at term 2699
Jul 11 08:13:20 localhost etcd: bab1199d24d460ee received MsgVoteResp from bab1199d24d460ee at term 2699
Jul 11 08:13:20 localhost etcd: bab1199d24d460ee [logterm: 2334, index: 20240] sent MsgVote request to 341f2c77ffb24eef at term 2699
Jul 11 08:13:20 localhost etcd: bab1199d24d460ee [logterm: 2334, index: 20240] sent MsgVote request to e3b08f0ab9f3fe8 at term 2699
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39798" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.169:39796" (error "tls: first record does not look like a TLS handshake", ServerName "")
Jul 11 08:13:20 localhost etcd: rejected connection from "192.168.3.168:54822" (error "tls: first record does not look like a TLS handshake", ServerName "")

I see the added member e3b08f0ab9f3fe8 [http://192.168.3.169:2380] to cluster 31b7399b4ff27c46

But My service file used https

My guess is that the cluster was initially set up wrong. What is the output of below?

ETCDCTL_API=3 etcdctl member list \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/ssl/ca.pem \
--cert=/etc/kubernetes/ssl/kubernetes.pem \
--key=/etc/kubernetes/ssl/kubernetes-key.pem

You could try reconfiguring the members to https or start fresh.

https://github.com/coreos/etcd/blob/master/Documentation/op-guide/runtime-configuration.md#cluster-reconfiguration-operations

Possibly related to https://github.com/coreos/etcd/issues/9905 ?

Hi @dangxiaojun checking in what did you find?

@dangxiaojun If this is still an issue please feel free to add additional comments.

No progress, the same configuration, after a few restarts, he can now work normally, using HTTPS, I will continue to observe, thank you for your assistance.

Got similar log when enabling https, after servel restarts the problem still exists.

I refer to this page -> https://github.com/coreos/etcd/blob/master/Documentation/op-guide/runtime-configuration.md#cluster-reconfiguration-operations , update each member's peerURLs from http to https, then restart the cluster again, it works.

I've run into the same issue however, the cluster seems to operate just fine - keys are replicated across the cluster.
>etcdctl member list
82aeb37e361d09ed, started, etcd1, https://172.16.253.51:2380, https://172.16.253.51:2379 9d3b38013d4186e6, started, etcd2, https://172.16.253.47:2380, https://172.16.253.47:2379 a2430f07d691d22e, started, etcd3, https://172.16.253.52:2380, https://172.16.253.52:2379

However, issuing
>etcdctl endpoint health --endpoints=172.16.253.51:2380,172.16.253.47:2380,172.16.253.52:2380
results in:
172.16.253.52:2380 is unhealthy: failed to commit proposal: context deadline exceeded 172.16.253.47:2380 is unhealthy: failed to commit proposal: context deadline exceeded 172.16.253.51:2380 is unhealthy: failed to commit proposal: context deadline exceeded Error: unhealthy cluster

and upon execution logs are flooded with
etcdmain: rejected connection from "172.16.253.52:35222" (error "EOF", ServerName "")

v3.2.18 - found only due to prep work for migrating to v3.3.10

However, issuing
etcdctl endpoint health --endpoints=172.16.253.51:2380,172.16.253.47:2380,172.16.253.52:2380
results in:
172.16.253.52:2380 is unhealthy: failed to commit proposal: context deadline exceeded 172.16.253.47:2380 is unhealthy: failed to commit proposal: context deadline exceeded 172.16.253.51:2380 is unhealthy: failed to commit proposal: context deadline exceeded Error: unhealthy cluster

@piotrgo does changing endpoint port to 2379 resolve the issue?

Looks like I ran into the same issue when using https instead http when enabling mTLS between etcd server and kube-apiserver in GCE: https://github.com/kubernetes/kubernetes/pull/74690#issuecomment-469083400. My guess is something in still trying to connecting to etcd server using http instead of https, not sure what though. I will keep looking and update if I find the cause.

I ran to the same issue, I have 3 api pods (3 masters) running on centos behing HAProxy, and I am getting :
I0328 13:12:08.436614 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48960: tls: first record does not look like a TLS handshake
I0328 13:12:08.452375 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48966: tls: first record does not look like a TLS handshake
I0328 13:12:08.510890 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48972: tls: first record does not look like a TLS handshake
I0328 13:12:08.511221 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48978: tls: first record does not look like a TLS handshake
I0328 13:12:08.520668 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48984: tls: first record does not look like a TLS handshake
I0328 13:12:08.522030 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48990: tls: first record does not look like a TLS handshake
I0328 13:12:08.529566 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:48996: tls: first record does not look like a TLS handshake
I0328 13:12:08.545460 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49002: tls: first record does not look like a TLS handshake
I0328 13:12:08.550692 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49008: tls: first record does not look like a TLS handshake
I0328 13:12:08.568719 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49014: tls: first record does not look like a TLS handshake
I0328 13:12:08.578375 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49020: tls: first record does not look like a TLS handshake
I0328 13:12:08.590732 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49026: tls: first record does not look like a TLS handshake
I0328 13:12:08.766061 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49032: tls: first record does not look like a TLS handshake
I0328 13:12:09.232213 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49094: tls: first record does not look like a TLS handshake
I0328 13:12:09.244985 1 log.go:172] http: TLS handshake error from HAProxy-PhyiscalIP:49100: tls: first record does not look like a TLS handshake

This means the caller is using HTTP vs HTTPS. If the cluster is using TLS
then HAProxy needs to pass proper TLS credentials to etcd client port.

--
—

I can not see any link showing how the HAProxy can pass the proper TLS credentials, any guidance please?

@wenjiaswe Did you ever find out what component was trying to connect without TLS? We're running etcd 3.3.11 on-prem (without k8s), with manually generated certs. The etcd cluster seems to be behaving correctly, we can interact with the cluster using etcdctl and it is passing performance tests. However, we are still seeing the "tls: first record does not look like a TLS handshake" error in the logs every 10 seconds (I believe the 10 seconds is due to the transports TLS handshake timeout).

All our peer URL's are https; new members join with https; there is not a single http address in the logs and we are not seeing any certificate errors. The errors only appear after "ready to serve client requests" appears in the logs: as the client/peer listeners only serve requests after this point. I believe the error is caused by a gRPC call to one of these listener endpoints without using TLS, but I am not sure what is making this call.

Do you have any idea what the root cause could be, and if it's critical? Thanks!

Jul 05 10:19:19 localhost.localdomain etcd[9275]: etcd Version: 3.3.11
Jul 05 10:19:19 localhost.localdomain etcd[9275]: Git SHA: 2cf9e51
Jul 05 10:19:19 localhost.localdomain etcd[9275]: Go Version: go1.10.3
Jul 05 10:19:19 localhost.localdomain etcd[9275]: Go OS/Arch: linux/amd64
Jul 05 10:19:19 localhost.localdomain etcd[9275]: setting maximum number of CPUs to 4, total number of available CPUs is 4
Jul 05 10:19:19 localhost.localdomain etcd[9275]: the server is already initialized as member before, starting as etcd member...
Jul 05 10:19:19 localhost.localdomain etcd[9275]: cannot listen on TLS for 192.168.79.132:2380: KeyFile and CertFile are not presented
Jul 05 10:19:19 localhost.localdomain systemd[1]: etcd.service: main process exited, code=exited, status=1/FAILURE
Jul 05 10:19:19 localhost.localdomain systemd[1]: Failed to start Etcd Server.

etcd.conf

[member]

ETCD_NAME=etcd0
ETCD_DATA_DIR="/var/lib/etcd/etcd0.etcd"
ETCD_WAL_DIR="/var/lib/etcd/wal"
ETCD_SNAPSHOT_COUNT="100"
ETCD_HEARTBEAT_INTERVAL="100"
ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.79.132:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.79.132:2379,https://127.0.0.1:2379"
ETCD_MAX_SNAPSHOTS="5"
ETCD_MAX_WALS="5"

ETCD_CORS=""

what's wrong?

@tompntn sorry for the late response, in my case https://github.com/kubernetes/perf-tests/pull/458 this was the issue, metrics point is trying to access http://127.0.0.1:2379 and can't access. So I use etcd --listen-metrics-urls to redirect metrics to a different port 2382 so who ever is trying to get etcd metrics could use that. Note that both /metrics and /health are sharing the same metrics port if you set --listen-metrics-urls. You may want to check that.

@fcddk your case doesn't look the same the this post. The log says "Jul 05 10:19:19 localhost.localdomain etcd[9275]: cannot listen on TLS for 192.168.79.132:2380: KeyFile and CertFile are not presented" , you might want to follow https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md and make sure you set up TLS correctly.