https://github.com/osquery/osquery logo
Join Slack
Powered by
when im trying load my fleet webserver at k8s I am...
# fleet
n
when im trying load my fleet webserver at k8s I am getting the error message "Error: tls: no cipher suite supported by both client and server". does anyone know the solution for this problem? thanks.
👀 2
l
Hi Nick, happy to help you troubleshoot. Can you let me know what your infrastructure looks like? Are you deploys k8s on AWS EC2? Are you using a load balancer like ALB?
n
@Luke Heath load balancer
z
Where is that being logged?
n
at the pod of the fleet web server
the load balancer is f5
l
It sounds like the F5 configuration is not setup with a modern set of ciphers or doesn't have TLS 1.2 turned on. Try referencing https://support.f5.com/csp/article/K01770517 and make sure you are using a TLS 1.2 cipher.
If that's not the issue, other thoughts would be TLS to redis or MySQL from fleet could have a cipher issue depending upon the specific log entries. In that case, you'd want to check the logs there.
n
@Luke Heath if it helps when i used the ALB at fleet 3.5.1 (not k8s) it worked well and when i tried to update to k8s to fleet 4.9.1 that error happens to the ALB
z
Seems like it might be because the Go version was bumped between those releases and that removed some really old ciphers from the Go server support.
Maybe it's easiest to turn off TLS termination on Fleet and just let your LB terminate without reencryption?
n
@zwass am I turning off tls termination with the flag:
Copy code
server:
    tls: false
or should i do something else?
z
That looks right
n
👀 1
k
It looks like that bump happened in 3.13.0
ty 1
5 Views
Open in Slack
PreviousNext
Powered by