#fleet

nick fury

06/21/2022, 1:44 PM
When I'm trying to load my Fleet webserver at k8s I am getting the error message "Error: tls: no cipher suite supported by both client and server". Does anyone know the solution for this problem? Thanks.

Luke Heath

06/21/2022, 4:50 PM
Hi Nick, happy to help you troubleshoot. Can you let me know what your infrastructure looks like? Are you deploying k8s on AWS EC2? Are you using a load balancer like ALB?

nick fury

06/21/2022, 8:42 PM
@Luke Heath load balancer

zwass

06/21/2022, 9:24 PM
Where is that being logged?

nick fury

06/22/2022, 6:56 AM
at the pod of the fleet web server
the load balancer is f5

Luke Heath

06/22/2022, 4:16 PM
It sounds like the F5 configuration is not set up with a modern set of ciphers or doesn't have TLS 1.2 turned on. Try referencing https://support.f5.com/csp/article/K01770517 and make sure you are using a TLS 1.2 cipher.
If that's not the issue, other thoughts would be TLS to redis or MySQL from fleet could have a cipher issue depending upon the specific log entries. In that case, you'd want to check the logs there.
@Luke Heath if it helps, when I used the ALB at Fleet 3.5.1 (not k8s) it worked well, and when I tried to update to k8s to Fleet 4.9.1 that error happens to the ALB

zwass

06/23/2022, 3:37 PM
Seems like it might be because the Go version was bumped between those releases and that removed some really old ciphers from the Go server support.
Maybe it's easiest to turn off TLS termination on Fleet and just let your LB terminate without reencryption?

nick fury

06/26/2022, 8:01 AM
@zwass am I turning off tls termination with the flag:
server:
    tls: false
or should I do something else?

zwass

06/27/2022, 6:52 PM
That looks right

nick fury

07/10/2022, 10:32 AM

Kathy Satterlee

07/16/2022, 6:16 PM
It looks like that bump happened in 3.13.0