Environment
- YugabyteDB Anywhere - All YBA versions
Issue
Creating a YugabyteDB universe with TLS enabled fails with the following error, shown on the task page and in the application.log file inside the yugaware container.
FATAL: Network error: Handshake failed: Network error (yb/rpc/secure_stream.cc:1023): Endpoint does not match, address: <IP-Address>, hostname: <IP-Address>
To collect YugabyteDB Anywhere (YBA) logs, run the following command on the YBA node:
sudo docker logs yugaware > /tmp/yugaware.log
Cause
The error means that Encryption in Transit (TLS) is enabled for the universe, as described in the documentation, but TLS was enabled with custom certificates and the node's server certificate does not contain the node's IP address in its Common Name (CN) or Subject Alternative Name (SAN) fields. Because the nodes address each other by IP, hostname verification of the certificate fails and the handshake is rejected.
NOTE: This issue does not affect the self-signed certificates that Yugabyte auto-generates.
Resolution
Use whichever of the following steps applies to your setup.
Steps
1a. If you don't want to use custom certificates, follow the Self Signed Certificates generated by Yugabyte Platform instructions to enable TLS in the universe.
1b. If you want to use custom certificates and the certificates have the node hostname in the Common Name or Subject Alternative Name fields, reconfigure the universe to use node hostnames (FQDNs) instead of IP addresses:
Go to the YB Universe > Edit G-Flags > Add Tserver G-Flag and set use_node_hostname_for_local_tserver = true.
Perform a rolling restart of the universe.
This G-Flag makes the cluster address nodes by FQDN, which then matches the certificate and resolves the issue.
1c. If you want to use custom certificates with IP addresses in the Common Name field (or if the Common Name fields in the certificates are incorrect), contact your certificate authority to request updated certificates, then follow the Custom CA-signed self-provided certificates instructions to install the updated certificates.
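Before enabling TLS with custom certificates, it helps to check whether each node certificate's CN / SAN entries actually cover the endpoint (IP or FQDN) the node will present. The following is an added example, not YugabyteDB code; its matching rules are assumptions that mirror this article (an IP endpoint needs an IP SAN entry or the IP in the CN; a hostname needs a DNS SAN entry or a matching CN), and the certificate values are constructed.

```python
"""Pre-flight check for the failure mode in this article: would a node
certificate's CN / SAN entries match the endpoint (IP or FQDN) the node
presents? Added example, not YugabyteDB code. Matching rules are assumptions
mirroring the article: an IP endpoint needs an IP SAN entry or the IP in the
CN; a hostname needs a DNS SAN entry (one-label wildcard) or a matching CN."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

def parse_openssl_san(text: str) -> List[Tuple[str, str]]:
    """Turn `openssl x509 -noout -ext subjectAltName` output into
    [("DNS", "node1.example.com"), ("IP", "10.0.0.5")]."""
    entries = []
    for m in re.finditer(r"(DNS|IP Address|IP):\s*([^,\s]+)", text):
        entries.append(("IP" if m.group(1).startswith("IP") else "DNS", m.group(2)))
    return entries

def _same_ip(a: str, b: str) -> bool:
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:  # one side is not an IP address at all
        return False

def _dns_match(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):  # a wildcard covers exactly one label
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def endpoint_matches(endpoint: str, cn: Optional[str],
                     san: Iterable[Tuple[str, str]]) -> bool:
    """True if the certificate would be accepted for this endpoint."""
    san = list(san)
    try:
        ipaddress.ip_address(endpoint)
    except ValueError:  # hostname endpoint: DNS SAN entries or CN decide
        return any(k == "DNS" and _dns_match(v, endpoint) for k, v in san) or (
            cn is not None and _dns_match(cn, endpoint))
    return any(k == "IP" and _same_ip(v, endpoint) for k, v in san) or (
        cn is not None and _same_ip(cn, endpoint))

if __name__ == "__main__":
    # Constructed sample: a custom certificate issued for the FQDN only.
    san = parse_openssl_san("X509v3 Subject Alternative Name:\n    DNS:node1.example.com")
    cn = "node1.example.com"
    print(endpoint_matches("10.0.0.5", cn, san))           # False: the error in this article
    print(endpoint_matches("node1.example.com", cn, san))  # True: step 1b (use FQDNs)
    print(endpoint_matches("10.0.0.5", cn, san + [("IP", "10.0.0.5")]))  # True: step 1c
```

Feed it the real output of `openssl x509 -in <node-cert> -noout -ext subjectAltName` and the CN from `-subject` to check every node before enabling Encryption in Transit.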