OpenSSL wrong version number in ruby rspec unit tests connecting to docker hashicorp vault

  docker, hashicorp-vault, openssl, ruby, ssl

I’m receiving the following SSL error on my rake rspec unit tests when I try to connect to the vault on my docker container using HTTPS:

 OpenSSL::SSL::SSLError:
       SSL_connect returned=1 errno=0 state=error: wrong version number

We’re using docker to load a local instance of a hashicorp vault

Here’s the command I run to generate the TLS Certificates

RUN openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -subj "$SUBJ" -out /vault/certificates/tls/vault.crt \
    -keyout /vault/certificates/tls/vault.key

When I log into the docker container and run openssl version I get:

/ # openssl version
OpenSSL 1.1.1k  25 Mar 2021

When I try to connect to the docker container from my local prompt, I get:

$ openssl s_client -connect 'localhost:8200'
CONNECTED(000001F0)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1620224762
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
26612:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:

When I run this command in my local irb I get:

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
=> {:min_version=>769, :verify_mode=>1, :verify_hostname=>true, :options=>2147614804}
irb(main):003:0>

This is my vault configuration:

listener "tcp" {
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/vault/certificates/tls/vault.crt"
  tls_key_file  = "/vault/certificates/tls/vault.key"
}

Also, I noticed in the docker logs we have two listeners now:

Listener 1: tcp (addr: "0.0.0.0:1234", cluster address: "0.0.0.0:1235", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Listener 2: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")

And my docker vault server startup command is:

vault server -config=/vault/config -dev-root-token-id=myroot -dev-listen-address=0.0.0.0:1234 -dev &

And I noticed in the logs it's still seeing an HTTP connection…

Error writing data to pki/root/generate/internal: Put https://127.0.0.1:1234/v1/pki/root/generate/internal: http: server gave HTTP response to HTTPS client
Error writing data to pki/config/urls: Put https://127.0.0.1:1234/v1/pki/config/urls: http: server gave HTTP response to HTTPS client
Error writing data to pki/roles/localhost: Put https://127.0.0.1:1234/v1/pki/roles/localhost: http: server gave HTTP response to HTTPS client
Error writing data to pki/issue/localhost: Put https://127.0.0.1:1234/v1/pki/issue/localhost: http: server gave HTTP response to HTTPS client

I’m kind of lost right now on how to handle this.

Source: Docker Questions
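A diagnostic for the symptom in the question, added here as an example (it is not code from the question or from Vault): it performs the same OpenSSL handshake the rspec client does and, when that fails, asks the same port in plain HTTP, which is what a listener logged as tls: "disabled" answers. The function and hash key names are assumptions made for this example.

```ruby
require 'socket'
require 'openssl'
require 'io/wait'

# Ask the listener at host:port which protocol it really speaks. A TLS client
# that reaches a plaintext HTTP listener (Vault's dev listener, logged with
# tls: "disabled") reads an HTTP status line where it expects a ServerHello,
# which OpenSSL reports as "wrong version number" or "unknown protocol".
# Function and hash key names are assumptions made for this example.
def probe_listener(host, port, timeout: 3)
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new           # no set_params: we want the
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)  # protocol answer, not cert checks
  ssl.sync_close = true
  ssl.connect
  { state: :tls, protocol: ssl.ssl_version, subject: ssl.peer_cert&.subject&.to_s }
rescue OpenSSL::SSL::SSLError => e
  # Handshake failed: re-ask the same port in plain HTTP and inspect the reply.
  line = plain_http_status_line(host, port, timeout: timeout)
  if line&.start_with?('HTTP/')
    { state: :plaintext_http, status_line: line, ssl_error: e.message }
  else
    { state: :tls_error, ssl_error: e.message, raw_reply: line }
  end
rescue SystemCallError => e
  { state: :unreachable, error: e.message }   # e.g. ECONNREFUSED: nothing listening
ensure
  (ssl || tcp)&.close rescue nil
end

# Send a minimal HTTP/1.0 request without TLS and return the first reply line.
# A TLS-only listener answers with a TLS alert record (binary, not "HTTP/...")
# or just closes the connection, so the caller sees nil or junk instead.
def plain_http_status_line(host, port, timeout: 3)
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    sock.write("HEAD / HTTP/1.0\r\nHost: #{host}\r\n\r\n")
    return nil unless sock.wait_readable(timeout)
    sock.readpartial(256).lines.first&.chomp
  end
rescue EOFError, SystemCallError
  nil
end

# ruby probe.rb localhost 8200  (1234 is the dev listener from the logs above)
p probe_listener(ARGV[0], ARGV[1].to_i) if ARGV.size == 2
```

Running it against both ports from the logs tells you which one the rspec suite is actually reaching: a :plaintext_http result on the port your VAULT_ADDR points at is the same condition that the "server gave HTTP response to HTTPS client" lines report from the other direction.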
