Client cert authentication failure

[svopentext]

When I am trying to user etcd3 for terraform backend and install client cert, I am getting following error. embed: rejected connection from "10.100.100.10:61282" (error "tls: first record does not look like a TLS handshake", ServerName "")

Here are my etcd details. etcd Version: 3.4.1 Go Version: go1.12.9 Go OS/Arch: linux/amd64 Using docker Docker version 18.03.0-ce, build 0520e24

when I curl, curl --cacert ca.crt --cert client.pem --key client-key.pem https://10.100.10.11:2379 -v

• Rebuilt URL to: https://10.100.10.11:2379/
• Trying 10.100.10.11...
• TCP_NODELAY set
• Connected to 10.100.10.11 (10.100.10.11) port 2379 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: ca.crt CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Request CERT (13):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Certificate (11):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS handshake, CERT verify (15):
• TLSv1.2 (OUT), TLS change cipher, Client hello (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
• ALPN, server accepted to use h2
• Server certificate:
• subject: C=US; ST=Georgia; L=Atlanta; O=etcd; OU=at56-c1; CN=etcd
• start date: Nov 1 15:37:00 2019 GMT
• expire date: Oct 30 15:37:00 2024 GMT
• subjectAltName: host "10.100.10.11" matched cert's IP address!
• issuer: C=US; ST=Georgia; L=Atlanta; O=XXX; OU=IT; CN=*.xxx.com
• SSL certificate verify ok.
• Using HTTP2, server supports multi-use
• Connection state changed (HTTP/2 confirmed)
• Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
• Using Stream ID: 1 (easy handle 0x7fffedf3a580)

  GET / HTTP/2 Host: 10.100.10.11:2379 User-Agent: curl/7.58.0 Accept: /

• Connection state changed (MAX_CONCURRENT_STREAMS updated)! < HTTP/2 404 < access-control-allow-headers: accept, content-type, authorization < access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE < access-control-allow-origin: * < content-type: text/plain; charset=utf-8 < x-content-type-options: nosniff < content-length: 19 < date: Mon, 11 Nov 2019 15:20:05 GMT < 404 page not found

• Connection #0 to host 10.155.10.81 left intact

  terraform file terraform { backend "etcdv3" { endpoints = ["https://10.100.10.11:2379", "https://10.100.10.12:2379", "https://10.100.10.13:2379"] lock = true cacert_path = "ca.crt" cert_path = "client.pem" key_path = "client-key.pem" prefix = "terraform-state/" }

  etcdctl --endpoints https://10.100.10.11:2379,https://10.100.10.12:2379,https://10.100.10.13:2379, --key client-key.pem --cacert ca.crt --cert client.pem put foo bar OK

  etcdctl --endpoints=https://10.100.10.11:2379:2379 --cacert=/opt/certs/ca.crt --cert=/opt/liaison/certs/server.crt --key=/opt/liaison/certs/server.key member list 57b20b97767c850c, started, xxx.dev, https://10.100.10.11:2380, https://10.100.10.11:2379, false b325882bdfc47769, started, xxx.dev, https://10.100.10.12:2380, https://10.100.10.12:2379, false b37664e555864dc6, started, xxx.dev, https://10.100.10.13:2380, https://10.100.10.13:2379, false Please let me know if you need more details

[svopentext]

resolved this issue ..Terrafrom needs all .pem certs terraform { backend "etcdv3" { endpoints = ["10.100.10.00:2379", "110.100.11:2379", "10.100.12:2379"] lock = true prefix = "at4d-terraform-state/" cacert_path = "certs/ca.pem" cert_path = "certs/client.pem" key_path = "certs/client-key.pem" } }