no cipher suite supported by both client and server | AWS EKS

[itsmesuniljacob]

Expected behavior:

Teleport welcome page

Current behavior:

Pods are getting errors as below

ERROR REPORT:
Original Error: *errors.errorString tls: no cipher suite supported by both client and server
Stack Trace:
    github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:388 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
    github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:326 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
    runtime/asm_amd64.s:1594 runtime.goexit
User Message: tls: no cipher suite supported by both client and server] alpnproxy/proxy.go:334
2023-02-06T15:03:48Z WARN [ALPN:PROX] Failed to handle client connection. error:[
ERROR REPORT:
Original Error: *errors.errorString tls: no cipher suite supported by both client and server
Stack Trace:
    github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:388 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).handleConn
    github.com/gravitational/teleport/lib/srv/alpnproxy/proxy.go:326 github.com/gravitational/teleport/lib/srv/alpnproxy.(*Proxy).Serve.func1
    runtime/asm_amd64.s:1594 runtime.goexit

Bug details:

• Teleport version: 11.1.4
• Recreation steps: Install teleport on EKS through helm. Used NLB, instead of classic, by adding the following annotations.

  service: 
    external-dns.alpha.kubernetes.io/hostname: teleport.utility-v7.engops.public.aws.cradlepointecm.com
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:010290182366:certificate/294df219-eb63-4eba-bef0-84437fad478e
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"

• Debug logs

[itsmesuniljacob]

@programmerq I guess you had the issue no cipher suite supported by both client and server. I followed your configuration, but there is something amiss. It would be great, if you could assist

[webvictim]

Generally this happens when your load balancer is speaking the wrong protocol to the backend. What else do you have set in your Helm values?

[itsmesuniljacob]

@webvictim , I have changed to NLB and it's working now perfectly. Thanks for the reply