
TLS termination on AWS LB prevents successful connection

Open edmeister opened this issue 4 years ago • 3 comments

Hi,

We deployed the latest version of the Helm chart (1.6.5) onto our Kubernetes clusters running on AWS (1.18) and chose to add a public load balancer in front of the VerneMQ pods. According to the documentation, we added our TLS certificates on the load balancer. However, we don't succeed in connecting to the VerneMQ brokers.

When we remove the TLS from the NLB or ELB, everything works as expected. With a port-forward directly to the pod or the service, everything runs perfectly too.

We tried with both the Elastic/Classic and the Network load balancer, btw. Results were the same.

Does anybody have any idea what we might be doing wrong? Is there a reference configuration for a setup on AWS?

A snippet from our helm values, all very straightforward:

service:
  type: LoadBalancer
  annotations:
    external-dns.alpha.kubernetes.io/hostname: ${hostName}
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${certificateArn}

edmeister avatar Sep 22 '20 20:09 edmeister

Can you provide the whole configuration?

nestoras avatar Nov 02 '20 22:11 nestoras

This is what works for us on our K8s Cluster with TLS terminating at the NLB:

service:
  type: LoadBalancer
  # Plaintext MQTT listener on the pod; the NLB terminates TLS in front of it
  mqtt:
    enabled: true
    port: 1883
    nodePort: 1883
  # Pod-side TLS listeners stay off because TLS is handled by the NLB
  mqtts:
    enabled: false
    port: 8883
    nodePort: 8883
  # Plaintext WebSocket listener; exposed on 443 by the NLB
  ws:
    enabled: true
    port: 443
    nodePort: 8080
  wss:
    enabled: false
    port: 8443
    nodePort: 8443
  annotations: {
    service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip,
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http,
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: TCP,
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port,
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${certificateArn},
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443,1883",
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    }
  labels: {}

TheBaus avatar Feb 18 '21 09:02 TheBaus
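With a setup like the one above, the load balancer terminates TLS on the ports listed in `aws-load-balancer-ssl-ports` (443 and 1883) and forwards plaintext to the pod's `mqtt` and `ws` listeners, so the client has to speak TLS to port 1883 of the load balancer hostname, while the pod-side `mqtts` listener on 8883 is disabled. The quickest way to tell which case you are in is to open the connection by hand, send an MQTT CONNECT and look at the first bytes that come back. The script below is an added example written for this thread, not part of docker-vernemq, the Helm chart or anyone's reply; the hostname, port and client id in it are assumptions. It verifies the load balancer certificate and hostname with Python's default TLS context, sends a minimal MQTT 3.1.1 CONNECT, and classifies the reply as a CONNACK, a TLS alert (you sent plaintext to a TLS port) or a silent close (typically TLS sent to a plaintext port, or a disabled listener).

```python
"""Probe an MQTT endpoint behind a load balancer and report what the peer
actually speaks: MQTT CONNACK, a TLS alert, or nothing at all.

Added example for this thread (not part of docker-vernemq or its Helm chart).
The hostname, port and client id used below are assumptions.
"""
import socket
import ssl


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 marks continuation."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, keepalive: int = 30) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, no credentials, no will."""
    variable_header = (
        b"\x00\x04MQTT"            # protocol name
        + b"\x04"                  # protocol level 4 (MQTT 3.1.1)
        + b"\x02"                  # connect flags: clean session only
        + keepalive.to_bytes(2, "big")
    )
    cid = client_id.encode()
    payload = len(cid).to_bytes(2, "big") + cid
    body = variable_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


# CONNACK return codes from the MQTT 3.1.1 specification
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def classify_response(data: bytes) -> str:
    """Interpret the first bytes the peer sent back after our CONNECT."""
    if not data:
        return "peer closed the connection without replying"
    if data[0] == 0x20 and len(data) >= 4:
        return "MQTT CONNACK: " + CONNACK_CODES.get(data[3], f"return code {data[3]}")
    if data[0] == 0x15 and data[1:2] == b"\x03":
        # 0x15 is the TLS alert record type, 0x03 the TLS major version
        return "TLS alert: the peer speaks TLS on this port, we sent plaintext"
    return f"unexpected bytes: {data[:8].hex()}"


def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> dict:
    """Open a TCP or TLS connection, send CONNECT and report what came back."""
    result = {"host": host, "port": port, "tls": use_tls}
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            # Default context verifies the chain and the hostname, so a
            # misissued or mismatched load balancer certificate fails here.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(raw, server_hostname=host)
            result["tls_version"] = sock.version()
            result["cert_subject"] = sock.getpeercert().get("subject")
        else:
            sock = raw
        sock.settimeout(timeout)
        sock.sendall(build_connect("lb-probe"))  # client id is an assumption
        try:
            reply = sock.recv(16)
        except socket.timeout:
            reply = b""
        result["verdict"] = classify_response(reply)
    except ssl.SSLError as exc:
        result["verdict"] = (
            f"TLS handshake failed ({exc.reason}): "
            "the peer is probably not terminating TLS on this port"
        )
    finally:
        raw.close()
    return result


if __name__ == "__main__":
    # Hypothetical hostname; run both variants to see which leg is wrong.
    print(probe("mqtt.example.com", 1883, use_tls=True))
    print(probe("mqtt.example.com", 1883, use_tls=False))
```

Run it against the load balancer hostname with `use_tls=True` on 1883: a `MQTT CONNACK` verdict means the NLB is terminating TLS and VerneMQ answered through the plaintext listener. A handshake failure on 1883 means TLS is not enabled on that listener (check `aws-load-balancer-ssl-ports`), and a silent close on 8883 is expected because the pod-side `mqtts` listener is disabled. Keep in mind that with this layout the hop from the NLB to the pods is unencrypted inside the VPC, so network policy on the node port matters.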

Hi, @edmeister. Did you get this to work? We are having a similar problem. Please let us know how you solved this.

sivas053 avatar Apr 06 '21 12:04 sivas053