Anthos on bare-metal upgrade fails - TLS issue?

Hello,

I'm trying to upgrade my on-prem bare metal cluster from 1.15.4 to 1.16.6. The cluster type is hybrid, default profile, bundled load balancer. I downloaded the bmctl tool and updated the anthosBareMetalVersion value in the configuration file, and bmctl upgrade cluster ends up as follows:

[2024-03-06 17:41:12+0100] error validating cluster config: 1 error occurred:
        * GCR pull permission for bucket: artifacts.anthos-baremetal-release.appspot.com failed: retry failed with context deadline exceeded; last error: Get "https://storage.googleapis.com/storage/v1/b/artifacts.anthos-baremetal-release.appspot.com/iam/testPermissions?alt=json&permissions=storage.objects.get&permissions=storage.objects.list&prettyPrint=false": read tcp [ip_removed]:45456->[ip_removed]:443: read: connection reset by peer

 

I pasted that link into a browser and it worked fine. I tried with curl and it failed. I checked with openssl s_client -connect and it failed again. Then I forced curl and s_client to use TLS version 1.2 and it worked fine, while it still failed with 1.3 enforced.

Is there any way to explicitly force the bmctl tool to use 1.2? Might this be a server-side issue? Or maybe it's something else?

Bests


Hello @mi-sie,

Welcome to Google Cloud Community!

Unfortunately, there might not be a built-in option within bmctl to explicitly force TLS 1.2. While forcing TLS 1.2 might work as a temporary workaround, it's generally not recommended due to security concerns. TLS 1.2 is considered less secure than later versions like 1.3.

Consider upgrading bmctl to the latest version. Newer versions might have improved TLS handling or support for more recent TLS protocols.
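
The per-version check described in the question (curl and openssl s_client pinned to TLS 1.2, then to 1.3), as an added Go example that is not part of the original thread and is not bmctl code. `probeTLS` and its status strings are hypothetical names; the probe separates a TCP reset during the handshake, the symptom in the error above, from a timeout or a TLS-level failure.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// probeTLS performs one handshake with addr ("host:port") pinned to exactly
// one TLS version and classifies the outcome. base may be nil.
func probeTLS(addr string, version uint16, base *tls.Config) (string, error) {
	cfg := &tls.Config{}
	if base != nil {
		cfg = base.Clone()
	}
	cfg.MinVersion, cfg.MaxVersion = version, version
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "ok", nil
	}
	var nerr net.Error
	switch {
	case errors.Is(err, syscall.ECONNRESET):
		// "connection reset by peer": the TCP connection was torn down
		// mid-handshake, with no TLS alert explaining why.
		return "reset", err
	case errors.As(err, &nerr) && nerr.Timeout():
		return "timeout", err
	default:
		// Anything else, e.g. a TLS alert from the peer or a certificate error.
		return "failed", err
	}
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: tlsprobe host:port")
		return
	}
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		status, err := probeTLS(os.Args[1], v, nil)
		fmt.Printf("version 0x%04x: %s (%v)\n", v, status, err)
	}
}
```

Running it from the admin workstation and from a host on a different network path shows whether the TLS 1.3 reset follows the client or the route.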
