Unable to start ETCD and failing with error 'tls: failed to find any PEM data in key input' #16024

IamSatyaonline · 2023-06-06T10:18:49Z

IamSatyaonline
Jun 6, 2023

Bug report criteria

This bug report is not security related, security issues should be disclosed privately via [email protected].
This is not a support request, support requests should be raised in the etcd discussion forums.
You have read the etcd bug reporting guidelines.
Existing open issues along with etcd frequently asked questions have been checked and this is not a duplicate.

What happened?

We have 3 members cluster of ETCD service. ETCD service is not running and throwing the error 'tls: failed to find any PEM data in key input'.
As per our prilimarliy investigation , Key files which is being used for peer communication which might be corrupted. But we are not sure about the root cause.
We are using the ETCD-3.5.7 and self sign certificates are being used for peer communication. Could you please help us to know the exact root cause of the issue.
Sharing below the log snippet with the error coming in the logs.

2023-06-02T14:58:00.721849815Z {"caller":"embed/etcd.go:484","cipher-suites":[],"message":"starting with peer TLS","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:58:00.721+00:00","tls-info":"cert = /data/fixtures/peer/cert.pem, key = /data/fixtures/peer/key.pem, client-cert=/data/fixtures/peer/cert.pem, client-key=/data/fixtures/peer/key.pem, trusted-ca = , client-cert-auth = false, crl-file = ","version":"1.2.0"}
2023-06-02T14:58:00.721912667Z {"advertise-client-urls":["https://etcd-0.etcd.spider3:2379"],"advertise-peer-urls":["https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380"],"caller":"embed/etcd.go:373","data-dir":"/data","message":"closing etcd server","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"name":"etcd-0","service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:58:00.721+00:00","version":"1.2.0"}
2023-06-02T14:58:00.721960692Z {"advertise-client-urls":["https://etcd-0.etcd.spider3:2379"],"advertise-peer-urls":["https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380"],"caller":"embed/etcd.go:375","data-dir":"/data","message":"closed etcd server","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"name":"etcd-0","service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:58:00.721+00:00","version":"1.2.0"}

2023-06-02T14:58:00.722031174Z {"caller":"etcdmain/etcd.go:204","error":"tls: failed to find any PEM data in key input","message":"discovery failed","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"critical","stacktrace":"go.etcd.io/etcd/server/v3/etcdmain.startEtcdOrProxyV2\n\tgo.etcd.io/etcd/server/v3/etcdmain/etcd.go:204\ngo.etcd.io/etcd/server/v3/etcdmain.Main\n\tgo.etcd.io/etcd/server/v3/etcdmain/main.go:40\nmain.main\n\tgo.etcd.io/etcd/server/v3/main.go:32\nruntime.main\n\truntime/proc.go:255","timestamp":"2023-06-02T14:58:00.721+00:00","version":"1.2.0"}

What did you expect to happen?

We want ETCD up and running without any error.

How can we reproduce it (as minimally and precisely as possible)?

It's kind of intermittent and not reproducible. always

Anything else we need to know?

No response

Etcd version (please run commands below)

$ etcd --version
bash-4.4$ etcd --version
etcd Version: 3.5.7
Git SHA: 215b53cf3
Go Version: go1.17.13
Go OS/Arch: linux/amd64


$ etcdctl version
bash-4.4$ etcd --version
etcd Version: 3.5.7
Git SHA: 215b53cf3
Go Version: go1.17.13
Go OS/Arch: linux/amd64
bash-4.4$ etcdctl version
etcdctl version: 3.5.7
API version: 3.5

Etcd configuration (command line flags or environment variables)

paste your configuration here

bash-4.4$ env

ETCD_INITIAL_CLUSTER_TOKEN=etcd
TLS_ENABLED=true
ETCD_MAX_SNAPSHOTS=3
CLIENT_PORTS=2379
TZ=UTC
HOSTNAME=etcd-0
COMPONENT_VERSION=v3.5.7
HTTP_PROBE_CMD_DIR=/usr/local/bin/health
HTTP_PROBE_READINESS_CMD_TIMEOUT_SEC=15
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_HEARTBEAT_INTERVAL=100
ETCD_AUTO_COMPACTION_RETENTION=100
DISARM_ALARM_PEER_INTERVAL=6
ETCD_TRUSTED_CA_FILE=/data/combinedca/cacertbundle.pem
DB_THRESHOLD_PERCENTAGE=70
MONITOR_ALARM_INTERVAL=5
PEER_CERT_AUTH_ENABLED=true
TRUSTED_CA=/data/combinedca/cacertbundle.pem
PEER_CLIENTS_CERTS=/run/sec/certs/peer/srvcert.pem
FIFO_DIR=/fifo
KUBERNETES_PORT_443_TCP_PROTO=tcp
ENTRYPOINT_RESTART_ETCD=true
HTTP_PROBE_NAMESPACE=ztissan
KUBERNETES_PORT_443_TCP_ADDR=
ETCDCTL_CERT=/run/sec/certs/client/clicert.pem
ENTRYPOINT_DCED_PROCESS_INTERVAL=5
ETCD_LOG_LEVEL=debug
ENTRYPOINT_CHECKSNUMBER=60
8889
KUBERNETES_PORT=tcp://:443
POD_NAME=etcd-0
ERIC_PM_SERVER_PORT_9089_TCP_PORT=9089
ERIC_ETCD_SERVICE_PORT=2379
PWD=/
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
HOME=/home/dced
ERIC_ETCD_SERVICE_PORT_CLIENT_PORT_TLS=2379
ETCD_AUTO_COMPACTION_MODE=revision
KUBERNETES_SERVICE_PORT_HTTPS=443
ERIC_ETCD_PORT_2379_TCP_ADDR=
KUBERNETES_PORT_443_TCP_PORT=443
ETCD_LOGGER=zap
PEER_AUTO_TLS_ENABLED=true
ETCD_CERT_FILE=/run/sec/certs/server/srvcert.pem
ETCD_PEER_AUTO_TLS=true
ERIC_ETCD_PORT_2379_TCP_PORT=2379
KUBERNETES_PORT_443_TCP=tcp://:443
ERIC_ETCD_PORT_2379_TCP=tcp://:2379
LISTEN_PEER_URLS=https://0.0.0.0:2380
DEFRAGMENT_PERIODIC_INTERVAL=60
CONTAINER_NAME=etcd
COMPONENT=etcd
ETCD_DATA_DIR=/data
ETCD_CLIENT_CERT_AUTH=true
TERM=xterm
ETCDCTL_ENDPOINTS=etcd.ztissan:2379
HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC=15
ETCD_METRICS=basic
PEER_CLIENT_KEY_FILE=/run/sec/certs/peer/srvprivkey.pem
HTTP_PROBE_CONTAINER_NAME=etcd
GODEBUG=tls13=1
ETCDCTL_API=3
ERIC_ETCD_PORT=tcp://:2379
ETCD_SNAPSHOT_COUNT=5000
ETCD_MAX_WALS=3
SHLVL=1
HTTP_PROBE_POD_NAME=etcd-0
KUBERNETES_SERVICE_PORT=443
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://etcd-0.etcd-peer.ztissan.svc.cluster.local:2380
HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC=15
ETCD_KEY_FILE=/run/sec/certs/server/srvprivkey.pem
ETCD_ELECTION_TIMEOUT=1000
HTTP_PROBE_SERVICE_NAME=etcd
ETCDCTL_CACERT=/data/combinedca/cacertbundle.pem
ETCD_NAME=etcd-0
ETCD_QUOTA_BACKEND_BYTES=268435456
ENTRYPOINT_PIPE_TIMEOUT=5
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ETCD_ADVERTISE_CLIENT_URLS=https://etcd-0.etcd.ztissan:2379
DCED_PORT=2379
KUBERNETES_SERVICE_HOST=
FLAVOUR=etcd-v3.5.7-linux-amd64
ETCDCTL_KEY=/run/sec/certs/client/cliprivkey.pem
_=/usr/bin/env

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

2023-06-02T14:57:40.311883089Z {"message":"The current timezone is UTC","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.311+00:00","version":"1.2.0"}
2023-06-02T14:57:40.319907939Z {"message":"Startup command: /usr/local/bin/health/StartupProbe.sh","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.319+00:00","version":"1.2.0"}
2023-06-02T14:57:40.319935154Z {"message":"Startup commmand timeout value 15 seconds","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.319+00:00","version":"1.2.0"}
2023-06-02T14:57:40.320022235Z {"message":"Readiness command: /usr/local/bin/health/ReadinessProbe.sh","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.319+00:00","version":"1.2.0"}
2023-06-02T14:57:40.320095449Z {"message":"Readiness commmand timeout value 15 seconds","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.320+00:00","version":"1.2.0"}
2023-06-02T14:57:40.320247443Z {"message":"Liveness command: /usr/local/bin/health/LivenessProbe.sh","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.320+00:00","version":"1.2.0"}
2023-06-02T14:57:40.320326277Z {"message":"Liveness commmand timeout value 15 seconds","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.320+00:00","version":"1.2.0"}
2023-06-02T14:57:40.320415316Z {"message":"The http probe service 1.5.0 is ready to listen and serve on :9000","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.320+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346234288Z {"message":"+ getopts cs option","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346314039Z {"message":"+ case \"${option}\" in","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346522082Z {"message":"+ CHECK=true","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346568194Z {"message":"+ getopts cs option","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346611005Z {"message":"+ case \"${option}\" in","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346647224Z {"message":"+ SUICIDE=true","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346688012Z {"message":"+ getopts cs option","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.346723100Z {"message":"+ mkdir -p /data/combinedca/","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.346+00:00","version":"1.2.0"}
2023-06-02T14:57:40.425138435Z {"message":"+ [[ -v SUICIDE ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.424+00:00","version":"1.2.0"}
2023-06-02T14:57:40.425604259Z {"message":"++ ps -ef","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.425+00:00","version":"1.2.0"}
2023-06-02T14:57:40.425653943Z {"message":"++ grep watch_cert","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.425+00:00","version":"1.2.0"}
2023-06-02T14:57:40.425805950Z {"message":"++ grep -v grep","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.425+00:00","version":"1.2.0"}
2023-06-02T14:57:40.429301486Z {"message":"+ [[ -z '' ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.429+00:00","version":"1.2.0"}
2023-06-02T14:57:40.429517679Z {"message":"+ rm -f /data/combinedca/cacertbundle.pem","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.429+00:00","version":"1.2.0"}
2023-06-02T14:57:40.429618524Z {"message":"+ nohup /usr/local/bin/scripts/watch_cert.sh /run/sec/cas/clientca /run/sec/cas/pmca /run/sec/cas/siptlsca","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.429+00:00","version":"1.2.0"}
2023-06-02T14:57:40.430713026Z {"message":"+ [[ ! -s /data/combinedca/cacertbundle.pem ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.430+00:00","version":"1.2.0"}
2023-06-02T14:57:40.430801734Z {"message":"+ awk 1 /run/sec/cas/clientca/client-cacertbundle.pem /run/sec/cas/siptlsca/cacertbundle.pem","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.430+00:00","version":"1.2.0"}
2023-06-02T14:57:40.432971688Z {"message":"+ [[ ! -s /data/combinedca/cacertbundle.pem ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.432+00:00","version":"1.2.0"}
2023-06-02T14:57:40.433048788Z {"message":"+ [[ ! -s /data/combinedca/cacertbundle.pem ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.432+00:00","version":"1.2.0"}
2023-06-02T14:57:40.433118466Z {"message":"+ [[ -v CHECK ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.433+00:00","version":"1.2.0"}
2023-06-02T14:57:40.433222071Z {"message":"+ [[ ! -f /data/combinedca/cacertbundle.pem ]]","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.433+00:00","version":"1.2.0"}
2023-06-02T14:57:40.433295675Z {"message":"Setup peer certs for etcd-0 ","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.433+00:00","version":"1.2.0"}
2023-06-02T14:57:40.433391709Z {"message":"Auto TLS enable , using ETCD auto generated certs for peer communication","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.433+00:00","version":"1.2.0"}
2023-06-02T14:57:40.532124693Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.531+00:00","variable-name":"ETCD_ADVERTISE_CLIENT_URLS","variable-value":"https://etcd-0.etcd.spider3:2379","version":"1.2.0"}
2023-06-02T14:57:40.532173064Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_AUTO_COMPACTION_MODE","variable-value":"revision","version":"1.2.0"}
2023-06-02T14:57:40.532230541Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_AUTO_COMPACTION_RETENTION","variable-value":"100","version":"1.2.0"}
2023-06-02T14:57:40.532290393Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_CERT_FILE","variable-value":"/run/sec/certs/server/srvcert.pem","version":"1.2.0"}
2023-06-02T14:57:40.532348883Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_CLIENT_CERT_AUTH","variable-value":"true","version":"1.2.0"}
2023-06-02T14:57:40.532423774Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_DATA_DIR","variable-value":"/data","version":"1.2.0"}
2023-06-02T14:57:40.532461823Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_ELECTION_TIMEOUT","variable-value":"1000","version":"1.2.0"}
2023-06-02T14:57:40.532524552Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_HEARTBEAT_INTERVAL","variable-value":"100","version":"1.2.0"}
2023-06-02T14:57:40.532579293Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_INITIAL_ADVERTISE_PEER_URLS","variable-value":"https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380","version":"1.2.0"}
2023-06-02T14:57:40.532623744Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_INITIAL_CLUSTER","variable-value":"etcd-0=https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380","version":"1.2.0"}
2023-06-02T14:57:40.532681218Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_INITIAL_CLUSTER_STATE","variable-value":"new","version":"1.2.0"}
2023-06-02T14:57:40.532731491Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_INITIAL_CLUSTER_TOKEN","variable-value":"etcd","version":"1.2.0"}
2023-06-02T14:57:40.532780027Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_KEY_FILE","variable-value":"/run/sec/certs/server/srvprivkey.pem","version":"1.2.0"}
2023-06-02T14:57:40.532836995Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_LISTEN_CLIENT_URLS","variable-value":"https://0.0.0.0:2379","version":"1.2.0"}
2023-06-02T14:57:40.532902896Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_LISTEN_PEER_URLS","variable-value":"https://0.0.0.0:2380","version":"1.2.0"}
2023-06-02T14:57:40.532956146Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_LOG_LEVEL","variable-value":"info","version":"1.2.0"}
2023-06-02T14:57:40.533002550Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.532+00:00","variable-name":"ETCD_LOGGER","variable-value":"zap","version":"1.2.0"}
2023-06-02T14:57:40.533065561Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_MAX_SNAPSHOTS","variable-value":"3","version":"1.2.0"}
2023-06-02T14:57:40.533109094Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_MAX_WALS","variable-value":"3","version":"1.2.0"}
2023-06-02T14:57:40.533156961Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_METRICS","variable-value":"basic","version":"1.2.0"}
2023-06-02T14:57:40.533206629Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_NAME","variable-value":"etcd-0","version":"1.2.0"}
2023-06-02T14:57:40.533252146Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_PEER_AUTO_TLS","variable-value":"true","version":"1.2.0"}
2023-06-02T14:57:40.533316465Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_QUOTA_BACKEND_BYTES","variable-value":"268435456","version":"1.2.0"}
2023-06-02T14:57:40.533377769Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_SNAPSHOT_COUNT","variable-value":"5000","version":"1.2.0"}
2023-06-02T14:57:40.533414350Z {"caller":"flags/flag.go:113","message":"recognized and used environment variable","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","variable-name":"ETCD_TRUSTED_CA_FILE","variable-value":"/data/combinedca/cacertbundle.pem","version":"1.2.0"}
2023-06-02T14:57:40.533524832Z {"args":["/usr/local/bin/etcd"],"caller":"etcdmain/etcd.go:73","message":"Running: ","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.533607997Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"auth_successful","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.533677042Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"cert_watcher.txt","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.533825720Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"combinedca","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.533895896Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"etcd.liveness","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534042861Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"fixtures","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.533+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534098248Z {"caller":"etcdmain/etcd.go:446","data-dir":"/data","filename":"lost+found","message":"found invalid file under data directory","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"warning","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534163014Z {"caller":"etcdmain/etcd.go:116","data-dir":"/data","dir-type":"member","message":"server has been already initialized","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534209953Z {"caller":"embed/etcd.go:124","listen-peer-urls":["https://0.0.0.0:2380"],"message":"configuring peer listeners","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534339542Z {"caller":"embed/etcd.go:484","cipher-suites":[],"message":"starting with peer TLS","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.534+00:00","tls-info":"cert = /data/fixtures/peer/cert.pem, key = /data/fixtures/peer/key.pem, client-cert=/data/fixtures/peer/cert.pem, client-key=/data/fixtures/peer/key.pem, trusted-ca = , client-cert-auth = false, crl-file = ","version":"1.2.0"}
2023-06-02T14:57:40.534429623Z {"advertise-client-urls":["https://etcd-0.etcd.spider3:2379"],"advertise-peer-urls":["https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380"],"caller":"embed/etcd.go:373","data-dir":"/data","message":"closing etcd server","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"name":"etcd-0","service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534508748Z {"advertise-client-urls":["https://etcd-0.etcd.spider3:2379"],"advertise-peer-urls":["https://etcd-0.etcd-peer.spider3.svc.cluster.local:2380"],"caller":"embed/etcd.go:375","data-dir":"/data","message":"closed etcd server","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"name":"etcd-0","service_id":"etcd","severity":"info","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}
2023-06-02T14:57:40.534567414Z {"caller":"etcdmain/etcd.go:204","error":"tls: failed to find any PEM data in key input","message":"discovery failed","metadata":{"container_name":"etcd","namespace":"spider3","pod_name":"etcd-0"},"service_id":"etcd","severity":"critical","stacktrace":"go.etcd.io/etcd/server/v3/etcdmain.startEtcdOrProxyV2\n\tgo.etcd.io/etcd/server/v3/etcdmain/etcd.go:204\ngo.etcd.io/etcd/server/v3/etcdmain.Main\n\tgo.etcd.io/etcd/server/v3/etcdmain/main.go:40\nmain.main\n\tgo.etcd.io/etcd/server/v3/main.go:32\nruntime.main\n\truntime/proc.go:255","timestamp":"2023-06-02T14:57:40.534+00:00","version":"1.2.0"}

IamSatyaonline · 2023-06-06T10:22:01Z

IamSatyaonline
Jun 6, 2023
Author

Hi @ahrtr
ETCD service is not getting up and failing with error 'tls: failed to find any PEM data in key input'. Could you please help us here to resolve this issue. It's intermittent issue.

Thanks and Regards,
Satya

0 replies

tjungblu · 2023-06-06T16:35:54Z

tjungblu
Jun 6, 2023
Collaborator

failed to find any PEM data in key input

I'd recommend that you check that your PEM files all can be properly loaded. You can also use openssl for that, it should give similar error messages.

4 replies

jmhbnz Jun 6, 2023
Maintainer

Hey @IamSatyaonline - Please start by verifying certificates on disk as mentioned above, something like openssl x509 -in cert.pem -text -noout should work.

IamSatyaonline Jun 7, 2023
Author

Hi @jmhbnz
We have checked this key.pem file which is having incorrect or incomplete data. But it's difficult to run openssl command now on our deployment.
ETCD uses the key file /data/fixtures/peer/key.pem which is the self sign certificate files and ETCD internally create it. May i know what is the reason of having this file incomplete or corrupted ?

Thanks,
Satya

jmhbnz Jun 7, 2023
Maintainer

Hey @IamSatyaonline - Thanks for narrowing it down to the file corruption. There are a ton of reasons why a file on a disk can become corrupted.

My next question would be, can you replicate the issue? If you can, then please update this discussion with a detailed breakdown of what steps you took to arrive at a corrupted certificate file.

IamSatyaonline Jun 7, 2023
Author

Hi @jmhbnz
The issue is rarely reproducible. As per our analysis the self sign certificates which is being used for peer certificates was having incomplete data in key.pem file. As we have the flag Auto_TLS as below which is true in our deployment to enable the use of self sign certificates for peer communication.
PEER_AUTO_TLS_ENABLED=true
ETCD_PEER_AUTO_TLS=true

Thanks,
Satya

IamSatyaonline · 2023-08-25T13:48:52Z

IamSatyaonline
Aug 25, 2023
Author

Hi @jmhbnz
We are again able to see this issue in our deployment wherever we are using ETCD-3.5.5. Below is the error for the same.
2023-08-25T06:28:41.609066688Z {"caller":"etcdmain/etcd.go:204","error":"tls: failed to find any PEM data in key input","message":"discovery failed","metadata":{"container_name":"etcd","namespace":"staging1","pod_name":"etcd-0"},"service_id":"etcd","severity":"critical","stacktrace":"go.etcd.io/etcd/server/v3/etcdmain.startEtcdOrProxyV2\n\tgo.etcd.io/etcd/server/v3/etcdmain/etcd.go:204\ngo.etcd.io/etcd/server/v3/etcdmain.Main\n\tgo.etcd.io/etcd/server/v3/etcdmain/main.go:40\nmain.main\n\tgo.etcd.io/etcd/server/v3/main.go:32\nruntime.main\n\truntime/proc.go:255","timestamp":"2023-08-25T06:28:41.609+00:00","version":"1.2.0"}

This issue is coming 2 times out of 10.
Could you please help us to fix this issue ?

Thanks,
Satya

10 replies

IamSatyaonline Sep 19, 2023
Author

#Hi @jmhbnz
We are deploying ETCD with 3 replicas in TLS enabled mode. We have seen this issue 3 times in 10 deployments.
Below is the details of ETCD :


$ etcd --version
etcd Version: 3.5.3
Git SHA: 0452feec7
Go Version: go1.16.15
Go OS/Arch: linux/amd64
$ etcdctl version
etcdctl version: 3.5.3
API version: 3.5

Below is the env variables we are using in our environment.


BOOTSTRAP_ENABLED=false
VALID_PARAMETERS=valid
ETCD_INITIAL_CLUSTER_TOKEN=etcd
TLS_ENABLED=true
ETCD_MAX_SNAPSHOTS=3
CLIENT_PORTS=2379
TZ=UTC
HOSTNAME=etcd-1
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_HEARTBEAT_INTERVAL=100
ETCD_AUTO_COMPACTION_RETENTION=100
DISARM_ALARM_PEER_INTERVAL=6
ETCD_TRUSTED_CA_FILE=/data/combinedca/cacertbundle.pem
PEER_CERT_AUTH_ENABLED=true
MONITOR_ALARM_INTERVAL=5
TRUSTED_CA=/data/combinedca/cacertbundle.pem
PEER_CLIENTS_CERTS=/run/sec/certs/peer/srvcert.pem
ETCDCTL_CERT=/run/sec/certs/client/clicert.pem
DEFRAGMENT_ENABLE=true
ENTRYPOINT_DCED_PROCESS_INTERVAL=5
ETCD_LOG_LEVEL=debug
ENTRYPOINT_CHECKSNUMBER=60
PWD=/
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
HOME=/home/dced
ETCD_AUTO_COMPACTION_MODE=revision
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP_PORT=443
ETCD_DEBUG=false
PEER_AUTO_TLS_ENABLED=true
ETCD_CERT_FILE=/run/sec/certs/server/srvcert.pem
ETCD_FIFO_DIR=/fifo
ETCD_PEER_AUTO_TLS=true
DEFRAGMENT_PERIODIC_INTERVAL=60
COMPONENT=etcd
ETCD_DATA_DIR=/data
ETCD_LOG_PACKAGE_LEVELS=etcdserver=INFO,security=INFO
ETCD_CLIENT_CERT_AUTH=true
TERM=xterm
ETCDCTL_ENDPOINTS=etcd.ztissan:2379
ETCD_METRICS=basic
PEER_CLIENT_KEY_FILE=/run/sec/certs/peer/srvprivkey.pem
GODEBUG=tls13=1
ETCDCTL_API=3
ETCD_SNAPSHOT_COUNT=5000
ETCD_MAX_WALS=3
SHLVL=1
KUBERNETES_SERVICE_PORT=443
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://etcd-1.etcd-peer.ztissan.svc.cluster.local:2380
ETCD_KEY_FILE=/run/sec/certs/server/srvprivkey.pem
ETCD_ENABLE_V2=false
ETCD_ELECTION_TIMEOUT=1000
ETCDCTL_CACERT=/data/combinedca/cacertbundle.pem
ETCD_NAME=etcd-1
ETCD_QUOTA_BACKEND_BYTES=268435456
ENTRYPOINT_PIPE_TIMEOUT=5
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ETCD_ADVERTISE_CLIENT_URLS=https://etcd-1.etcd.ztissan:2379
KUBERNETES_SERVICE_HOST=0.0.0.0
FLAVOUR=etcd-v3.5.3-linux-amd64
ETCDCTL_KEY=/run/

The issue is rarely reproducible. As per our investigation the self sign certificates which is being used for peer communication is having incomplete data in key.pem file. which is causing this issue. So We came to the conclusion that if we use the CA signed peer certificates instead of self sign peer certificates , this issue would get fixed.
As There is the ETCD flag Auto_TLS as below which is used to turn off/on the use of self sign certificates for peer communication.
PEER_AUTO_TLS_ENABLED=true
ETCD_PEER_AUTO_TLS=true

Could you please confirm if that is the correct and valid fix ?

Thanks,
Satya

tjungblu Sep 19, 2023
Collaborator

I think you guys have some faulty hardware at play, it seems highly unlikely that 3/10 certs would come out half-way corrupted. Can you run etcd on another server?

IamSatyaonline Oct 11, 2023
Author

Hi @tjungblu
We could see this issue on another deployment. Seems it's not the hardware specific issue. Could you please share your thoughts here.

Thanks,
Satya

IamSatyaonline Oct 12, 2023
Author

Hi @ahrtr
Could you please help us to find the root cause of this issue. We have seen this issue in another deployment and we think that it's not the hardware specific issue. Do you see that it's hardware issue ?

Thanks,
Satya

IamSatyaonline Nov 7, 2023
Author

Hi,
We could see this issue again on our deployment. Seems it's not the hardware specific issue. Could you please share your thoughts here.

Thanks,
Satya

IamSatyaonline · 2024-02-07T08:21:42Z

IamSatyaonline
Feb 7, 2024
Author

Hi,
This issue is frequently coming in ETCD-3.5.x releases. Could you please help us here and share your thoughts here.

Thanks,
Satya

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to start ETCD and failing with error 'tls: failed to find any PEM data in key input' #16024

{{title}}

paste your configuration here

Replies: 4 comments 14 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Unable to start ETCD and failing with error 'tls: failed to find any PEM data in key input' #16024

IamSatyaonline Jun 6, 2023

Bug report criteria

What happened?

What did you expect to happen?

How can we reproduce it (as minimally and precisely as possible)?

Anything else we need to know?

Etcd version (please run commands below)

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

Relevant log output

Replies: 4 comments · 14 replies

IamSatyaonline Jun 6, 2023 Author

tjungblu Jun 6, 2023 Collaborator

jmhbnz Jun 6, 2023 Maintainer

IamSatyaonline Jun 7, 2023 Author

jmhbnz Jun 7, 2023 Maintainer

IamSatyaonline Jun 7, 2023 Author

IamSatyaonline Aug 25, 2023 Author

IamSatyaonline Sep 19, 2023 Author

tjungblu Sep 19, 2023 Collaborator

IamSatyaonline Oct 11, 2023 Author

IamSatyaonline Oct 12, 2023 Author

IamSatyaonline Nov 7, 2023 Author

IamSatyaonline Feb 7, 2024 Author

IamSatyaonline
Jun 6, 2023

Replies: 4 comments 14 replies

IamSatyaonline
Jun 6, 2023
Author

tjungblu
Jun 6, 2023
Collaborator

jmhbnz Jun 6, 2023
Maintainer

IamSatyaonline Jun 7, 2023
Author

jmhbnz Jun 7, 2023
Maintainer

IamSatyaonline Jun 7, 2023
Author

IamSatyaonline
Aug 25, 2023
Author

IamSatyaonline Sep 19, 2023
Author

tjungblu Sep 19, 2023
Collaborator

IamSatyaonline Oct 11, 2023
Author

IamSatyaonline Oct 12, 2023
Author

IamSatyaonline Nov 7, 2023
Author

IamSatyaonline
Feb 7, 2024
Author