Error "selfSignedCertValidity is invalid..." in 3.5.0 when enabling auto-tls #13235

Closed
rafariossaa opened this issue Jul 22, 2021 · 3 comments

@rafariossaa

Hi,
Maybe this is not a real issue and I am missing something. I read the docs but I could not find if I am missing something on this.

When I enabled peer-transport-security.auto-tls in the sample config file I got this message: "selfSignedCertValidity is invalid,it should be greater than 0" but this doesn't happen when doing the same in 3.4.16.

This is what I did:

  • I downloaded and untarred the files:
https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
https://github.com/etcd-io/etcd/releases/download/v3.4.16/etcd-v3.4.16-linux-amd64.tar.gz
  • Run etcd 3.4.16:
$ cd etcd-v3.4.16-linux-amd64
$ wget https://raw.githubusercontent.com/etcd-io/etcd/release-3.4/etcd.conf.yml.sample -O etcd.conf.yml.sample_34

$ cp etcd.conf.yml.sample_34 etcd.conf.yml

... edited the file etcd.conf.yaml to enable auto-tls ...

$ diff etcd.conf.yml etcd.conf.yml.sample_34
126c126
<   auto-tls: true
---
>   auto-tls: false


$ ./etcd --version
etcd Version: 3.4.16
Git SHA: d19fbe541
Go Version: go1.12.17
Go OS/Arch: linux/amd64

$ ./etcd --config-file etcd.conf.yml 
{"level":"info","ts":"2021-07-22T12:00:25.125+0200","caller":"etcdmain/config.go:308","msg":"loaded server configuration, other configuration command line flags and environment variables will be ignored if provided","path":"etcd.conf.yml"}
{"level":"warn","ts":"2021-07-22T12:00:25.126+0200","caller":"etcdmain/etcd.go:119","msg":"'data-dir' was empty; using default","data-dir":"default.etcd"}
{"level":"info","ts":"2021-07-22T12:00:25.126+0200","caller":"embed/etcd.go:117","msg":"configuring peer listeners","listen-peer-urls":["http://localhost:2380"]}
{"level":"info","ts":"2021-07-22T12:00:25.161+0200","caller":"transport/listener.go:207","msg":"created cert file","path":"default.etcd/fixtures/peer/cert.pem"}
{"level":"info","ts":"2021-07-22T12:00:25.161+0200","caller":"transport/listener.go:228","msg":"created key file","path":"default.etcd/fixtures/peer/key.pem"}
{"level":"info","ts":"2021-07-22T12:00:25.161+0200","caller":"embed/etcd.go:469","msg":"starting with peer TLS","tls-info":"cert = default.etcd/fixtures/peer/cert.pem, key = default.etcd/fixtures/peer/key.pem, trusted-ca = , client-cert-auth = false, crl-file = ","cipher-suites":[]}
{"level":"warn","ts":"2021-07-22T12:00:25.161+0200","caller":"embed/etcd.go:506","msg":"scheme is HTTP while key and cert files are present; ignoring key and cert files","peer-url":"http://localhost:2380"}
{"level":"info","ts":"2021-07-22T12:00:25.161+0200","caller":"embed/etcd.go:127","msg":"configuring client listeners","listen-client-urls":["http://localhost:2379"]}
{"level":"info","ts":"2021-07-22T12:00:25.161+0200","caller":"embed/etcd.go:606","msg":"pprof is enabled","path":"/debug/pprof"}
{"level":"info","ts":"2021-07-22T12:00:25.162+0200","caller":"embed/etcd.go:303","msg":"starting an etcd server","etcd-version":"3.4.16","git-sha":"d19fbe541","go-version":"go1.12.17","go-os":"linux","go-arch":"amd64","max-cpu-set":12,"max-cpu-available":12,"member-initialized":false,"name":"default","data-dir":"default.etcd","wal-dir":"","wal-dir-dedicated":"","member-dir":"default.etcd/member","force-new-cluster":false,"heartbeat-interval":"100ms","election-timeout":"1s","initial-election-tick-advance":true,"snapshot-count":10000,"snapshot-catchup-entries":5000,"initial-advertise-peer-urls":["http://localhost:2380"],"listen-peer-urls":["http://localhost:2380"],"advertise-client-urls":["http://localhost:2379"],"listen-client-urls":["http://localhost:2379"],"listen-metrics-urls":[],"cors":["*"],"host-whitelist":["*"],"initial-cluster":"default=http://localhost:2380","initial-cluster-state":"new","initial-cluster-token":"etcd-cluster","quota-size-bytes":2147483648,"pre-vote":false,"initial-corrupt-check":false,"corrupt-check-time-interval":"0s","auto-compaction-mode":"periodic","auto-compaction-retention":"1h0m0s","auto-compaction-interval":"1h0m0s","discovery-url":"","discovery-proxy":""}
{"level":"info","ts":"2021-07-22T12:00:25.168+0200","caller":"etcdserver/backend.go:80","msg":"opened backend db","path":"default.etcd/member/snap/db","took":"5.92221ms"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"etcdserver/raft.go:486","msg":"starting local member","local-member-id":"8e9e05c52164694d","cluster-id":"cdf818194e3a8c32"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"raft/raft.go:1530","msg":"8e9e05c52164694d switched to configuration voters=()"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"raft/raft.go:700","msg":"8e9e05c52164694d became follower at term 0"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"raft/raft.go:383","msg":"newRaft 8e9e05c52164694d [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"raft/raft.go:700","msg":"8e9e05c52164694d became follower at term 1"}
{"level":"info","ts":"2021-07-22T12:00:25.191+0200","caller":"raft/raft.go:1530","msg":"8e9e05c52164694d switched to configuration voters=(10276657743932975437)"}
{"level":"warn","ts":"2021-07-22T12:00:25.198+0200","caller":"auth/store.go:1366","msg":"simple token is not cryptographically signed"}
{"level":"info","ts":"2021-07-22T12:00:25.208+0200","caller":"etcdserver/quota.go:98","msg":"enabled backend quota with default value","quota-name":"v3-applier","quota-size-bytes":2147483648,"quota-size":"2.1 GB"}
{"level":"info","ts":"2021-07-22T12:00:25.264+0200","caller":"etcdserver/server.go:803","msg":"starting etcd server","local-member-id":"8e9e05c52164694d","local-server-version":"3.4.16","cluster-version":"to_be_decided"}
{"level":"info","ts":"2021-07-22T12:00:25.265+0200","caller":"etcdserver/server.go:669","msg":"started as single-node; fast-forwarding election ticks","local-member-id":"8e9e05c52164694d","forward-ticks":9,"forward-duration":"900ms","election-ticks":10,"election-timeout":"1s"}
{"level":"info","ts":"2021-07-22T12:00:25.266+0200","caller":"raft/raft.go:1530","msg":"8e9e05c52164694d switched to configuration voters=(10276657743932975437)"}
{"level":"info","ts":"2021-07-22T12:00:25.266+0200","caller":"membership/cluster.go:392","msg":"added member","cluster-id":"cdf818194e3a8c32","local-member-id":"8e9e05c52164694d","added-peer-id":"8e9e05c52164694d","added-peer-peer-urls":["http://localhost:2380"]}
{"level":"info","ts":"2021-07-22T12:00:25.282+0200","caller":"embed/etcd.go:580","msg":"serving peer traffic","address":"127.0.0.1:2380"}
{"level":"info","ts":"2021-07-22T12:00:25.282+0200","caller":"embed/etcd.go:245","msg":"now serving peer/client/metrics","local-member-id":"8e9e05c52164694d","initial-advertise-peer-urls":["http://localhost:2380"],"listen-peer-urls":["http://localhost:2380"],"advertise-client-urls":["http://localhost:2379"],"listen-client-urls":["http://localhost:2379"],"listen-metrics-urls":[]}
{"level":"info","ts":"2021-07-22T12:00:25.391+0200","caller":"raft/raft.go:923","msg":"8e9e05c52164694d is starting a new election at term 1"}
{"level":"info","ts":"2021-07-22T12:00:25.391+0200","caller":"raft/raft.go:713","msg":"8e9e05c52164694d became candidate at term 2"}
{"level":"info","ts":"2021-07-22T12:00:25.392+0200","caller":"raft/raft.go:824","msg":"8e9e05c52164694d received MsgVoteResp from 8e9e05c52164694d at term 2"}
{"level":"info","ts":"2021-07-22T12:00:25.392+0200","caller":"raft/raft.go:765","msg":"8e9e05c52164694d became leader at term 2"}
{"level":"info","ts":"2021-07-22T12:00:25.392+0200","caller":"raft/node.go:325","msg":"raft.node: 8e9e05c52164694d elected leader 8e9e05c52164694d at term 2"}
{"level":"info","ts":"2021-07-22T12:00:25.392+0200","caller":"etcdserver/server.go:2528","msg":"setting up initial cluster version","cluster-version":"3.4"}
{"level":"info","ts":"2021-07-22T12:00:25.395+0200","caller":"membership/cluster.go:558","msg":"set initial cluster version","cluster-id":"cdf818194e3a8c32","local-member-id":"8e9e05c52164694d","cluster-version":"3.4"}
{"level":"info","ts":"2021-07-22T12:00:25.395+0200","caller":"api/capability.go:76","msg":"enabled capabilities for version","cluster-version":"3.4"}
{"level":"info","ts":"2021-07-22T12:00:25.395+0200","caller":"etcdserver/server.go:2037","msg":"published local member to cluster through raft","local-member-id":"8e9e05c52164694d","local-member-attributes":"{Name:default ClientURLs:[http://localhost:2379]}","request-path":"/0/members/8e9e05c52164694d/attributes","cluster-id":"cdf818194e3a8c32","publish-timeout":"7s"}
{"level":"info","ts":"2021-07-22T12:00:25.395+0200","caller":"etcdserver/server.go:2560","msg":"cluster version is updated","cluster-version":"3.4"}
{"level":"info","ts":"2021-07-22T12:00:25.397+0200","caller":"embed/serve.go:139","msg":"serving client traffic insecurely; this is strongly discouraged!","address":"127.0.0.1:2379"}

I got the server up and running without issues.
Stopped it.

  • Run etcd 3.5.0:
$ cd etcd-v3.5.0-linux-amd64
$ wget https://raw.githubusercontent.com/etcd-io/etcd/release-3.5/etcd.conf.yml.sample -O etcd.conf.yml.sample_35
$ cp etcd.conf.yml.sample_35 etcd.conf.yml 

... edited the file etcd.conf.yaml to enable auto-tls ...

$ diff etcd.conf.yml etcd.conf.yml.sample_35 
126c126
<   auto-tls: true
---
>   auto-tls: false


$ ./etcd --version
etcd Version: 3.5.0
Git SHA: 946a5a6f2
Go Version: go1.16.3
Go OS/Arch: linux/amd64

$ ./etcd --config-file etcd.conf.yml 
{"level":"info","ts":"2021-07-22T12:03:56.862+0200","caller":"etcdmain/config.go:337","msg":"loaded server configuration, other configuration command line flags and environment variables will be ignored if provided","path":"etcd.conf.yml"}
{"level":"info","ts":"2021-07-22T12:03:56.863+0200","caller":"etcdmain/etcd.go:72","msg":"Running: ","args":["./etcd","--config-file","etcd.conf.yml"]}
{"level":"warn","ts":"2021-07-22T12:03:56.863+0200","caller":"etcdmain/etcd.go:104","msg":"'data-dir' was empty; using default","data-dir":"default.etcd"}
{"level":"info","ts":"2021-07-22T12:03:56.863+0200","caller":"embed/etcd.go:131","msg":"configuring peer listeners","listen-peer-urls":["http://localhost:2380"]}
{"level":"warn","ts":"2021-07-22T12:03:56.864+0200","caller":"transport/listener.go:189","msg":"cannot generate cert","error":"selfSignedCertValidity is invalid,it should be greater than 0"}
{"level":"fatal","ts":"2021-07-22T12:03:56.865+0200","caller":"embed/etcd.go:475","msg":"failed to get peer self-signed certs","error":"selfSignedCertValidity is invalid,it should be greater than 0","stacktrace":"go.etcd.io/etcd/server/v3/embed.configurePeerListeners\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/embed/etcd.go:475\ngo.etcd.io/etcd/server/v3/embed.StartEtcd\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/embed/etcd.go:135\ngo.etcd.io/etcd/server/v3/etcdmain.startEtcd\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/etcdmain/etcd.go:227\ngo.etcd.io/etcd/server/v3/etcdmain.startEtcdOrProxyV2\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/etcdmain/etcd.go:134\ngo.etcd.io/etcd/server/v3/etcdmain.Main\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/etcdmain/main.go:40\nmain.main\n\t/tmp/etcd-release-3.5.0/etcd/release/etcd/server/main.go:32\nruntime.main\n\t/home/remote/sbatsche/.gvm/gos/go1.16.3/src/runtime/proc.go:225"}
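
The TLS-relevant lines in the two runs above can be picked out mechanically: the 3.4.16 log itself says the generated peer cert and key were ignored because the peer URL scheme is HTTP, and the plaintext client listener is reported only at info level. An added example (not etcd's code and not the reporter's): a Go triage over etcd JSON log lines, where the `Triage` function, the finding labels and the abridged sample lines are constructions of this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: three lines abridged from the logs quoted in this issue.
const sampleLog = `{"level":"warn","caller":"embed/etcd.go:506","msg":"scheme is HTTP while key and cert files are present; ignoring key and cert files","peer-url":"http://localhost:2380"}
{"level":"info","caller":"embed/serve.go:139","msg":"serving client traffic insecurely; this is strongly discouraged!","address":"127.0.0.1:2379"}
{"level":"fatal","caller":"embed/etcd.go:475","msg":"failed to get peer self-signed certs","error":"selfSignedCertValidity is invalid,it should be greater than 0"}`

type entry struct {
	Level string `json:"level"`
	Msg   string `json:"msg"`
}

// rules maps a substring of msg to a finding label (labels are this example's own).
var rules = []struct{ needle, finding string }{
	{"ignoring key and cert files", "peer-tls-ignored"},
	{"serving client traffic insecurely", "client-plaintext"},
	{"failed to get peer self-signed certs", "auto-tls-cert-failed"},
}

// Triage returns "finding [level]" for every matching log line, in input order.
func Triage(log string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // etcd startup lines are long
	for sc.Scan() {
		var e entry
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // skip shell prompts, diff output and other non-JSON lines
		}
		for _, r := range rules {
			if strings.Contains(e.Msg, r.needle) {
				out = append(out, fmt.Sprintf("%s [%s]", r.finding, e.Level))
			}
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Triage(sampleLog), "\n"))
}
```

Matching on the message rather than on `level` matters here, since a filter for warn and above would miss the plaintext client listener.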
@spzala
Member

spzala commented Jul 28, 2021

@rafariossaa thanks for reporting. Closing this issue per the discussion in the PR. You can continue going by setting the flag in the conf file. We will be backporting it. @tangcong thanks for the quick fix!

@spzala spzala closed this as completed Jul 28, 2021
@rafariossaa
Author

@spzala Thanks!

@rafariossaa
Author

Any ETA for the backport?
