Keto CLI TLS issues

[dmitry-exposure]

Hi, I am starting out with Keto and can't seem to get TLS to work. It's probably me doing something wrong so would appreciate any suggestions.

I am on MacOS and got keto v0.14.0 via Homebrew tap as per documentation.

I have generated certificate and key with:

openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout ory.key \
  -out ory.crt \
  -days 365 \
  -subj "/CN=localhost"

I then run it with: keto serve -c keto.yml. Here is my keto.yml:

dsn: memory

namespaces:
  - id: 1
    name: member

serve:
  read:
    host: 127.0.0.1
    port: 4466
    tls:
      cert:
        path: ./ory.crt
      key:
        path: ./ory.key

  write:
    host: 127.0.0.1
    port: 4467
    tls:
      cert:
        path: ./ory.crt
      key:
        path: ./ory.key

It seems to be running fine. But no matter what i do I always get the TLS error:

# keto status --read-remote localhost:4466
Unable to get a check response: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: EOF"

It does work without transport security:

# keto status --read-remote localhost:4466 --insecure-disable-transport-security
SERVING

There must be something obvious that I'm missing.

[vinckr]

Hello @dmitry-exposure

Some tips that might help with debugging:

The error you see (transport: authentication handshake failed: EOF) typically means the client (in this case, the keto CLI) is trying to connect without using TLS, while the server expects a TLS handshake.

Make sure you are using https:// in your client commands. For example: keto status --read-remote https://localhost:4466 If you use localhost:4466 without the https:// scheme, the client may default to plain HTTP, causing the handshake to fail.

Looking at your last command it confirms that server is running, but the client and server are not agreeing on the protocol when TLS is enabled.

Double-check that the certificate and key files are readable by the Keto process and that their paths are correct.