TLS issues are notoriously difficult to debug. I’m unaware of any shortcut here.
If I change the TLS configuration here to

```yaml
tls:
  internode:
    server:
      requireClientAuth: true
      certFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.pem
      keyFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.key
      clientCaFiles:
        - /etc/temporal/config/certs/cluster/ca/server-intermediate-ca.pem
    client:
      serverName: internode.cluster-x.contoso.com
      rootCaFiles:
        - /etc/temporal/config/certs/cluster/ca/server-intermediate-ca.pem
  frontend:
    server:
      requireClientAuth: true
      certFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.pem
      keyFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.key
      clientCaFiles:
        - /etc/temporal/config/certs/cluster/ca/server-intermediate-ca.pem
  systemWorker:
    certFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.pem
    keyFile: /etc/temporal/config/certs/cluster/internode/cluster-internode.key
    client:
      serverName: internode.cluster-x.contoso.com
      rootCaFiles:
        - /etc/temporal/config/certs/cluster/ca/server-intermediate-ca.pem
```
I’m able to start Temporal with `bash start-temporal.sh` (after generating certs with `bash generate-cert.sh`), and I see in the server log:

```
"temporal-sys-history-scanner-workflow workflow successfully started","service":"worker","logging-call-at":"scanner.go:186"
```
If I remove the `systemWorker:` section, Temporal is failing to start with the following error in the log, as expected:

```
"error starting scanner","service":"worker","error":"context deadline exceeded","logging-call-at":"service.go:242"
```
That’s why I suggested above to add a `systemWorker:` section to your config.
I wonder what’s the delta between my config and yours. I’m not seeing any. Even if I add an (unnecessary with `systemWorker:`) `client:` section within `frontend:`, Temporal still starts fine for me.
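The config above reuses one internode certificate as the frontend server cert and as the systemWorker client cert, so that cert must chain to the CA in `clientCaFiles`, carry the clientAuth extended key usage, and list the configured `serverName` as a SAN; the example below (added here, not code from the post or from Temporal) reproduces those three checks with Go's `crypto/x509` on constructed in-memory certificates, showing a serverAuth-only cert being rejected as a client and a `serverName` mismatch being rejected by the client side. The CA name, hostnames and the `issue`/`verifyAs` helpers are assumptions made for the example; Temporal's own TLS wiring is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds an in-memory certificate (constructed test data): a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtKeyUsage: eku, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAs mirrors the check each side of an mTLS connection makes: the server verifies the peer cert for ClientAuth
// against clientCaFiles; the client verifies the server cert for ServerAuth against rootCaFiles and requires serverName among its SANs ("" skips the name check).
func verifyAs(cert, ca *x509.Certificate, role x509.ExtKeyUsage, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

func main() {
	ca, caKey := issue("constructed-intermediate-ca", nil, nil)
	// dual plays both roles, like the posted config's internode cert; serverOnly lacks the clientAuth EKU.
	dual, _ := issue("internode.cluster-x.contoso.com", ca, caKey, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	serverOnly, _ := issue("internode.cluster-x.contoso.com", ca, caKey, x509.ExtKeyUsageServerAuth)
	fmt.Println("dual-use cert as client:       ", verifyAs(dual, ca, x509.ExtKeyUsageClientAuth, ""))
	fmt.Println("serverAuth-only cert as client:", verifyAs(serverOnly, ca, x509.ExtKeyUsageClientAuth, ""))
	fmt.Println("serverName mismatch:           ", verifyAs(dual, ca, x509.ExtKeyUsageServerAuth, "frontend.cluster-x.contoso.com"))
}
```

Running the same checks against the real PEM files from the config (parsed with `x509.ParseCertificate` after `pem.Decode`) is a quick way to narrow a "context deadline exceeded" from the system worker down to the CA, the EKU or the `serverName` before touching the cluster.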