[yugabyted] Cannot start YugabyteDB webserver with TLS using --secure flag #29525

@pasquale95

Jira Link: DB-19341

Description

Hi,
I'm experiencing the following issue when trying to use yugabyted to start a Yugabyte DB on my machine. I have tried both on macOS and Linux, the result is the same.
If I run the following command:

bin/yugabyted start \
--base_dir /var/data \
--advertise_address localhost \
--master_flags rpc_bind_addresses=0.0.0.0:7100,webserver_interface=0.0.0.0,minloglevel=0,stderrthreshold=0,allow_insecure_connections=false,use_client_to_server_encryption=true,use_node_to_node_encryption=true,webserver_ca_certificate_file=/var/tls/ca.crt,webserver_certificate_file=/var/tls/node.localhost.crt,webserver_private_key_file=/var/tls/node.localhost.key,webserver_redirect_http_to_https=true \
--master_webserver_port 7001 \
--master_rpc_port 7100 \
--tserver_webserver_port 9000 \
--tserver_rpc_port 9100 \
--tserver_flags pgsql_proxy_bind_address=0.0.0.0:5435,cql_proxy_bind_address=0.0.0.0:9042,redis_proxy_bind_address=0.0.0.0:6379,rpc_bind_addresses=0.0.0.0:9100,webserver_interface=0.0.0.0,webserver_port=9000,pgsql_proxy_webserver_port=13000,cql_proxy_webserver_port=12000,redis_proxy_webserver_port=11000,minloglevel=0,stderrthreshold=0,allow_insecure_connections=false,use_client_to_server_encryption=true,use_node_to_node_encryption=true,webserver_ca_certificate_file=/var/tls/ca.crt,webserver_certificate_file=/var/tls/node.localhost.crt,webserver_private_key_file=/var/tls/node.localhost.key,webserver_redirect_http_to_https=true \
--ysql_port 5435 \
--ycql_port 9042 \
--callhome false \
--fault_tolerance none \
--background false \
--initial_scripts_dir /var/ybinit \
--certs_dir /var/tls \
--secure

I get the error:

[yugabyted start] 2025-11-27 17:06:29,146 ERROR:  | 48.0s | Other error occurred while checking for security of leader master: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>

The error happens because yugabyted polls an HTTP URL (see here) even if I run the master with the flags:

webserver_ca_certificate_file=/var/tls/ca.crt,webserver_certificate_file=/var/tls/node.localhost.crt,webserver_private_key_file=/var/tls/node.localhost.key,webserver_redirect_http_to_https=true

If I remove the --secure flag, yugabyted hangs for some time and eventually fails.

Does this mean that I cannot run yugabyted enabling TLS also on the webserver interface?

Warning: Please confirm that this issue does not contain any sensitive information

  • I confirm this issue does not contain any sensitive information.
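
An added example (not yugabyted's code and not part of the issue): a small Python probe for checking the TLS-enabled master web UI from the command above, once against the system trust store and once against the cluster CA, with certificate verification left on in both cases. Port 7001 and `/var/tls/ca.crt` are taken from the command in the issue; the `/` URL path, the function names and the category labels are assumptions made for this example.

```python
import ssl
import urllib.error
import urllib.request

# OpenSSL X509 verify codes mapped to an operator-facing cause (subset).
VERIFY_CAUSES = {
    10: "certificate expired",
    18: "self-signed leaf certificate not in trust store",
    19: "self-signed CA in chain not in trust store",
    20: "issuing CA not in trust store",  # "unable to get local issuer certificate"
    62: "hostname does not match certificate",
}

def build_context(ca_file=None):
    """Verifying TLS context. With ca_file, only that PEM bundle is trusted."""
    return ssl.create_default_context(cafile=ca_file)

def classify(exc):
    """Map a failure from urlopen to (category, detail)."""
    # URLError wraps the underlying socket/TLS exception in .reason.
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        code = getattr(reason, "verify_code", None)
        return ("tls-trust", VERIFY_CAUSES.get(code, "verify code %s" % code))
    if isinstance(reason, ssl.SSLError):
        return ("tls-other", str(reason))
    if isinstance(exc, urllib.error.HTTPError):
        return ("http", "status %d" % exc.code)
    if isinstance(reason, FileNotFoundError):
        return ("config", "CA file not found: %s" % reason)
    return ("network", str(reason))

def poll(url, ca_file=None, timeout=5):
    """GET url with certificate verification left on; return (category, detail)."""
    try:
        ctx = build_context(ca_file)
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return ("ok", "status %d" % resp.status)
    except OSError as exc:  # URLError, SSLError and socket errors are all OSError
        return classify(exc)

if __name__ == "__main__":
    # Port and CA path are from the command in the issue; the "/" path is assumed.
    url = "https://localhost:7001/"
    print("system trust store:", poll(url))
    print("cluster CA only:   ", poll(url, "/var/tls/ca.crt"))
```

A `tls-trust` result with "issuing CA not in trust store" on the first call and `ok` on the second indicates that the server certificate chains to the cluster CA and that only the client's trust anchor is missing.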

Labels: area/ecosystem, area/ybd, kind/enhancement, priority/medium, status/awaiting-triage