Troubleshoot the failed reaching server error
The message Failed reaching server: last connection error can often result from an expired TLS certificate or during the Server startup process, in which the Client requests reach the Server before the roles are fully initialized.
This troubleshooting guide shows you how to do the following:
- Verify the certification expiration date
- Renew the certification
- Update the server configuration
Verify TLS certification expiration date
The first step in troubleshooting this error is to verify the expiration date of the TLS certification. Then you can renew the certification and update the server configuration.
Choose one of the following methods to verify the expiration date of the TLS certification:
Verify the expiration date of the TLS certification
List the expiration date with the following command:
tcld namespace accepted-client-ca list --namespace <namespace_name> | jq -r '.[0].notAfter'
If the returned date is in the past, the certificate has expired.
Existing certificate management infrastructure
If you are using an existing certificate management infrastructure, use it to verify the TLS connection. For example, if you are using OpenSSL, run the following command:
openssl s_client -connect <namespace_grpc_endpoint> -showcerts -cert ~/certs/path.pem -key .~/certs/path.key -tls1_2
Self-signed certificate
If you are using a self-signed certificate, run the following Temporal CLI command:
temporal namespace describe --namespace <namespace_id> --address <namespace_grpc_endpoint> --tls-cert-path <path-to-mTLS-pem-file> --tls-key-path <path-to-mTLS-key-file>
Your Namespace gRPC endpoint is available on the details page for your Temporal Cloud Namespace.
Renew TLS certification
If the certificate has expired or is about to expire, the next step is to renew it.
You can do this by contacting the certificate authority (CA) that issued the certificate and requesting a renewal.
Existing certificate management infrastructure
If you are using an existing certificate management infrastructure, contact the administrator of the infrastructure to renew the certificate.
Self-signed certificate
If you are using a self-signed certificate or don't have an existing infrastructure, you can generate a new certificate using OpenSSL or certstrap.
For information on generating a self-signed certificate, see Control authorization.
Update the CA certification in the server configuration
Update the new CA certificate in the Temporal Cloud server configuration.
You can update certificates using any of the following methods:
After you update the TLS certification in the server configuration, retry your connection.
Set reminders
Don't let your certificates expire. Add reminders to your calendar to issue new CA certificates well before the expiration dates of the existing ones.
Additional resources
The preceding steps should help you troubleshoot the failed reaching server: last connection error error caused by an expired TLS certificate.
If this issue persists, verify that the Client you are using to connect to the server is using the correct TLS certification and that the Client requests reach the server after the roles are fully initialized. If you still need help, create a support ticket.