TLS Handshake error EOF

On a new InfluxDB cluster, no clients/data at this time, at a 1s interval we get a log message on meta nodes stating that there is a TLS handshake error. Ideally we'd like to identify the source of this and resolve it, as this is just log noise that could make tracking a problem down harder in the future. I have seen the other topics here, but they seemed related to metrics scraping and we haven't enabled any of that yet.

ts=2025-10-15T19:19:43.560145Z lvl=info msg="InfluxDB Meta starting" log_id=0zbKs6n0000 version=v1.12.2 branch=unknown commit=fac18a92f29114aa2d6dd438edbe7b3ca0b81b16 tags=unknown
ts=2025-10-15T19:19:43.560164Z lvl=info msg="Go runtime" log_id=0zbKs6n0000 version=go1.23.8 maxprocs=128
ts=2025-10-15T19:19:43.560168Z lvl=info msg="Crypto implementation" log_id=0zbKs6n0000 implementation=Go fips=false
ts=2025-10-15T19:19:43.560170Z lvl=info msg="Crypto Power-On Self-Test (POST) available" log_id=0zbKs6n0000 available=false
ts=2025-10-15T19:19:43.560172Z lvl=info msg="Loading configuration file" log_id=0zbKs6n0000 path=/etc/influxdb/influxdb-meta.conf
ts=2025-10-15T19:19:43.560731Z lvl=info msg="Password hashing configuration: pbkdf2-sha512;rounds=29000;salt_len=16" log_id=0zbKs6n0001 service=metastore
ts=2025-10-15T19:19:43.560737Z lvl=info msg="Password hashing is FIPS-ready: true" log_id=0zbKs6n0001 service=metastore
ts=2025-10-15T19:19:43.561198Z lvl=info msg="Listening on TCP: [::]:8089" log_id=0zbKs6n0001 service=metastore
ts=2025-10-15T19:19:43.561422Z lvl=info msg="registering portal protocol listener" log_id=0zbKs6n0001 service=meta portal=raft protocol=7
ts=2025-10-15T19:19:43.561429Z lvl=info msg="starting direct protocol listener" log_id=0zbKs6n0001 service=meta portal=raft protocol=8
ts=2025-10-15T19:19:43.561472Z lvl=info msg="starting accept loop" log_id=0zbKs6n0001 service=meta portal=raft
ts=2025-10-15T19:19:43.561491Z lvl=info msg="Starting meta service" log_id=0zbKs6n0001 service=meta
ts=2025-10-15T19:19:43.561719Z lvl=info msg="Listening on HTTP" log_id=0zbKs6n0001 service=meta addr=[::]:8091 https=true
ts=2025-10-15T19:19:43.561749Z lvl=info msg="Using data dir" log_id=0zbKs6n0001 service=meta path=/var/lib/influxdb/meta
ts=2025-10-15T19:19:43.561836Z lvl=info msg="Reading InfluxDB Enterprise license locally" log_id=0zbKs6n0001 service=licensing path=/etc/influxdb/license.json
ts=2025-10-15T19:19:43.564634Z lvl=info msg="Node at influx-meta-0001.<redacted>.com:8089 [Follower]" log_id=0zbKs6n0001 service=meta
ts=2025-10-15T19:19:44.488903Z lvl=info msg="accept connection" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35376
ts=2025-10-15T19:19:44.489086Z lvl=info msg="accept connection" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35384
ts=2025-10-15T19:19:44.497110Z lvl=info msg="got mux connection" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35384 protocol=7
ts=2025-10-15T19:19:44.497383Z lvl=info msg="Portal client connected" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35384 protocol=7 ClientID=influx-meta-0003.<redacted>.com ProtocolVersion=1.0.0 ClientVersion=v1.12.2 ClientAgent=influxd-meta
ts=2025-10-15T19:19:44.499578Z lvl=info msg="got mux connection" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35376 protocol=7
ts=2025-10-15T19:19:44.499756Z lvl=info msg="Portal client connected" log_id=0zbKs6n0001 service=meta portal=raft remote=10.0.54.202:35376 protocol=7 ClientID=influx-meta-0003.<redacted>.com ProtocolVersion=1.0.0 ClientVersion=v1.12.2 ClientAgent=influxd-meta
2025/10/15 19:19:44 http: TLS handshake error from 127.0.0.1:42356: EOF
2025/10/15 19:19:45 http: TLS handshake error from 127.0.0.1:34048: EOF
2025/10/15 19:19:46 http: TLS handshake error from 127.0.0.1:34058: EOF
2025/10/15 19:19:47 http: TLS handshake error from 127.0.0.1:34060: EOF
2025/10/15 19:19:48 http: TLS handshake error from 127.0.0.1:34062: EOF
2025/10/15 19:19:49 http: TLS handshake error from 127.0.0.1:34068: EOF
2025/10/15 19:19:50 http: TLS handshake error from 127.0.0.1:34076: EOF
2025/10/15 19:19:51 http: TLS handshake error from 127.0.0.1:34092: EOF
2025/10/15 19:19:52 http: TLS handshake error from 127.0.0.1:34098: EOF

We are running in Docker containers with the following compose + config:

compose

services:
  meta:
    image: docker.<redacted>.com/library/influxdb:1.12.2-meta-alpine
    container_name: influx-meta-0001
    hostname: influx-meta-0001.<redacted>.com
    volumes:
      - /opt/trinity/influxdb/meta-influx-meta-0001/influxdb.conf:/etc/influxdb/influxdb-meta.conf:ro
      - /opt/trinity/influxdb/meta-influx-meta-0001/license.json:/etc/influxdb/license.json:ro
      - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
      - /etc/pki/tls/private/influx-meta-0001_<redacted>_com.key:/etc/ssl/influx.key:ro
      - /etc/pki/tls/certs/influx-meta-0001_<redacted>_com.crt:/etc/ssl/influx.crt:ro
      - influx_meta_volume:/var/lib/influxdb
    cpus: 2
    mem_limit: 1g
    mem_reservation: 1g
    restart: on-failure
    ports:
      - "8089:8089"
      - "8091:8091"
    networks:
      opnet_macvlan_net:
        ipv4_address: 10.0.54.200
    command:

networks:
  opnet_macvlan_net:
      external: true        

volumes:
    influx_meta_volume:
      driver: local

config

reporting-disabled = true

[enterprise]
  registration-enabled = false
  registration-server-url = ""
  license-key = ""
  license-path = "/etc/influxdb/license.json"
  marketplace-env = ""

[meta]
  dir = "/var/lib/influxdb/meta"
  retention-autocreate = true
  logging-enabled = true
  bind-address = ":8089"
  auth-enabled = false
  auth-method = "all"
  ldap-allowed = false
  http-bind-address = ":8091"
  https-enabled = true
  https-certificate = "/etc/ssl/influx.crt"
  https-private-key = "/etc/ssl/influx.key"
  https-insecure-tls = false
  data-use-tls = true
  data-insecure-tls = false
  gossip-frequency = "5s"
  announcement-expiration = "30s"
  election-timeout = "1s"
  heartbeat-timeout = "1s"
  leader-lease-timeout = "500ms"
  consensus-timeout = "30s"
  commit-timeout = "50ms"
  cluster-tracing = false
  pprof-enabled = true
  lease-duration = "1m0s"
  shared-secret = ""
  internal-shared-secret = "<redacted>"
  password-hash = "pbkdf2-sha512"
  ensure-fips = false
  raft-portal-auth-required = true
  raft-dialer-auth-required = true

[logging]
  format = "auto"
  level = "info"
  suppress-logo = true

[tls]
  min-version = "1.2"
  max-version = ""

Not sure about this and wonder if @davidby-influx might have a suggestion.

@bmagistro - Since you are a paying customer, you should file a ticket through the support portal. If you don’t know how to do that, send an email to support@influxdata.com. You will get focused, private attention to assist you.


@bmagistro - just as a quick copy from some documentation:

On an Enterprise cluster with TLS enabled for internal communication behind the load balancer, you may see periodic errors logged similar to:

“http: TLS handshake error from x.x.x.x:8086: EOF”

Most of the time these are caused by TCP-level health checks from the load balancer where the connection is made and then closed immediately. AWS NLB type load balancers for example will do this. These errors can safely be ignored, but unfortunately cannot be suppressed as they are coming from the underlying http library.

If you are on AWS, this may apply:

If you add a TLS listener to your Network Load Balancer, we perform a listener connectivity test. As TLS termination also terminates a TCP connection, a new TCP connection is established between your load balancer and your targets. Therefore, you might see the TCP connections for this test sent from your load balancer to the targets that are registered with your TLS listener. You can identify these TCP connections because they have the source IP address of your Network Load Balancer and the connections do not contain data packets.

from Health checks for Network Load Balancer target groups - Elastic Load Balancing
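
The connect-then-close behaviour described in the quoted documentation can be reproduced locally. This is an added example, not part of the original thread or of InfluxDB's code: it starts a throwaway Go HTTPS server, opens TCP connections that close before sending a ClientHello, and returns the lines net/http logs; `probeAndCapture` and `lineChan` are names made up for the illustration.

```go
// Added example; probeAndCapture and lineChan are illustrative names.
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// lineChan receives each ErrorLog entry (log.Logger does one Write per entry).
type lineChan chan string

func (c lineChan) Write(p []byte) (int, error) { c <- string(p); return len(p), nil }

// probeAndCapture starts a throwaway HTTPS server on loopback, makes `probes` TCP
// connections that close without a ClientHello, and returns the server's log lines.
func probeAndCapture(probes int) ([]string, error) {
	lines := make(lineChan, probes)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.Config.ErrorLog = log.New(lines, "", 0)
	srv.StartTLS()
	defer srv.Close()
	for i := 0; i < probes; i++ {
		c, err := net.Dial("tcp", srv.Listener.Addr().String())
		if err != nil {
			return nil, err
		}
		c.Close() // no TLS bytes sent, so the server's handshake read hits EOF
	}
	var got []string
	for len(got) < probes { // the failure is logged from per-connection goroutines
		select {
		case l := <-lines:
			got = append(got, strings.TrimSpace(l))
		case <-time.After(2 * time.Second):
			return got, fmt.Errorf("timed out after %d log lines", len(got))
		}
	}
	return got, nil
}

func main() {
	got, err := probeAndCapture(3)
	fmt.Printf("%s\nerr=%v\n", strings.Join(got, "\n"), err)
}
```

The address in each line is the connecting peer's IP and ephemeral source port, so a 127.0.0.1 source means the connection was opened over loopback in the same network namespace as the listener.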

At the time this was prior to us enabling/adding the load balancer…

In the logs, the source address appears to be 127.0.0.1, which should be the app running in the container itself, nothing external to it?