Ssl3_read_bytes:tlsv1 unrecognized name downloading {domain}/satispress/packages.json

trellis
1

Client machine: staging.alliancechemical.com
Server machine: alliancechemical.com

Getting this error message when trying to run composer install Task in Trellis. Deleting my composer.lock file then trying to manually run composer install --verbose on client gives the following error ouput:

[Composer\Downloader\TransportException]
  curl error 35 while downloading https://{mydomain}/satispress/packages.json: error:14094458:SSL routines:
  ssl3_read_bytes:tlsv1 unrecognized name

SSL Checker on the domain validates the SSL certificate on Server
Domain: alliancechemical.com
SSL Checker

Client’s composer.json has this satispress repo set up:

 "repositories": {
        "satispress": {
            "type": "composer",
            "url": "https://alliancechemical.com/satispress/"
        }

Credentials are in a auth.json file

{
    "http-basic": {
        "alliancechemical.com": {
            "username": "{API_KEY}",
            "password": "satispress"
        }
    }
}

Not sure what’s wrong here both client and server are provisioned with Trellis and I’ve also whitelisted the staging server’s IP address for bothh inbound TCP and UDP.

2

When everything appears to be correct connection-wise - maybe it is a DNS issue?

Similar issue (completely different thing, but same symptoms):

Or is SNI used with an outdated (incompatible) client?

3

Thanks for replying! I’ve been banging my head on this one. I deleted all my release and tried to redeploy and got the same error. Then I tried to just go into the staging server and run curl https://alliancechemical.com/satispress/packages.json and I got the same error. So now I’ve at least nailed it down to being an issue with curl. I can download the contents of that URL on my local machine too so the problem is specific to that staging server. I updated all my packages and rebooted the server and ssh’d back in and got the same error when trying to curl that url. Not sure where to go from here, I’ll read those docs you sent.

4

If this is a bug what would be my best method to resolve it? I’m running openssl 1.1.1f which when I try to update says it’s the latest version

5

:thinking: It is rather the curl package/command itself that has/uses an outdated SSL library.
What versions are listed on the system with the issue from curl --version?
Edit: As composer uses the PHP curl extension: Check in the phpinfo what OpenSSL version is used by the curl PHP extension.

6

Running curl --version outputs
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3 Release-Date: 2020-01-08 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

OpenSSL Version
OpenSSL 1.1.1f 31 Mar 2020

7

screenshot-staging.alliancechemical.com-2023.01.25-10_06_50
screenshot-staging.alliancechemical.com-2023.01.25-10_06_501920×938 38.3 KB

8

This can be an IPv4/IPv6 related issue.
dig alliancechemical.com: There are A and AAAA records.

9

screenshot-staging.alliancechemical.com-2023.01.25-10_09_06
screenshot-staging.alliancechemical.com-2023.01.25-10_09_061920×881 31 KB

10

Does HTTPS work over IPv4 and IPv6?
Is it the same server or different ones via IPv4 and IPv6?
Does it listen on both public IP addresses?

11 
; <<>> DiG 9.16.1-Ubuntu <<>> alliancechemical.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13864
;; flags: qr rd ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;alliancechemical.com.          IN      A

;; ANSWER SECTION:
alliancechemical.com.   0       IN      A       172.67.74.116
alliancechemical.com.   0       IN      A       104.26.8.168
alliancechemical.com.   0       IN      A       104.26.9.168

;; Query time: 30 msec
;; SERVER: 172.17.224.1#53(172.17.224.1)
;; WHEN: Wed Jan 25 10:09:48 CST 2023
;; MSG SIZE  rcvd: 106

staging.alliancechemical.com is set up on a different server than alliancechemical.com with a different IP address but both are on Digital Ocean

I also have firewall rules set up on alliancechemical.com server to accept inbound IP ranges from cloudflare and also from the staging server IP address for IPv4. Do you think this could be causing it?

12

screenshot-cloud.digitalocean.com-2023.01.25-10_16_04
screenshot-cloud.digitalocean.com-2023.01.25-10_16_041920×880 92.9 KB

13

Even doing curl -k https://alliancechemical.com/satispress/packages.json with -k flag returns th error:
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name

14

Try curl --ipv4 https://alliancechemical.com/satispress/packages.json, does this help?

Edit: Added the missing .json part to the command.

dig A alliancechemical.com results in this for me:

alliancechemical.com.   0       IN      A       172.67.74.116
alliancechemical.com.   0       IN      A       104.26.8.168
alliancechemical.com.   0       IN      A       104.26.9.168

and dig AAAA alliancechemical.com:

alliancechemical.com.   0       IN      AAAA    2606:4700:20::681a:8a8
alliancechemical.com.   0       IN      AAAA    2606:4700:20::ac43:4a74
alliancechemical.com.   0       IN      AAAA    2606:4700:20::681a:9a8

Hmm, CloudFlare is used in front of the server.

curl -L -H "Host: alliancechemical.com" 172.67.74.116 works for me, also for the other IPv4 addresses. Edit: This would let curl use HTTP instead of HTTPS, so not a very useful command…

Do you get the same results, or is there something wrong with e.g. the /etc/hosts file?

15

I’m getting the curl (35) error even when I curl https://alliancechemical.com from staging server. Here’s the results of the commands you did when I did them on staging server:

curl --ipv4 https://alliancechemical.com/satispress/packages.json
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name

dig A alliancechemical.com

; <<>> DiG 9.16.1-Ubuntu <<>> A alliancechemical.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;alliancechemical.com.          IN      A

;; ANSWER SECTION:
alliancechemical.com.   0       IN      A       127.0.1.1

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 25 16:46:07 UTC 2023
;; MSG SIZE  rcvd: 65

dig AAAA alliancechemical.com

; <<>> DiG 9.16.1-Ubuntu <<>> AAAA alliancechemical.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53198
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;alliancechemical.com.          IN      AAAA

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 25 16:46:25 UTC 2023
;; MSG SIZE  rcvd: 49

Hmm, CloudFlare is used in front of the server.

Yes Cloudflare is used in front of staging and produciton server and is proxied

16

Add --trace ./some-logfile to the curl command, this should also show the TLS/SSL handshake process and what goes wrong.
Alternative, openssl (client command) can be used for debugging the HTTPS connection (How to debug SSL handshake using cURL? - Stack Overflow).

17

:thinking: What if the HTTP server doesn’t listen on 127.0.0.1, but only on the public IP address(es)? This may result in an issue when connecting. But you noted that you have the same issue outside of the staging system, where the IP doesn’t resolve to 127.0.0.1, so this is probably not the explanation.

18

Result in log file of running curl --ipv4 --trace ./logfile https://alliancechemical.com/satispress/packages.json

== Info:   Trying 127.0.1.1:443...
== Info: TCP_NODELAY set
== Info: Connected to alliancechemical.com (127.0.1.1) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 02 00                                  .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: 01 00 01 fc 03 03 e0 45 ca cc 09 bd c7 ff 8c 40 .......E.......@
0010: e2 fd 99 53 62 5d 37 69 ea 3a 75 8d 34 43 d9 c3 ...Sb]7i.:u.4C..
0020: c4 b0 8c 8d ad 91 20 73 f4 69 4a e7 3a 7b da 41 ...... s.iJ.:{.A
0030: 8b 02 33 80 5e 2d f3 f3 64 c7 0a 8c d0 b5 e1 ed ..3.^-..d.......
0040: 20 cd 60 25 a7 53 f4 00 3e 13 02 13 03 13 01 c0  .`%.S..>.......
0050: 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 ,.0.........+./.
0060: 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 ..$.(.k.#.'.g...
0070: 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 ..9.....3.....=.
0080: 3c 00 35 00 2f 00 ff 01 00 01 75 00 00 00 19 00 <.5./.....u.....
0090: 17 00 00 14 61 6c 6c 69 61 6e 63 65 63 68 65 6d ....alliancechem
00a0: 69 63 61 6c 2e 63 6f 6d 00 0b 00 04 03 00 01 02 ical.com........
00b0: 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 ................
00c0: 33 74 00 00 00 10 00 0e 00 0c 02 68 32 08 68 74 3t.........h2.ht
00d0: 74 70 2f 31 2e 31 00 16 00 00 00 17 00 00 00 31 tp/1.1.........1
00e0: 00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 .....*.(........
00f0: 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 ................
0100: 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02 ................
0110: 00 2b 00 05 04 03 04 03 03 00 2d 00 02 01 01 00 .+........-.....
0120: 33 00 26 00 24 00 1d 00 20 ec 5b 59 80 6d 8a 65 3.&.$... .[Y.m.e
0130: b5 d0 14 9f bd 5b c2 34 ea 48 2b eb 1d bd f4 ee .....[.4.H+.....
0140: 4c f8 3f 0c 27 f6 ca 05 06 00 15 00 b3 00 00 00 L.?.'...........
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<= Recv SSL data, 5 bytes (0x5)
0000: 15 03 03 00 02                                  .....
== Info: TLSv1.3 (IN), TLS alert, unrecognized name (624):
<= Recv SSL data, 2 bytes (0x2)
0000: 02 70                                           .p
== Info: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
== Info: Closing connection 0
19 
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 7a                                  ....z
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: 02 00 00 76 03 03 1f 46 65 98 55 a4 4b 38 33 80 ...v...Fe.U.K83.

When I use curl I get a different handshake, which is valid.

In your case:

<= Recv SSL data, 5 bytes (0x5)
0000: 15 03 03 00 02

In my case:

<= Recv SSL data, 5 bytes (0x5)
0000: 16 03 03 00 7a
20

Why would that be?

Here’s my hosts file

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 alliancechemical.com alliancechemical
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters