Ssl3_read_bytes:tlsv1 unrecognized name downloading {domain}/satispress/packages.json

Searching for this error turned up a forum discussion that involved CloudFlare / SNI:

This looks like an incompatible or self-signed cert.

What certificate information do you get with openssl client?

openssl s_client -showcerts -connect alliancechemical.com:443

For me, grepping for subject:
openssl s_client -showcerts -connect alliancechemical.com:443 | grep "^subject"

subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com

openssl s_client -showcerts -connect alliancechemical.com:443

CONNECTED(00000003)
140459706877248:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

openssl s_client -showcerts -connect alliancechemical.com:443 | grep "^subject"

139960088417600:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112

Edit: CloudFlare minimum TLS version in CloudFlare dashboard:
https://community.cloudflare.com/t/ssl-issue-openssl/240175/9

Force curl to use a specific DNS server:

curl --dns-servers 8.8.8.8 https://alliancechemical.com/satispress/packages.json

The curl command on that system (Ubuntu for Trellis I guess) should support the --dns-servers option.

When I run that command I get a proper HTML response (an authentication required page), so HTTPS/TLS/SSL works fine on my system.

curl --dns-servers 8.8.8.8 https://alliancechemical.com/satispress/packages.json

curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name

> The curl command on that system (Ubuntu for Trellis I guess) should support the --dns-servers option.

Yep, both staging and production servers were provisioned with Trellis.

Staging wordpress_sites.yml:

# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/staging/vault.yml

wordpress_sites:
  alliancechemical.com:
    site_hosts:
    - canonical: staging.alliancechemical.com
      redirects:
      - www.staging.alliancechemical.com
    local_path: ../site
    branch: master
    repo: git@github.com:DannyTaki/Alliance-Chemical.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false

Production wordpress_sites.yml:

# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/production/vault.yml

wordpress_sites:
  alliancechemical.com:
    site_hosts:
    - canonical: alliancechemical.com
      redirects:
      - www.alliancechemical.com
    local_path: ../site
    branch: master
    repo: git@github.com:DannyTaki/Alliance-Chemical.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: true
      skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml|/store.*|/cart.*|/my-account.*|/checkout.*|/addons.*
      skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_

And you get this error only on that system? Or also on your workstation? On other systems, too?

SSL checker tools like this one can connect to it correctly:

> And you get this error only on that system? Or also on your workstation? On other systems, too?

No, on my work workstation, I can curl just fine and get the expected response.

Does curl https://www.cloudflare.com/ work on that system (maybe it has something to do with CloudFlare CDN on that particular system)?

curl https://www.cloudflare.com/ works and outputs an HTML response, it looks like.

If I curl https://www.alliancechemical.com I get curl: (6) Could not resolve host: wwww.alliancechemical.com

When I use openssl client and connect to the CloudFlare IP without the hostname, I also get a TLS error:

openssl s_client -showcerts -connect 104.26.9.168:443
CONNECTED(00000005)
140358993184064:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Probably a typo (wwww). DNS should work as dig resolved to something.

This is what I get from curl --version on a Trellis/Ubuntu web server (where curl works with that URL):

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Do you get the same?

Are there apt updates for curl/libcurl or something curl related available?

No, I have openSSL/1.1.1f

curl --version

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Get a standalone curl binary (from Release v7.87.0 · moparisthebest/static-curl · GitHub):

cd /tmp
wget https://github.com/moparisthebest/static-curl/releases/download/v7.87.0/curl-amd64
chmod +x ./curl-amd64
./curl-amd64 https://alliancechemical.com/satispress/packages.json

Ran apt-get update and apt-get upgrade on staging. Now when I ran curl https://www.alliancechemical.com I got a response:

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

But when running curl https://alliancechemical.com, still getting curl: (35) error...

Run the standalone curl binary (see above), also try wget.

Downloaded curl binary as you described, gave it execute privileges and tried to curl the endpoint and got the same error!

Running wget https://alliancechemical.com/satispress/packages.json:

--2023-01-25 17:47:54--  https://alliancechemical.com/satispress/packages.json
Resolving alliancechemical.com (alliancechemical.com)... 127.0.1.1
Connecting to alliancechemical.com (alliancechemical.com)|127.0.1.1|:443... connected.
OpenSSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
Unable to establish SSL connection.
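A diagnostic script as an added example (written for this page; it is not from the thread, from Trellis, or from any poster). Two details in the output above are worth checking mechanically: the wget run resolves alliancechemical.com to 127.0.1.1, which is a loopback address, so on that server the request goes to the machine itself rather than to Cloudflare's edge; and the two openssl s_client runs end in different TLS alerts (112 unrecognized_name when the hostname is sent as SNI, 40 handshake_failure when connecting to the bare IP with no SNI). The script parses those OpenSSL error lines, reports /etc/hosts entries and resolver answers that point at local or private addresses, and retries the handshake against each resolved address both with and without SNI. The hostname argument, the /etc/hosts path and the constructed sample lines are assumptions; the alert numbers are the standard TLS values.

```python
"""Diagnose a 'tlsv1 unrecognized name' (TLS alert 112) failure.

Added example, not code from the thread or from Trellis. It checks:
  1. what the local resolver (and /etc/hosts) maps the hostname to, since a
     loopback/private answer means the request never reaches the CDN;
  2. whether the TLS handshake succeeds with and without the SNI name.
"""
import ipaddress
import re
import socket
import ssl
import sys

# Subset of TLS alert descriptions (RFC 5246 / RFC 6066 numbering).
TLS_ALERTS = {
    40: "handshake_failure",
    70: "protocol_version",
    112: "unrecognized_name",
}

# Matches the OpenSSL error format seen in `openssl s_client` output, e.g.
# "...:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:...:SSL alert number 112"
_OPENSSL_ERR = re.compile(
    r"SSL routines:(?P<func>\w+):(?P<reason>[^:]+):.*?SSL alert number (?P<alert>\d+)"
)


def parse_openssl_error(line):
    """Return (reason, alert_number, alert_name) for an OpenSSL alert line,
    or None if the line is not one (e.g. a curl DNS error)."""
    m = _OPENSSL_ERR.search(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    return m.group("reason"), alert, TLS_ALERTS.get(alert, "unknown")


def is_local_address(ip):
    """True for loopback, private or link-local addresses: a resolver answer
    like 127.0.1.1 cannot be a CDN edge, it is this machine or the LAN."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_link_local


def hosts_file_entries(text, hostname):
    """Parse /etc/hosts-style text; return the IPs that override hostname."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if hostname in parts[1:]:
            found.append(parts[0])
    return found


def resolve(hostname):
    """Addresses the system resolver returns for port 443 (honours /etc/hosts)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443)})


def probe_tls(hostname, ip, servername=None, timeout=5):
    """Try a TLS handshake to ip:443, sending servername as SNI (None = no SNI).
    Returns ("ok", peer subject) or ("error", message). Python's ssl module
    reports the OpenSSL reason string without the alert number, so the
    parsed form is only available when the message carries one."""
    ctx = ssl.create_default_context()
    if servername is None:
        # Without SNI there is no hostname to verify against; this probe only
        # asks whether the server completes a handshake at all.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername) as tls:
                return "ok", tls.getpeercert().get("subject")
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return "error", parse_openssl_error(str(e)) or str(e)


def main(hostname, hosts_path="/etc/hosts"):
    with open(hosts_path) as fh:
        overrides = hosts_file_entries(fh.read(), hostname)
    if overrides:
        print(f"{hosts_path} maps {hostname} to {overrides}")
    for ip in resolve(hostname):
        note = "  <- local address, request never reaches the CDN" if is_local_address(ip) else ""
        print(f"{hostname} -> {ip}{note}")
        print("  with SNI   :", probe_tls(hostname, ip, servername=hostname))
        print("  without SNI:", probe_tls(hostname, ip, servername=None))


if __name__ == "__main__":
    # Hostname is an assumed example argument: python3 diagnose.py alliancechemical.com
    main(sys.argv[1] if len(sys.argv) > 1 else "alliancechemical.com")
```

Run it on the affected server and on a workstation and compare: if the server prints a loopback or private address next to the hostname, the handshake is being answered by a local web server that does not serve that SNI name, which is a resolver or hosts-file problem rather than a certificate or curl/OpenSSL version problem.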