Searching for this error turned up a forum discussion involving CloudFlare / SNI:
This looks like an incompatible or self-signed cert.
What certificate information do you get with openssl client?
openssl s_client -showcerts -connect alliancechemical.com:443
For me, grepping for subject:
openssl s_client -showcerts -connect alliancechemical.com:443 | grep "^subject"
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = sni.cloudflaressl.com
openssl s_client -showcerts -connect alliancechemical.com:443
CONNECTED(00000003)
140459706877248:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
openssl s_client -showcerts -connect alliancechemical.com:443 | grep "^subject"
139960088417600:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112
Edit: CloudFlare minimum TLS version in CloudFlare dashboard:
https://community.cloudflare.com/t/ssl-issue-openssl/240175/9
Force curl to use a specific DNS server:
curl --dns-servers 8.8.8.8 https://alliancechemical.com/satispress/packages.json
The curl command on that system (Ubuntu for Trellis I guess) should support the --dns-servers option.
When I run that command I get a proper HTML response (an authentication required page), so HTTPS/TLS/SSL works fine on my system.
curl --dns-servers 8.8.8.8 https://alliancechemical.com/satispress/packages.json
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
The curl command on that system (Ubuntu for Trellis I guess) should support the --dns-servers option.
Yep, both staging and production servers were provisioned with Trellis.
Staging wordpress_sites.yml:
# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/staging/vault.yml
wordpress_sites:
  alliancechemical.com:
    site_hosts:
      - canonical: staging.alliancechemical.com
        redirects:
          - www.staging.alliancechemical.com
    local_path: ../site
    branch: master
    repo: git@github.com:DannyTaki/Alliance-Chemical.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false
Production wordpress_sites.yml:
# Documentation: https://roots.io/trellis/docs/remote-server-setup/
# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
# Define accompanying passwords/secrets in group_vars/production/vault.yml
wordpress_sites:
  alliancechemical.com:
    site_hosts:
      - canonical: alliancechemical.com
        redirects:
          - www.alliancechemical.com
    local_path: ../site
    branch: master
    repo: git@github.com:DannyTaki/Alliance-Chemical.git
    repo_subtree_path: site
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: true
      skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml|/store.*|/cart.*|/my-account.*|/checkout.*|/addons.*
      skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_
And you get this error only on that system? Or also on your workstation? On other systems, too?
SSL checker tools like this one can connect to it correctly:
And you get this error only on that system? Or also on your workstation? On other systems, too?
No, on my work workstation, I can curl just fine and get the expected response.
Does curl https://www.cloudflare.com/ work on that system (maybe it has something to do with CloudFlare CDN on that particular system)?
curl https://www.cloudflare.com/ works and outputs an HTML response, it looks like.
If I curl https://www.alliancechemical.com I get curl: (6) Could not resolve host: wwww.alliancechemical.com
When I use openssl client and connect to the CloudFlare IP without the hostname, I also get a TLS error:
openssl s_client -showcerts -connect 104.26.9.168:443
CONNECTED(00000005)
140358993184064:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Probably a typo (wwww). DNS should work as dig resolved to something.
This is what I get from curl --version on a Trellis/Ubuntu web server (where curl works with that URL):
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Do you get the same?
Are there apt updates for curl/libcurl or something curl related available?
No, I have OpenSSL/1.1.1f
curl --version
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Get a standalone curl binary (from Release v7.87.0 · moparisthebest/static-curl · GitHub):
cd /tmp
wget https://github.com/moparisthebest/static-curl/releases/download/v7.87.0/curl-amd64
chmod +x ./curl-amd64
./curl-amd64 https://alliancechemical.com/satispress/packages.json
Ran apt-get update and apt-get upgrade on staging. Now when I ran curl https://www.alliancechemical.com I got a response:
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
But when running curl https://alliancechemical.com I'm still getting curl: (35) error.
Run the standalone curl binary (see above), also try wget.
Downloaded curl binary as you described, gave it execute privileges and tried to curl the endpoint and got the same error!
Running wget https://alliancechemical.com/satispress/packages.json
--2023-01-25 17:47:54-- https://alliancechemical.com/satispress/packages.json
Resolving alliancechemical.com (alliancechemical.com)... 127.0.1.1
Connecting to alliancechemical.com (alliancechemical.com)|127.0.1.1|:443... connected.
OpenSSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
Unable to establish SSL connection.
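Two signals in the thread are worth reading together: the TLS alert numbers in the openssl and curl output (alert 112 when connecting to alliancechemical.com, alert 40 when connecting to the bare CloudFlare IP with no hostname), and the wget run above, which resolves alliancechemical.com to 127.0.1.1, a loopback address. The following Python script is an added example, not code from the thread, from Trellis, or from CloudFlare: it pulls the alert number out of an OpenSSL error line and maps it to its RFC name, and it scans hosts-file text for a loopback pin of the site name, the usual reason a server resolves its own site name to 127.0.1.1. The hosts-file content is constructed for the example, and the function names are my own; only the OpenSSL error line is copied from the thread.

```python
import ipaddress
import re

# Constructed sample hosts-file content (not from the thread): the site name
# pinned to 127.0.1.1, matching what the wget output in the thread showed.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   alliancechemical.com www.alliancechemical.com   # hypothetical pin
::1         ip6-localhost ip6-loopback
"""

# OpenSSL error line copied from the thread's output.
SAMPLE_OPENSSL_LINE = (
    "139960088417600:error:14094458:SSL routines:ssl3_read_bytes:"
    "tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112"
)

# TLS alert descriptions (RFC 5246 section 7.2 / RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")


def parse_openssl_alert(line):
    """Return (number, name) for a line carrying 'SSL alert number N', else None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    num = int(m.group(1))
    return num, TLS_ALERTS.get(num, "unknown")


def hosts_overrides(hosts_text, hostname):
    """Return every address the hosts-file text maps `hostname` to (case-insensitive)."""
    wanted = hostname.lower().rstrip(".")
    addrs = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if wanted in (n.lower() for n in fields[1:]):
            addrs.append(fields[0])
    return addrs


def loopback_pins(hosts_text, hostname):
    """Subset of hosts_overrides() that point at a loopback address (127/8 or ::1)."""
    return [a for a in hosts_overrides(hosts_text, hostname)
            if ipaddress.ip_address(a).is_loopback]


def diagnose(hosts_text, hostname, openssl_line):
    """Turn the two observations into plain-language findings."""
    findings = []
    alert = parse_openssl_alert(openssl_line)
    if alert is not None:
        num, name = alert
        findings.append(f"peer sent TLS alert {num} ({name})")
        if name == "unrecognized_name":
            findings.append("the TLS server has no certificate for the SNI name it received")
    pins = loopback_pins(hosts_text, hostname)
    if pins:
        findings.append(
            f"{hostname} is pinned to loopback {pins} in the hosts file, "
            "so the connection is answered locally rather than by the CDN edge"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_HOSTS, "alliancechemical.com", SAMPLE_OPENSSL_LINE):
        print("-", finding)
```

Run it against the real file with `diagnose(open("/etc/hosts").read(), "alliancechemical.com", line)` on the affected server. A loopback pin means curl and wget on that host never reach CloudFlare at all; they talk to the server's own TLS listener, and unrecognized_name is the alert a TLS server sends when it holds no certificate for the SNI name in the ClientHello. For the openssl s_client checks in the thread, `-servername <host>` sets the SNI name explicitly, which separates "wrong endpoint" from "wrong name" when the two runs disagree.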