Gnutls_handshake() failed: The TLS connection was non-properly terminated


(Laurent Roger) #1

Hi !
After a docker update and reboot, my configuration is a total mess, I can access to each docker but they don’t communicate between each other, rejecting direct access with “GET / HTTP/2.0” 301 errors in caddy’s logs.
apt-get update fails with this errors

Err:9 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
404 Not Found [IP: 91.189.88.149 80]
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://archive.ubuntu.com/ubuntu xenial Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://archive.ubuntu.com/ubuntu xenial-updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/main/binary-amd64/Packages 404 Not Found [IP: 91.189.91.23 80]
E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/Packages 404 Not Found [IP: 91.189.88.149 80]
E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/binary-amd64/Packages 404 Not Found [IP: 91.189.88.149 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

simple curl command fails until I stop caddy docker image

curl -vIsSL https://agent.digitalocean.com/install.sh
*   Trying 151.101.0.233...
* Connected to agent.digitalocean.com (151.101.0.233) port 443 (#0)
* found 168 certificates in /etc/ssl/certs/ca-certificates.crt
* found 672 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* SSL: certificate subject name (api.fame.community) does not match target host name 'agent.digitalocean.com'
* Closing connection 0
curl: (51) SSL: certificate subject name (api.fame.community) does not match target host name 'agent.digitalocean.com'

Here is my Caddyfile

www.laurentroger.com {
  root /home/laurentroger.com
  tls laurent@laurentroger.com {
    max_certs 10 
  }
  log /var/log/caddy/www.laurentroger.com
}

boiteauxcourses.laurentroger.com {
  tls laurent@laurentroger.com {
    max_certs 10
  }
  log /var/log/caddy/boiteauxcourses.laurentroger.com
  proxy / {
    policy ip_hash
    websocket
    transparent
    upstream http://xx.xx.xx.xx:pppp
  }
}

backoffice.laurentroger.com {
  tls laurent@laurentroger.com
  log /var/log/caddy/backoffice.laurentroger.com
  proxy / {
    policy ip_hash
    websocket
    transparent
    upstream http://xx.xx.xx.xx:ppppp
  }
}

Any ideas what’s wrong and how to come back to a clean setup ?

I’ve setup a fresh new server, with just one caddy configuration, result is 502 (bad gateway)

x - - [29/Oct/2017:16:39:41 +0000] "GET /websocket HTTP/1.1" 502 16
x - - [29/Oct/2017:16:39:47 +0000] "GET / HTTP/2.0" 502 16
x - - [29/Oct/2017:16:40:01 +0000] "GET / HTTP/2.0" 502 16
x - - [29/Oct/2017:16:40:12 +0000] "GET /websocket HTTP/1.1" 502 16
x - - [29/Oct/2017:16:40:31 +0000] "GET /login/ HTTP/2.0" 502 16
x - - [29/Oct/2017:16:40:42 +0000] "GET /websocket HTTP/1.1" 502 16

Caddyfile is just

api.xxx.xxx {
  tls laurent@laurentroger.com
  log /var/log/caddy/api.xxx.xxx
  proxy / {
    policy ip_hash
    websocket
    transparent
    upstream http://x.x.x.x:pppp
  }
}
lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

caddy from latest docker

docker run -d \
     -v $(pwd)/Caddyfile:/etc/Caddyfile \
     -v $(pwd)/logs:/var/log/caddy \
     -v $HOME/.caddy:/root/.caddy \
     -v /etc/ssl/certs:/etc/ssl/certs \
     -p 80:80 -p 443:443 \
     --name caddy \
     abiosoft/caddy

(Matthew Fay) #2

I didn’t realise proxy worked without an upstream in the opening line. The docs don’t say it’s optional, and I’ve never tested it.

Anyway, if your Docker networking is preventing Caddy from connecting to other containers, there’s not much that Caddy can do about that. You’ll need to fix your Docker configuration first. Once you can curl your upstream server from within the Caddy container, it should work just fine again.


(Laurent Roger) #3

Thank you Matthew to take a little time review my issue.
Let me clarify one point : it’s not only Docker that is impacted by caddy configuration, but also apt-get and even a simple curl (download of DO-agent install.sh for installation). When I stop caddy, apt-get and curl works fine again.
It’s looks like https and certificates is messed up by caddy as suspected by

curl: (51) SSL: certificate subject name (api.fame.community) does not match target host name 'agent.digitalocean.com'



(Laurent Roger) #4

Corrected as

api.xxx.xxx {
  tls laurent@laurentroger.com
  log /var/log/caddy/api.xxx.xxx
  proxy / localhost:pppp {
    policy ip_hash
    websocket
    transparent
  }
}

Not better, I’ve tryed also to add api.xxx.xxx in /etc/hosts, without better result : always 502 bad gateway


(Laurent Roger) #5

related to https://github.com/mholt/caddy/issues/1345 ?

Tryed --http2=false within docker’s caddy --> same behaviour :frowning:


(Matthew Fay) #6

Does it happen if you don’t bind mount /etc/ssl/certs?


(Laurent Roger) #7

@Whitestrake yes same behaviour without mounting /etc/ssl/certs :tired_face:

issue opened : https://github.com/mholt/caddy/issues/1944


(system) #8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.