How to silence TLS handshake errors?

1. My Caddy version (caddy version):

~ # ./caddy version 
v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

3. The problem I’m having:

I am getting a lot of http: TLS handshake errors. Some of them are understandable, some less, some others will get fixed when I transition to the final configuration (replacing Traefik):

2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39426: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39430: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39436: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 192.168.10.72:52126: remote error: tls: unknown certificate
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39440: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.27:58626: no certificate available for 'elasticsearch.XXX.info'
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39448: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39452: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39454: local error: tls: bad record MAC
2020/04/26 17:45:08 http: TLS handshake error from 192.168.10.72:52127: remote error: tls: unknown certificate
2020/04/26 17:45:09 http: TLS handshake error from 172.18.0.17:51918: local error: tls: bad record MAC
2020/04/26 17:45:12 http: TLS handshake error from 192.168.10.72:52128: EOF

While I am debugging, is there a way to silence these errors?

These are emitted from the Go standard library and we have no control over them, except to discard all std lib logs (you can do this with Caddy, but I strongly advise against it).

Can’t you just ignore logs you’re not interested in?

Well, in that case I will have to :)

The problem down the road is that I will get plenty of such errors because anything.my.domain will get redirected to caddy, including all the chatter from Google Chrome (which uses random names to check the network):

2020/04/26 17:54:41 http: TLS handshake error from 192.168.10.143:61727: no certificate available for 'wwbbzlqlyhh'

Anyway, if there is nothing to do I will ignore them. Thanks a lot for the help!

The answer is probably that you can’t, but it would be nice if all the messages were json rather than some json and some text. When I run the logs through json tools like jq it fails, so I need to grep them out beforehand.

That seems like an oversight on jq’s part: How to skip non-json lines? · Issue #884 · stedolan/jq · GitHub

If someone figures out how to coerce all logs that we don’t control to be emitted as JSON (without high costs), I would be happy to see it.

Maybe use grep before piping to jq to skip lines that don’t start with {

tail -f logs | grep '^{' | jq '.'

That command is incomplete but you get the idea

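An added example, not from any poster in this thread or from the Caddy project: instead of discarding the standard-library lines, split them from the JSON entries and count handshake failures per source and reason, so a burst of one error type stays visible. It assumes IPv4 `ip:port` sources as in the log lines above; the two JSON entries in the sample are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample: Go stdlib lines copied from the thread, mixed with two
# made-up JSON entries standing in for Caddy's structured log output.
sample_log() {
cat <<'SAMPLE'
{"level":"info","ts":1587923107.1,"msg":"constructed entry one"}
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39426: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39430: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.18:39436: local error: tls: bad record MAC
2020/04/26 17:45:07 http: TLS handshake error from 192.168.10.72:52126: remote error: tls: unknown certificate
2020/04/26 17:45:07 http: TLS handshake error from 172.18.0.27:58626: no certificate available for 'elasticsearch.XXX.info'
2020/04/26 17:45:12 http: TLS handshake error from 192.168.10.72:52128: EOF
2020/04/26 17:54:41 http: TLS handshake error from 192.168.10.143:61727: no certificate available for 'wwbbzlqlyhh'
{"level":"info","ts":1587923681.4,"msg":"constructed entry two"}
SAMPLE
}

# Keep only lines that start with '{', so the result can be piped into jq.
json_lines() {
  grep '^{'
}

# Reduce the non-JSON handshake errors to "count source-ip reason",
# most frequent first. The requested server name is stripped from
# "no certificate available for '...'" so that random probe names
# (such as Chrome's network checks) collapse into one reason per source.
tls_error_summary() {
  sed -n 's/^.* http: TLS handshake error from \([0-9.]*\):[0-9]*: \(.*\)$/\1 \2/p' |
    sed "s/ for '.*'\$//" |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print the summary for the sample when the script is run directly.
sample_log | tls_error_summary
```
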
