TLS handshake error on aws

I have caddy set up on an ec2 instance to proxy incoming https requests to a hasura graphql server I also have running on this same ec2 instance.
But for some reason, I am getting a TLS handshake error when trying to make POST requests to this server.

1. My Caddy version (caddy version):

abiosoft/caddy:latest docker image

2. How I run Caddy:

a. System environment:

OS: Ubuntu 18.04.3 LTS
Docker version 19.03.6, build 369ce74a3c

b. Command:

docker-compose -f docker-compose.yaml.combined up -d

c. Service/unit/compose file:

My dockerfile: docker-compose.yaml.combined

```yaml
version: '2'
services:
  graphql-engine:
    image: hasura/graphql-engine:latest
    restart: always
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:postgres@name.number.us-west-1.rds.amazonaws.com:5432/
      HASURA_GRAPHQL_ACCESS_KEY: accesskey
    command:
      - graphql-engine
      - serve
      - --enable-console
  caddy:
    image: abiosoft/caddy:latest
    depends_on:
      - "graphql-engine"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/Caddyfile
      - caddy_certs:/root/.caddy
volumes:
  caddy_certs:
```

d. My complete Caddyfile or JSON config:

```
https://api.destinyload.com {
    proxy / graphql-engine:8080 {
        websocket
    }
}
```

3. The problem I’m having:

When I make a graphql API call from my web frontend running at https://destinyload.com (this is running a render.com server, which is a server infrastructure service like heroku), the POST request fails with ERR_SSL_PROTOCOL_ERROR.

4. Error messages and/or full log output:

`docker logs <caddy docker id>`

```
Activating privacy features... 2020/04/03 03:45:11 [INFO][cache:0xc0000327d0] Started certificate maintenance routine
2020/04/03 03:45:12 [INFO][api.destinyload.com] Obtain certificate
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Obtaining bundled SAN certificate
2020/04/03 03:45:12 [INFO] [api.destinyload.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3728777426
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Could not find solver for: tls-alpn-01
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: use http-01 solver
2020/04/03 03:45:12 [INFO] [api.destinyload.com] acme: Trying to solve HTTP-01
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:12 [INFO] [api.destinyload.com] Served key authentication
2020/04/03 03:45:19 [INFO] [api.destinyload.com] The server validated our request
2020/04/03 03:45:19 [INFO] [api.destinyload.com] acme: Validations succeeded; requesting certificates
2020/04/03 03:45:19 [INFO] [api.destinyload.com] Server responded with a certificate.
done.

Serving HTTPS on port 443
https://api.destinyload.com

2020/04/03 03:45:20 [INFO] Serving https://api.destinyload.com

Serving HTTP on port 80
http://api.destinyload.com

2020/04/03 03:45:20 [INFO] Serving http://api.destinyload.com
2020/04/03 03:45:20 [WARNING] Sending telemetry (attempt 1): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:45:28 [WARNING] Sending telemetry (attempt 2): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:45:47 http: TLS handshake error from 47.18.104.197:63319: no certificate available for 'ec2-3-101-39-189.us-west-1.compute.amazonaws.com'
2020/04/03 03:45:55 [WARNING] Sending telemetry (attempt 3): Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host - backing off and retrying
2020/04/03 03:46:59 [ERROR] Sending telemetry: Post https://telemetry.caddyserver.com/v1/update/bf83e9bc-88b6-4d7f-9a99-ba28c007315a: dial tcp: lookup telemetry.caddyserver.com on 127.0.0.11:53: no such host
```

5. What I already tried:

I don’t understand why it errs about no certificate available for ‘ec2-3-101-39-189.us-west-1.compute.amazonaws.com’. It should be looking for the cert for api.destinyload.com, right? Why is it happening from amazonaws.com instead?
I already made sure that I set up the ANAME on my DNS to point api.destinyload.com to this EC2 instance’s IP.

I’ve been struggling with this for a few days, so would appreciate any help!

I’m not familiar with your setup, so not sure how helpful I can be.

But the errors mean that clients are making connections to your server using the server name ec2-3-101-39-189.us-west-1.compute.amazonaws.com instead of api.destinyload.com. If the client is something from your network, you’ll want to configure it to use your own domain name instead. If it’s out of your control, well, not much you can do.

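The reply above diagnoses the error as an SNI mismatch: the client asks for a name Caddy has no certificate for. The following is an added example (not from the thread or from Caddy) that parses Caddy v1 "TLS handshake error ... no certificate available for" lines and counts, per client and requested name, the handshakes that none of the configured site names could have served, so stale clients (or scanners hitting the raw EC2 hostname) show up at a glance. The log lines are constructed, modelled on the one quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the thread's own Caddy v1 output.
SAMPLE_LOG = """\
2020/04/03 03:45:10 http: TLS handshake error from 198.51.100.7:40001: no certificate available for 'api.destinyload.com'
2020/04/03 03:45:20 [INFO] Serving https://api.destinyload.com
2020/04/03 03:45:47 http: TLS handshake error from 47.18.104.197:63319: no certificate available for 'ec2-3-101-39-189.us-west-1.compute.amazonaws.com'
2020/04/03 03:46:02 http: TLS handshake error from [2001:db8::9]:51234: no certificate available for ''
2020/04/03 03:46:10 http: TLS handshake error from 47.18.104.197:63320: no certificate available for 'ec2-3-101-39-189.us-west-1.compute.amazonaws.com'
"""

# Caddy v1 format: "<date> <time> http: TLS handshake error from <addr>:<port>: no certificate available for '<sni>'"
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) http: TLS handshake error from (?P<addr>\S+): "
    r"no certificate available for '(?P<sni>[^']*)'$"
)


def parse_handshake_errors(log_text):
    """Return (timestamp, client_ip, requested_sni) for each handshake error line."""
    out = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue
        ip, _, _port = m.group("addr").rpartition(":")   # also handles [ipv6]:port
        out.append((m.group("ts"), ip.strip("[]"), m.group("sni")))
    return out


def sni_matches(configured_hosts, sni):
    """Case-insensitive host match; a leading '*.' label matches exactly one label (RFC 6125 style)."""
    sni = sni.lower().rstrip(".")
    for host in configured_hosts:
        host = host.lower().rstrip(".")
        if host.startswith("*."):
            if sni.count(".") == host.count(".") and sni.endswith(host[1:]):
                return True
        elif host == sni:
            return True
    return False


def summarize_mismatches(log_text, configured_hosts):
    """Count failed handshakes per (client_ip, requested_sni) that no configured site could serve.
    Failures for a configured name (e.g. before its certificate was issued) are left out."""
    counts = Counter()
    for _ts, ip, sni in parse_handshake_errors(log_text):
        if not sni_matches(configured_hosts, sni):
            counts[(ip, sni)] += 1
    return counts
```

Run `summarize_mismatches(SAMPLE_LOG, ["api.destinyload.com"])` against a real `docker logs` dump to see which clients still use the EC2 hostname; an empty SNI entry means a client (or scanner) that sent no server name at all.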

You were right, and I just realized this at the same time. I hadn’t updated my code to use the new subdomain…

