[GH-ISSUE #156] ssl3_read_bytes:tlsv1 alert internal error #56

Closed
opened 2026-03-13 15:34:01 +03:00 by kerem · 20 comments

Originally created by @BRTPOB on GitHub (Mar 3, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/156

I've been trying to get my instance of acme-dns up and running, and thus far I'm stuck at the part where I register the domain. When I run the command, I get the following:

```
offspring@Madame_Hydra:~$ curl -v -X POST https://eskimomafia.com:4330/register
*   Trying 109.255.235.241...
* TCP_NODELAY set
* Connected to eskimomafia.com (109.255.235.241) port 4330 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
```

I've removed everything but TLSv1.2 from my SSL options, yet it's still throwing this error. What am I doing wrong/what info would you like to see?

Thanks in advance for the help.

kerem closed this issue 2026-03-13 15:34:06 +03:00

@Ajedi32 commented on GitHub (Mar 4, 2019):

Judging by the error message it seems like the TLS handshake to the API server is failing. Can you connect from a different client, like a web browser or an instance of curl on a different machine?


@joohoi commented on GitHub (Mar 4, 2019):

This error message seems like something that is often happening if you are using `tls = "letsencrypt"` and the `autocert` LE validation either fails, or you are trying to connect to the server using a name that's not listed in `api_domain` configuration variable.

Reading your post, it looks like you should have:
`api_domain = "eskimomafia.com"`

and if you are not doing any reverse proxying / firewall redirections:
`autocert_port = "80"`

The `autocert_port` variable is used to tell acme-dns which port receives connections that are coming in from public internet to your `api_domain` IP address. This is required for the automated Let's Encrypt certificates (for acme-dns instance only).


@BRTPOB commented on GitHub (Mar 4, 2019):

Hrm, ok. I can take a look at my config later tonight when I get home.
Thanks for the quick reply.

On Mon, Mar 4, 2019, 16:48 Joona Hoikkala notifications@github.com wrote:

> This error message seems like something that is often happening if you are
> using tls = "letsencrypt" and the autocert LE validation either fails, or
> you are trying to connect to the server using a name that's not listed in
> api_domain configuration variable.
>
> Reading your post, it looks like you should have:
> api_domain = "eskimomafia.com"
>
> and if you are not doing any reverse proxying / firewall redirections:
> autocert_port = "80"
>
> The autocert_port variable is used to tell acme-dns which port receives
> connections that are coming in from public internet to your api_domain IP
> address. This is required for the automated Let's Encrypt certificates (for
> acme-dns instance only).



@BRTPOB commented on GitHub (Mar 4, 2019):

This is my config, https://pastebin.com/SYVpxZgR. I'm running nginx with reverse proxies, but I don't have anything specifically for ACME-DNS, because I didn't think there needed to be any sort of redirection or anything, plus I wasn't sure how to set that up.


@schue30 commented on GitHub (Mar 4, 2019):

@BRTPOB If you use nginx as a reverse-proxy in front of acme-dns can you please share your nginx config?


@joohoi commented on GitHub (Mar 5, 2019):

Ok, there's a few things going on in here. As your configuration seems to have `tls = "letsencrypt"`, acme-dns needs to be able to bind the autocert Let's Encrypt validation to port `80` (or get the connections to port 80 proxied to it to another port configured in `autocert_port` configuration variable).

Another thing I spotted, is that the DNS part of acme-dns seems to be configured to listen to interface 127.0.0.1. To make acme-dns work correctly, the DNS part should be accessible over public internet on port 53 as well.


@BRTPOB commented on GitHub (Mar 5, 2019):

@schue30 right now I just have nginx running, with no redirects to acme-dns. If I need to set that up, I'll share it.

@joohoi I have 53 forwarded to the machine running acme-dns. The acme-dns server is running on the same machine as the nginx system.


@joohoi commented on GitHub (Mar 5, 2019):

Ok, so the TLS issue stems from the fact that you do not allow traffic from public internet to the domain configured in `api_domain = "eskimomafia.com"` on port 80 to reach acme-dns currently. Your alternatives are either to allow this traffic, use self signed (and created) certificates, or to turn off TLS for acme-dns.


@BRTPOB commented on GitHub (Mar 5, 2019):

@joohoi I don't understand, I'm allowing port 80 traffic to the domain. I have ports 53, 80, 443 and all opened and pointing to the same server.


@joohoi commented on GitHub (Mar 5, 2019):

I don't seem to be able to connect to port 80 on eskimomafia.com from public internet.


@BRTPOB commented on GitHub (Mar 5, 2019):

Try now, sorry about that.


@joohoi commented on GitHub (Mar 5, 2019):

It seems like the connections to port 80 on `eskimomafia.com` are not reaching the acme-dns server, but are redirected by Nginx.

```
▶ curl -v http://eskimomafia.com
* Rebuilt URL to: http://eskimomafia.com/
*   Trying 109.255.235.241...
* TCP_NODELAY set
* Connected to eskimomafia.com (109.255.235.241) port 80 (#0)
> GET / HTTP/1.1
> Host: eskimomafia.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 05 Mar 2019 15:33:32 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< Location: https://www.eskimomafia.com/
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host eskimomafia.com left intact
```

@BRTPOB commented on GitHub (Mar 5, 2019):

So how should I go about doing this? Is there some sort of nginx redirect I should be setting up to run the acme-dns server?


@joohoi commented on GitHub (Mar 5, 2019):

Not necessarily, as I pointed out previously, this is only required if you are running `tls = "letsencrypt"`. You already seem to have a valid certificate for the domain, so I'd suggest you to change your configuration to following:

```
tls = "cert"
# only used if tls = "cert"
tls_cert_privkey = "/etc/letsencrypt/live/eskimomafia.com/privkey.pem"
tls_cert_fullchain = "/etc/letsencrypt/live/eskimomafia.com/fullchain.pem"
```

The example configuration above expects default certificate paths configured by Certbot.
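The three misconfigurations diagnosed across the comments above (a client host that is not `api_domain`, `tls = "letsencrypt"` behind a port-80 redirect that swallows the HTTP-01 validation, and a DNS listener bound to loopback) can be caught before the TLS handshake ever fails. The following is an added example, not acme-dns code or the reporter's config: it lints a constructed config against those findings, and the `[general] listen` / `[api] port` key layout is assumed from acme-dns's config format.

```python
import re

# Constructed sample config reproducing the thread's three problems; the
# section/key layout ([general] listen, [api] port) is assumed, not from the pastebin.
SAMPLE_CONFIG = '''
[general]
listen = "127.0.0.1:53"      # DNS listener bound to loopback

[api]
api_domain = "eskimomafia.com"
port = "4330"
tls = "letsencrypt"
autocert_port = "80"
'''

# Constructed from the curl output in the thread: nginx answers port 80 with a redirect.
PORT80_REDIRECT = {"status": 301, "Location": "https://www.eskimomafia.com/"}


def parse_config(text):
    """Collect key = "value" pairs, ignoring section headers and comments."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def lint(cfg, request_host, port80_response=None):
    """Return (code, message) findings for the failure modes discussed in the thread."""
    findings = []
    api_domain = cfg.get("api_domain", "")
    if request_host != api_domain:
        findings.append(("host-mismatch",
            f"client connects to {request_host!r} but api_domain is {api_domain!r}; "
            "autocert only obtains a certificate for api_domain"))
    if cfg.get("tls") == "letsencrypt":
        autocert_port = cfg.get("autocert_port", "80")
        if autocert_port != "80":
            findings.append(("autocert-port",
                f"public port 80 must be forwarded to autocert_port {autocert_port}"))
        if port80_response and 300 <= port80_response["status"] < 400:
            findings.append(("port80-redirect",
                f"port 80 answers {port80_response['status']} -> {port80_response.get('Location')}; "
                "HTTP-01 validation never reaches acme-dns, so the TLS handshake fails"))
    if cfg.get("listen", "").split(":")[0] in ("127.0.0.1", "localhost"):
        findings.append(("dns-loopback",
            "DNS listener is bound to loopback; it must be reachable on public port 53"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_config(SAMPLE_CONFIG), "eskimomafia.com", PORT80_REDIRECT):
        print(f"[{code}] {msg}")
```

Switching the sample to `tls = "cert"` and `listen = "0.0.0.0:53"` clears every finding, which is the resolution the thread arrives at.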


@BRTPOB commented on GitHub (Mar 5, 2019):

OK, so I made those updates but I'm getting a 404 instead whenever I try to do the /register command.


@joohoi commented on GitHub (Mar 5, 2019):

Are you trying to connect https://eskimomafia.com:4430/register as you seem to be using a non-standard port in your configuration?


@BRTPOB commented on GitHub (Mar 5, 2019):

That throws an error; if I try 443 or 80 it throws the 404. The 4330 says connection refused, which is currently forwarded to the server with acme-dns running. If I switch to the default port of 443, that throws the 404 not found.


@joohoi commented on GitHub (Mar 5, 2019):

This depends on your setup. There's something (most likely Nginx and/or firewall) interfering with your acme-dns setup that I can't unfortunately help you with.


@BRTPOB commented on GitHub (Mar 5, 2019):

OK, thanks, I was afraid of that.


@BRTPOB commented on GitHub (Mar 5, 2019):

OK, so I found an nginx config that you had commented on previously that talked about how to redirect the /register and /update URLs to the proper server. By changing the port to 4330, I was able to get it to register properly. Thanks for all the help, as it looks like I'm 99% of the way to where I wanted to get, and the last part should be simple enough to complete.

@schue30 this is what I changed my nginx config (split out into acme-dns.conf for clarity/cleanliness) looks like: https://pastebin.com/813xFQ7T

EDIT: I was able to get the redirects working and everything like I had originally wanted. The /register command now works as expected, and I'm about to try and setup the automated updating of the certs. Thanks again for all the help, @joohoi.
