opm.openresty.org ssl error occurring
Hello openresty team,
It seems https://opm.openresty.org is failing to complete the SSL handshake, yielding a TLS alert during the server hello phase.
With opm:
# opm get jkeys089/lua-resty-hmac
* Fetching jkeys089/lua-resty-hmac
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
ERROR: failed to run command "curl -sS -i -A 'opm 0.0.5 (x86_64-linux-thread-multi, perl v5.26.2)' 'https://opm.openresty.org/api/pkg/fetch?account=jkeys089&name=lua-resty-hmac&op=&version='"
With a plain curl:
$ curl -v https://opm.openresty.org
* Rebuilt URL to: https://opm.openresty.org/
* Trying 188.166.239.230...
* TCP_NODELAY set
* Connected to opm.openresty.org (188.166.239.230) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
With openssl s_client:
$ openssl s_client -connect opm.openresty.org:443
CONNECTED(00000003)
139796474515008:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
The situation seems to have just now resolved itself, closing ticket!
This is a recurring issue for me...
[09:58:19] ERROR: failed to run command "curl -sS -i -A 'opm 0.0.5 (x86_64-linux-thread-multi, perl v5.26.2)' 'https://opm.openresty.org/api/pkg/fetch?account=knyar&name=nginx-lua-prometheus&op=&version='"
@danihodovic Are you still having problems? Sorry for the late reply.
Hello all,
it seems the certificate issue has appeared again.
- Fetching leafo/pgmoon
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: failed to run command "curl -sS -i -A 'opm 0.0.6 (x86_64-linux-gnu-thread-multi, perl v5.24.1)' 'https://opm.openresty.org/api/pkg/fetch?account=leafo&name=pgmoon&op=&version='"
I am trying to build a new Docker image on the basis of the image I used successfully before:
Hi @biletnikov, because opm.openresty.org uses the certificate issued by Let's Encrypt, and the root certificate of Let's Encrypt expired on September 30 (see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/), please renew ca-certificates on your system or update the base Docker image, then try again.
Thanks.
But I had found a solution by migrating from the stretch to the buster Docker image.
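
The reply above attributes the `certificate has expired` failure to an outdated CA bundle on the client. As an added example (not code from this thread or from the OpenResty project), the script below lists the certificates in a PEM bundle, such as the `/etc/ssl/certs/ca-certificates.crt` file that curl reports as its CAfile, that are expired or expire within a given window. It assumes the `openssl` command-line tool is installed; the function names `expiring_in_bundle` and `count_expiring` are made up for this example.

```shell
#!/bin/sh
# Added example: report certificates in a PEM CA bundle that are expired
# or will expire soon. Assumes the openssl command-line tool is installed.

# expiring_in_bundle BUNDLE [SECONDS]   (hypothetical helper name)
# Prints "<notAfter><TAB><subject>" for every certificate that expires
# within SECONDS from now. SECONDS=0 (default) means "already expired".
expiring_in_bundle() {
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%05d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || continue
        # Skip blocks openssl cannot parse instead of reporting them as expired.
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "skipping unparsable certificate block in $bundle" >&2
            continue
        fi
        # -checkend exits non-zero when notAfter falls within $window seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2-)
            subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
            printf '%s\t%s\n' "$end" "$subj"
        fi
    done
    rm -rf "$tmpdir"
}

# count_expiring BUNDLE [SECONDS]: number of flagged certificates.
count_expiring() {
    expiring_in_bundle "$1" "${2:-0}" | wc -l | tr -d ' '
}
```

Running `expiring_in_bundle /etc/ssl/certs/ca-certificates.crt` inside the build image before and after updating ca-certificates shows whether an expired root is still in the trust store.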