cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received (Cloudflare) #20807

Open lushythedev opened 3 months ago

lushythedev commented 3 months ago

Explain what happens

  1. My Cloudflare SSL certificates are fine, but running openssl s_client -connect IP:9090 -servername www.website.com returns this:
    CONNECTED(00000003)
    depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
    verify error:num=21:unable to verify the first certificate
    verify return:1
    depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
    verify return:1
    ---
    Certificate chain
    0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
    i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Jul 27 15:01:00 2024 GMT; NotAfter: Jul 24 15:01:00 2039 GMT
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    snipped to make report shorter
    -----END CERTIFICATE-----
    subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
    issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 1746 bytes and written 397 bytes
    Verification error: unable to verify the first certificate
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 21 (unable to verify the first certificate)
    ---
  2. I'm using NGINX; my certificates are stored at /etc/ssl/cert.pem and /etc/ssl/key.pem.

I tried concatenating the certificates:

cat /etc/ssl/cert.pem > /etc/cockpit/ws-certs.d/ssl.cert

Then I ensured the key was properly set:

cp /etc/ssl/key.pem /etc/cockpit/ws-certs.d/ssl.key

I verified file permissions:

sudo chmod 600 /etc/cockpit/ws-certs.d/ssl.key
sudo chmod 644 /etc/cockpit/ws-certs.d/ssl.cert

Then restarted cockpit with sudo systemctl restart cockpit

I am then left with a TLS error:

     Loaded: loaded (/lib/systemd/system/cockpit.service; static)
     Active: inactive (dead) since Sat 2024-07-27 18:45:26 UTC; 3min 10s ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 1199 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
    Process: 1200 ExecStart=/usr/lib/cockpit/cockpit-tls (code=exited, status=0/SUCCESS)
   Main PID: 1200 (code=exited, status=0/SUCCESS)
        CPU: 205ms

Jul 27 18:41:36 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:41:36 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:41:36 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:42:41 userxjff cockpit-tls[1200]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.

I have also tried changing Cloudflare settings from Strict to Full, which made no difference. Any help would be great. Thanks

Version of Cockpit

264-1ubuntu0.22.04.1

Where is the problem in Cockpit?

Unknown or not applicable

Server operating system

Ubuntu

Server operating system version

Ubuntu 22.04.4 LTS

What browsers are you using?

Chrome

System log

Jul 27 18:16:23 userxjff systemd[1]: Starting Cockpit Web Service...
Jul 27 18:16:23 userxjff cockpit-certificate-ensure[2387]: /usr/lib/cockpit/cockpit-certificate-helper: line 32: sscg: command not fo>
Jul 27 18:16:23 userxjff cockpit-certificate-ensure[2388]: ........+......+....+........+......+....+...+...+......+.....+....+.....+>
Jul 27 18:16:23 userxjff cockpit-certificate-ensure[2388]: ..+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>
Jul 27 18:16:23 userxjff cockpit-certificate-ensure[2388]: -----
Jul 27 18:16:23 userxjff systemd[1]: Started Cockpit Web Service.
Jul 27 18:16:23 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:23 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:16:28 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:17:57 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:01 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:02 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:02 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:02 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:02 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:02 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:25 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:26 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:26 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:26 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:34 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:42 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jul 27 18:18:43 userxjff cockpit-tls[2395]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.

Dibyajyoti-08 commented 2 months ago

Hi lushythedev, the error you are facing can have two possible reasons:

Missing Intermediate Certificate

Root certificate is not trusted

This error, gnutls_handshake failed: A TLS fatal alert has been received, I faced when I was setting up Jenkins on my local system through nginx.

A possible solution is to create a correct full certificate chain, consisting of your certificate + intermediate certificate + root certificate.

Try verifying your full chain with openssl:

$ openssl s_client -connect IP:9090 -servername www.website.com -CAfile /etc/ssl/fullchain.pem

Or I can show you how I set it up in nginx; if possible, please share your nginx configuration, maybe we can find the solution there.

Best Regards, DJ
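Added example (not code from the cockpit project or from either commenter) covering both the certificate steps in the report and the chain check suggested in the answer: it builds a constructed private "origin" CA and a leaf it issued directly in a temp directory, confirms the private key belongs to the certificate, counts the certificates in the file, and reproduces the "unable to get local issuer certificate" result from the report next to a verify that passes once the issuing CA is supplied with -CAfile. Every path under $WORK is constructed; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the cockpit project: pre-flight checks for a
# cert/key pair before placing it in /etc/cockpit/ws-certs.d/. Needs openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a private origin CA and a leaf it issued directly.
make_fixtures() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 \
    -subj "/O=Example Origin CA/CN=Example Origin Root" >/dev/null 2>&1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ssl.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ssl.cert" \
    -days 30 >/dev/null 2>&1
  # an unrelated key, to show what a cert/key mismatch looks like
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"
}

# Does the private key belong to the certificate? Compares the public keys,
# so it works for RSA and EC alike. $1 = cert file, $2 = key file.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Number of certificates in a PEM file; 1 means nothing was concatenated
# after the leaf (the "missing intermediate" case from the answer).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Chain verification. $1 = cert, $2 = CA file; an empty $2 skips the default
# CA file/directory, so a private CA is untrusted: the error s_client showed.
verify_against() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

make_fixtures
echo "certificates in ssl.cert: $(cert_count "$WORK/ssl.cert")"
key_matches_cert "$WORK/ssl.cert" "$WORK/ssl.key" && echo "ssl.key matches ssl.cert"
key_matches_cert "$WORK/ssl.cert" "$WORK/other.key" || echo "other.key does not match"
verify_against "$WORK/ssl.cert" "" || echo "no CA given: unable to get local issuer certificate"
verify_against "$WORK/ssl.cert" "$WORK/ca.pem" && echo "with the issuing CA as -CAfile: OK"
```

Point the three functions at the real files instead of the fixtures to check a deployment; a count of 1 with a non-root issuer, or a key mismatch, explains a failed handshake before cockpit-tls is even restarted.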