getlantern / tlsmasq

A library for servers which masquerade as other TLS servers
Apache License 2.0

Checkfallbacks sometimes misses certificate issues #16

Open hwh33 opened 3 years ago

hwh33 commented 3 years ago

For example, a recently-launched proxy passed checkfallbacks, but connections fail with:

ERROR balancer: balancer.go:430 Unexpected error dialing via fp-mskr1c021hk-20210329-004-0 (20.194.37.25:443) to connect://update.getlantern.org:443: handshake failed: proxied handshake failed: x509: certificate is valid for *.hosting.reg.ru, hosting.reg.ru, not en.federalsp.ru on pass 1...continuing [beam=8 core_dial_time=[169.605314] dc=mskr1c021hk dial_type=connect error=%v dialing via %v to %s://%s: %v on pass %v%v error_location=github.com/getlantern/flashlight/balancer.(*balancedDial).onFailure (balancer.go:430) error_text=Unexpected error dialing via fp-mskr1c021hk-20210329-004-0 (20.194.37.25:443) to connect://update.getlantern.org:443: handshake failed: proxied handshake failed: x509: certificate is valid for *.hosting.reg.ru, hosting.reg.ru, not en.federalsp.ru on pass 1...continuing error_type=errors.Error force_proxied=true force_proxied_reason=routingrule local_proxy_type=http op=balancer_dial_details origin=update.getlantern.org:443 origin_host=update.getlantern.org origin_port=443 proxy_host=20.194.37.25 proxy_multiplexed=false proxy_name=fp-mskr1c021hk-20210329-004 proxy_network=tcp proxy_port=443 proxy_protocol=tlsmasq proxy_type=chained remotely_proxied=true root_op=proxy user_agent=Go-http-client/1.1]
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/balancer.(*balancedDial).onFailure (balancer.go:430)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/balancer.(*balancedDial).dialWithDialer (balancer.go:372)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/balancer.(*balancedDial).dial (balancer.go:327)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/balancer.(*Balancer).DialContext (balancer.go:277)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/client.(*Client).doDial.func2 (client.go:591)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/client.(*Client).doDial (client.go:620)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/client.(*Client).dial (client.go:562)
ERROR balancer: balancer.go:430   at github.com/getlantern/proxy.(*proxy).proceedWithConnect (proxy_connect.go:167)
ERROR balancer: balancer.go:430   at github.com/getlantern/proxy.(*proxy).processRequests (proxy_http.go:235)
ERROR balancer: balancer.go:430   at github.com/getlantern/proxy.(*proxy).handle (proxy_http.go:150)
ERROR balancer: balancer.go:430   at github.com/getlantern/proxy.(*proxy).Handle (proxy_http.go:40)
ERROR balancer: balancer.go:430   at github.com/getlantern/flashlight/client.(*Client).handle (handler.go:34)
ERROR balancer: balancer.go:430   at runtime.goexit (asm_amd64.s:1371)
ERROR balancer: balancer.go:430 Caused by: handshake failed: proxied handshake failed: x509: certificate is valid for *.hosting.reg.ru, hosting.reg.ru, not en.federalsp.ru

I think this usually comes down to non-determinism in how the origin site serves certificates (we see this occasionally). The configured SNI is based on cert A and when we run checkfallbacks, we get cert A and call it a successful launch. However, when clients connect, the origin site may serve cert B causing the connection to fail.
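As an added illustration of the gap described above (this is not code from the issue or from tlsmasq): a check that samples the origin's certificate over repeated handshakes instead of trusting a single one. `DialHandshake`, `CheckSNIStable` and `FlakyOrigin` are hypothetical names, and the stand-in certificates (SANs only) and the alternating origin are constructed to mirror the log.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
)

// HandshakeFn does one TLS handshake offering sni and returns the served leaf cert.
type HandshakeFn func(sni string) (*x509.Certificate, error)

// DialHandshake dials addr (host:port) for real. Verification is skipped at dial
// time only so the served cert can be inspected; CheckSNIStable verifies it.
func DialHandshake(addr string) HandshakeFn {
	return func(sni string) (*x509.Certificate, error) {
		conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
		if err != nil {
			return nil, err
		}
		defer conn.Close()
		return conn.ConnectionState().PeerCertificates[0], nil
	}
}

// CheckSNIStable repeats the handshake attempts times and returns every served
// cert that does not cover sni; a single attempt can pass by luck (the bug).
func CheckSNIStable(hs HandshakeFn, sni string, attempts int) ([]*x509.Certificate, error) {
	var mismatches []*x509.Certificate
	for i := 0; i < attempts; i++ {
		cert, err := hs(sni)
		if err != nil {
			return mismatches, err
		}
		if cert.VerifyHostname(sni) != nil {
			mismatches = append(mismatches, cert)
		}
	}
	return mismatches, nil
}

// FlakyOrigin simulates the origin from the issue with constructed stand-in
// certs (SANs only): cert A covers the SNI, cert B is the reg.ru hosting cert.
func FlakyOrigin() HandshakeFn {
	certs := []*x509.Certificate{{DNSNames: []string{"en.federalsp.ru"}}, {DNSNames: []string{"*.hosting.reg.ru", "hosting.reg.ru"}}}
	n := 0
	return func(string) (*x509.Certificate, error) {
		cert := certs[n%len(certs)]
		n++
		return cert, nil
	}
}
```

With one attempt the flaky origin passes exactly as checkfallbacks did; with several it surfaces the reg.ru certificate. A production check would also verify the chain (`cert.Verify`) and sample from more than one vantage point, since the cert served can depend on which origin server answers.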

hwh33 commented 2 years ago

Related to https://github.com/getlantern/grants/issues/301