SSL error after deployment

[pieterhouwen]

When I deploy RedCloud on my local Ubuntu after the installation I'm getting an SSL_ERROR_INTERNAL_ERROR alert in my Firefox. The docker logs don't show anything interesting and peeking around in the traefik container also yields no fruit (I'm not familiar with traefik at all so there's a good chance that I'm missing something).

Even when I try my external IP with HTTPS it gives the same error

[pieterhouwen]

curl shows the following:

root@vpn-machine:/home/pieter# curl https://192.168.2.24/portainer curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

[Numichi]

Deploy local

$ curl -v https:///portainer

• Trying ...
• TCP_NODELAY set
• Connected to () port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS alert, Server hello (2):
• error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
• stopped the pause stream!
• Closing connection 0 curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

[zero77]

Same for me when using debian sid also, with a local install.

curl -v https://192.168.0.14/portainer

• Trying 192.168.0.14:443...
• TCP_NODELAY set
• connect to 192.168.0.14 port 443 failed: Connection refused
• Failed to connect to 192.168.0.14 port 443: Connection refused
• Closing connection 0 curl: (7) Failed to connect to 192.168.0.14 port 443: Connection refused

curl https://192.168.0.14/portainer curl: (7) Failed to connect to 192.168.0.14 port 443: Connection refused

[zero77]

@ khast3x Should we provide any other logs or info.

[khast3x]

Hello,
I have retested local and remote deploy on a Ubuntu and Kali, seems there are no issues on my side.
Debian is not officially supported, but the problem must lie with the local policy regarding unsigned https certificates.

Redcloud uses a unsigned https certificate in both deployments. If you cannot enforce local policy to accept unsigned https certificate, you can maybe edit traefik and docker configuration to listen to port 80 with no https instead.

I will leave this issue open in case a Debian user finds the adequate approach.

Cheers!

[zero77]

Do you know where this local policy is set in Debian.

[khast3x]

I am unfamiliar with Debian maintenance, but it might come from the default repo's Firefox version and policy, maybe something like this.

Apart from that no idea sorry, hence leaving this issue open for other Debian users to help out.

Cheers!

[pieterhouwen]

Hi khast3x, I just tried again with a clean install of Ubuntu 18.04.5 LTS where I deployed locally, but the issue still persists.

Can you try downloading a clean Ubuntu Server 18.04.5 LTS image, follow the how-to in the install instructions, deploy locally and get back to us?

[edit] This is an internal SSL error, and not an unsigned cert error

[khast3x]

Hello,

I have tested on a local Ubuntu (almost fresh) with no issues, and a fresh Ubuntu on a VPS. I am confused as to why this is not the case for you. Just in case, when deploying locally, be sure not that have a VPN running.

Instead of using the external IP displayed by Redcloud could you try with 127.0.0.1:

• In a browser: https://127.0.0.1/portainer
• CLI: curl -k -v https://127.0.0.1/portainer

Please note that Redcloud is mostly used on remote VPS for labs, so the local use cases have not been fully tested (which is also why Redcloud displays the external IP for a local deploy).

Cheers

[pieterhouwen]

Hello, I'm currently installing a GUI on my server so I'll report back when I have news.

Just out of curiosity: Which version of Ubuntu do you use for testing?

[pieterhouwen]

Deploying locally with GUI and browsing to either https://localhost/portainer or https://127.0.0.1/portainer now shows a self signed cert error, which is great news because now we've moved a step ahead :D

So I guess that something in either the web configuration or something in Virtualbox is causing this issue

However, when I ignore the warning and actually get to the page I get greeted by a 404 error message.

Personally I don't have a VPS hanging around which I don't use to test this on.

[edit] I just ran the local deployment on the same Ubuntu installed in VMware Workstation Player and it worked right away.

[pieterhouwen]

So protip: ditch your Virtualbox Ubuntu server and install it in VMware

[khast3x]

Thank for your feedback! :handshake:
Seems like some lower level dark network magic is causing the SSL mechanism to crash. I don't have the bandwidth to investigate further but I hope it helps others.
On my side tests were performed on Ubuntu 18.04.4 LTS.

Feel free to update this issue if you find additional information.

Cheers!

[pieterhouwen]

I think I can dig a little deeper if I can watch the traffic logs somehow. Do you know if Traefik allows this and how to do it?

[khast3x]

You can view the container logs using docker logs CONTAINER where CONTAINER is one of the containers described here. Both the Traefik and Portainer containers should have traffic logs.
You can also access the Traefik web interface by browsing to https://your-ip/api with the credentials admin:Redcloud (these can be changed with the .htaccess file.)

Hope this helps

[pieterhouwen]

I have tried the docker logs -f with both the portainer and traefik containers but neither were giving out logs. The problem with looking at the Traefik web interface is that you would need a working connection to see why the connection isn't working. Defaulting back to HTTP also won't solve it I think because then you also won't have SSL errors.

Bit of a chicken/egg situation :)

[khast3x]

The easiest way to access the logs in this case should be:
docker volume inspect redcloud_logs, and changing directory to the path indicated by the "Mountpoint" key, should be something like:

cd /var/lib/docker/volumes/redcloud_logs/_data. You'll have the saved logs access.log and traefik.log in this directory.

Cheers

[FrankensteinEvil0069]

I typed command python3 redcloud.py

then i get this error

2 [?] Target IP or hostname?

[?] Target username? (Default: root) root ssh: connect to host ------------- port 22: Connection refused [!] Something went wrong with running command Command '['ssh', 'root@-----------------', 'command', '-v', 'curl', '||', 'echo', '"error"']' returned non-zero exit status 255. Traceback (most recent call last): File "/root/redcloud/redcloud.py", line 418, in menu_deploy_target() File "/root/redcloud/redcloud.py", line 370, in menu_deploy_target deploy_remote_ssh() File "/root/redcloud/redcloud.py", line 215, in deploy_remote_ssh if output != "error" and len(output) != 0: TypeError: object of type 'NoneType' has no len()

ANY HELP ??

[pieterhouwen]

@FrankensteinEvil0069 Check if the machine is actually reachable from SSH, if it is open a seperate issue for this.

Closing this issue because I was unable to reproduce this behavior.