openresty / opm

OpenResty Package Manager
https://opm.openresty.org/

opm.openresty.org ssl error occurring #68

Closed stamf closed 5 years ago

stamf commented 5 years ago

Hello openresty team,

It seems https://opm.openresty.org is failing to complete the SSL handshake, yielding a TLS alert during the server hello phase.

With opm:

# opm get jkeys089/lua-resty-hmac
* Fetching jkeys089/lua-resty-hmac  
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
ERROR: failed to run command "curl -sS -i -A 'opm 0.0.5 (x86_64-linux-thread-multi, perl v5.26.2)' 'https://opm.openresty.org/api/pkg/fetch?account=jkeys089&name=lua-resty-hmac&op=&version='"

With a plain curl:

$ curl -v https://opm.openresty.org
* Rebuilt URL to: https://opm.openresty.org/
*   Trying 188.166.239.230...
* TCP_NODELAY set
* Connected to opm.openresty.org (188.166.239.230) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

With openssl s_client:

$ openssl s_client -connect opm.openresty.org:443
CONNECTED(00000003)
139796474515008:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---

stamf commented 5 years ago

The situation seems to have just now resolved itself, closing ticket!

danihodovic commented 5 years ago

This is a recurring issue for me...

[09:58:19]     ERROR: failed to run command "curl -sS -i -A 'opm 0.0.5 (x86_64-linux-thread-multi, perl v5.26.2)' 'https://opm.openresty.org/api/pkg/fetch?account=knyar&name=nginx-lua-prometheus&op=&version='"

agentzh commented 5 years ago

@danihodovic Are you still having problems? Sorry for the late reply.

biletnikov commented 3 years ago

Hello all, it seems the certificate issue has appeared again.

* Fetching leafo/pgmoon
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
ERROR: failed to run command "curl -sS -i -A 'opm 0.0.6 (x86_64-linux-gnu-thread-multi, perl v5.24.1)' 'https://opm.openresty.org/api/pkg/fetch?account=leafo&name=pgmoon&op=&version='"

I am trying to build a new Docker image on the basis of the image I used successfully before:

xiaocang commented 3 years ago

Hi @biletnikov, because opm.openresty.org uses a certificate issued by Let's Encrypt, and the root certificate of Let's Encrypt expired on September 30 (see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/), please renew ca-certificates on your system or update the base Docker image, then try again.
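
A way to audit a trust store for the condition the reply above describes, as an added example that is not part of the thread or of opm: it lists roots whose notAfter has passed and reports whether a still-valid ISRG Root X1 is present. The root name ISRG Root X1, the bundle path in the docstring, and the sample entries are assumptions constructed for illustration.

```python
import ssl
import time

ISRG_ROOT_X1 = "ISRG Root X1"  # assumption: the Let's Encrypt root a refreshed bundle carries


def common_name(cert):
    """Pull commonName out of the nested subject tuple used by get_ca_certs()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"


def audit_roots(certs, now=None):
    """Return (sorted names of expired roots, True if a valid ISRG Root X1 is present)."""
    now = time.time() if now is None else now
    expired, has_isrg = [], False
    for cert in certs:
        name = common_name(cert)
        if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
            expired.append(name)
        elif name == ISRG_ROOT_X1:
            has_isrg = True
    return sorted(expired), has_isrg


def load_bundle(cafile):
    """Load a PEM bundle (e.g. /etc/ssl/certs/ca-certificates.crt) as cert dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


# Constructed sample entries in get_ca_certs() format, not read from a real bundle.
DST = {"subject": ((("commonName", "DST Root CA X3"),),),
       "notAfter": "Sep 30 14:01:15 2021 GMT"}
ISRG = {"subject": ((("commonName", "ISRG Root X1"),),),
        "notAfter": "Jun  4 11:04:38 2035 GMT"}
STALE_BUNDLE, FRESH_BUNDLE = [DST], [ISRG]
CHECK_TIME = ssl.cert_time_to_seconds("Oct  1 00:00:00 2021 GMT")

if __name__ == "__main__":
    for label, bundle in (("stale", STALE_BUNDLE), ("fresh", FRESH_BUNDLE)):
        print(label, audit_roots(bundle, now=CHECK_TIME))
```

On a real host, pass `load_bundle(path)` to `audit_roots` before and after renewing ca-certificates to confirm the trust store actually changed.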

biletnikov commented 3 years ago

Thanks. But I had found a solution by migrating from the stretch to the buster Docker image.