Last active
September 27, 2022 19:02
-
-
Save dentarg/4ec9f98565f0f5287ff4bcad92f1c886 to your computer and use it in GitHub Desktop.
TLS fail with Fly.io, why?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ host debug.fly.dev | |
| debug.fly.dev has address 188.93.151.254 | |
| debug.fly.dev has IPv6 address 2a09:8280:1:763f:8bdd:34d1:c624:78cd | |
| $ curl -o /dev/null -s -v --http1.1 --header 'Host: debug.fly.dev' https://188.93.151.254 | |
| * Trying 188.93.151.254:443... | |
| * Connected to 188.93.151.254 (188.93.151.254) port 443 (#0) | |
| * ALPN: offers http/1.1 | |
| } [5 bytes data] | |
| * TLSv1.3 (OUT), TLS handshake, Client hello (1): | |
| } [512 bytes data] | |
| * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 188.93.151.254:443 | |
| * Closing connection 0 | |
| $ curl -o /dev/null -s -v --http1.1 https://debug.fly.dev | |
| * Trying 188.93.151.254:443... | |
| * Connected to debug.fly.dev (188.93.151.254) port 443 (#0) | |
| * ALPN: offers http/1.1 | |
| } [5 bytes data] | |
| * TLSv1.3 (OUT), TLS handshake, Client hello (1): | |
| } [512 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, Server hello (2): | |
| { [122 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): | |
| { [25 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, Certificate (11): | |
| { [3815 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, CERT verify (15): | |
| { [79 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, Finished (20): | |
| { [52 bytes data] | |
| * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): | |
| } [1 bytes data] | |
| * TLSv1.3 (OUT), TLS handshake, Finished (20): | |
| } [52 bytes data] | |
| * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 | |
| * ALPN: server accepted http/1.1 | |
| * Server certificate: | |
| * subject: CN=*.fly.dev | |
| * start date: Sep 24 23:24:04 2022 GMT | |
| * expire date: Dec 23 23:24:03 2022 GMT | |
| * subjectAltName: host "debug.fly.dev" matched cert's "*.fly.dev" | |
| * issuer: C=US; O=Let's Encrypt; CN=R3 | |
| * SSL certificate verify ok. | |
| } [5 bytes data] | |
| > GET / HTTP/1.1 | |
| > Host: debug.fly.dev | |
| > User-Agent: curl/7.84.0 | |
| > Accept: */* | |
| > | |
| { [5 bytes data] | |
| * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): | |
| { [81 bytes data] | |
| * Mark bundle as not supporting multiuse | |
| < HTTP/1.1 200 OK | |
| < fly-region: fra | |
| < remote-addr: 172.19.0.209:62720 | |
| < date: Tue, 27 Sep 2022 18:52:44 GMT | |
| < content-length: 1203 | |
| < content-type: text/plain; charset=utf-8 | |
| < server: Fly/dcd9677e (2022-09-22) | |
| < via: 1.1 fly.io | |
| < fly-request-id: 01GE04PN9HQHJXNXCRQ9JVD10B-fra | |
| < | |
| { [1203 bytes data] | |
| * Connection #0 to host debug.fly.dev left intact |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ showcerts debug.fly.dev 443 | |
| CONNECTED(00000005) | |
| depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 | |
| verify return:1 | |
| depth=1 C = US, O = Let's Encrypt, CN = R3 | |
| verify return:1 | |
| depth=0 CN = *.fly.dev | |
| verify return:1 | |
| --- | |
| Certificate chain | |
| 0 s:/CN=*.fly.dev | |
| i:/C=US/O=Let's Encrypt/CN=R3 | |
| -----BEGIN CERTIFICATE----- | |
| MIIETjCCAzagAwIBAgISA9otMSuMr7adH8i5RZ50JyWdMA0GCSqGSIb3DQEBCwUA | |
| MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD | |
| EwJSMzAeFw0yMjA5MjQyMzI0MDRaFw0yMjEyMjMyMzI0MDNaMBQxEjAQBgNVBAMM | |
| CSouZmx5LmRldjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEUhlkSYvdPtnf1J | |
| w9WVCJ074p6S4LV4w6fcOHKeaUh0/y0zo2SAU3lXBxt988bEd/51bv6GIss2MNJI | |
| rTTAsHmjggJFMIICQTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH | |
| AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMt9kWuycE2DOhv2 | |
| JqWX5AvKHNOwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsG | |
| AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIG | |
| CCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBQGA1UdEQQNMAuCCSou | |
| Zmx5LmRldjBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYG | |
| CCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB | |
| 1nkCBAIEgfYEgfMA8QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceE | |
| AAABg3IHmrEAAAQDAEcwRQIgRkZwKGLgAp/8z/F/o3WvT1AQzgwKG5CkkcCpbpi7 | |
| C6cCIQCkUDA8bqzTkyLEiXyaQjLkhpwVsFHk/RtuqV+/RDt18AB3AG9Tdqwx8DEZ | |
| 2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABg3IHnAwAAAQDAEgwRgIhALZECaLj | |
| tKpW13i1APgtlbYY6i2DdG5ZCpzIpDywptcFAiEAzOk8xeZeXk9bOmMgyQDjehg8 | |
| 0wDCxh6wIlNoIaLwDW8wDQYJKoZIhvcNAQELBQADggEBAEdmPvIgbkMGv+gEDMQ6 | |
| X5MFdrSKcWp/o+1Xhx1AThhiyZbq908OesJCP8Re49X9QvnJ9s3ArqUqSQBwWxw0 | |
| +LQAMjhUUUd2eNAk+5wZHVIklJtFeiOxQnNv4UAg/mV9ep1J20W68RgwnwSoOcP5 | |
| whwShAEKmx9tptYqDLdGZ1J49vYhoeY6Rh5q6TDShz4WBo+syplo/UMijdNMmZDX | |
| rB1NbXALs1ic0JcA3cjiL7lETaVhYB//TY4FP5HTuMfCfRWzNSOTZMTdQCsRe66W | |
| RCA5VlhCSUywM4HdNQo3ili2w5uNUyPIlH4AEa8xMVxwT+kpXA2nhGWroQcSEYmN | |
| cfg= | |
| -----END CERTIFICATE----- | |
| 1 s:/C=US/O=Let's Encrypt/CN=R3 | |
| i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 | |
| -----BEGIN CERTIFICATE----- | |
| MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw | |
| TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh | |
| cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw | |
| WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg | |
| RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK | |
| AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP | |
| R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx | |
| sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm | |
| NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg | |
| Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG | |
| /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC | |
| AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB | |
| Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA | |
| FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw | |
| AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw | |
| Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB | |
| gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W | |
| PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl | |
| ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz | |
| CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm | |
| lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 | |
| avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 | |
| yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O | |
| yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids | |
| hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ | |
| HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv | |
| MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX | |
| nLRbwHOoq7hHwg== | |
| -----END CERTIFICATE----- | |
| 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 | |
| i:/O=Digital Signature Trust Co./CN=DST Root CA X3 | |
| -----BEGIN CERTIFICATE----- | |
| MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ | |
| MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT | |
| DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow | |
| TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh | |
| cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB | |
| AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC | |
| ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL | |
| wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D | |
| LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK | |
| 4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 | |
| bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y | |
| sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ | |
| Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 | |
| FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc | |
| SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql | |
| PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND | |
| TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw | |
| SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 | |
| c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx | |
| +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB | |
| ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu | |
| b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E | |
| U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu | |
| MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC | |
| 5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW | |
| 9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG | |
| WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O | |
| he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC | |
| Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 | |
| -----END CERTIFICATE----- | |
| --- | |
| Server certificate | |
| subject=/CN=*.fly.dev | |
| issuer=/C=US/O=Let's Encrypt/CN=R3 | |
| --- | |
| No client certificate CA names sent | |
| Server Temp Key: ECDH, X25519, 253 bits | |
| --- | |
| SSL handshake has read 4076 bytes and written 303 bytes | |
| --- | |
| New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305 | |
| Server public key is 256 bit | |
| Secure Renegotiation IS supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.2 | |
| Cipher : ECDHE-ECDSA-CHACHA20-POLY1305 | |
| Session-ID: C06CED1DC30263505F8E2056D354F5600F3183FAC8F9FFEBA76B9CEFACB98D6D | |
| Session-ID-ctx: | |
| Master-Key: 889105A5C755565AD6FFA1744A61D413ACBC8A851CFEE456D6C22805A10481610FEC4EAF68835B1E454CF848CEF8CD8A | |
| Start Time: 1664305009 | |
| Timeout : 7200 (sec) | |
| Verify return code: 0 (ok) | |
| --- | |
| poll error | |
| $ showcerts 188.93.151.254 443 | |
| CONNECTED(00000003) | |
| 4308502060:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/Library/BuildRoots/20d6c351-ee94-11ec-bcaf-7247572f23b4/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/ssl/ssl_pkt.c:585: | |
| --- | |
| no peer certificate available | |
| --- | |
| No client certificate CA names sent | |
| --- | |
| SSL handshake has read 0 bytes and written 0 bytes | |
| --- | |
| New, (NONE), Cipher is (NONE) | |
| Secure Renegotiation IS NOT supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.2 | |
| Cipher : 0000 | |
| Session-ID: | |
| Session-ID-ctx: | |
| Master-Key: | |
| Start Time: 1664305018 | |
| Timeout : 7200 (sec) | |
| Verify return code: 0 (ok) | |
| --- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment