
This site can’t provide a secure connection - ERR_SSL_PROTOCOL_ERROR #148

Closed
adviserportals opened this issue Mar 9, 2021 · 6 comments
Labels
question Further information is requested

Comments

@adviserportals

We have a domain that is working with www but failing on non-www with:

This site can’t provide a secure connection
barkestoneassociates.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

The error logs say:

2021-03-08T15:15:48.737Z        info    tlslistener/tlslistenershandler.go:231  TLS Handshake   {"connection_id": "a3ebd36c-3b97-480b-b52c-a57fd412f171", "error": "have no certificate for domain"}
2021-03-08T15:15:48.811Z        info    cert_manager/manager.go:156     Get certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "original_domain": "barkestoneassociates.com"}
2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "cert_name": "barkestoneassociates.com.ecdsa", "error": "x509: certificate is valid for www.barkestoneassocia$
github.com/rekby/lets-proxy2/internal/log.levelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:165
crypto/tls.(*Config).getCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:166     Got certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "certificate": "tls nil", "error": "have no certificate for domain"}
2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:171     ECDSA certificate was failed, try to get RSA certificate        {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)"}
2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "retry_type": "rsa", "cert_name": "barkestoneassociates.com.rsa", "error": "x509: certificate is valid for ww$
github.com/rekby/lets-proxy2/internal/log.levelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
github.com/rekby/lets-proxy2/internal/log.LevelParam
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:173
crypto/tls.(*Config).getCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
crypto/tls.(*serverHandshakeStateTLS13).handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
crypto/tls.(*Conn).serverHandshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
crypto/tls.(*Conn).Handshake
        /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
        /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230

It's almost as if it is trying to get a pre-existing certificate but is failing?

@rekby
Owner

rekby commented Mar 10, 2021

Hello.
It says the certificate is issued only for the www variant.
I see many certificates issued for the domain with www and no certificates for the domain without www in the certificate transparency log.

Lets-proxy tries to get certificates for www and non-www at the same time (by default). This means there is a problem with issuing a certificate for barkestoneassociates.com without www.

Try moving barkestoneassociates.com.* out of the storage, enable debug log in the config, then connect to the domain and send me the logs from the session that issues the certificate. It will help to research the reason for the error while issuing the certificate for the non-www domain.

@rekby rekby added the question Further information is requested label Mar 10, 2021
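The "x509: certificate is valid for www..." line in the log above is what Go's `crypto/tls` server path reports when the certificate handed back by the `GetCertificate` callback does not cover the SNI name the client asked for: a certificate whose SAN list contains only `www.barkestoneassociates.com` cannot be served for `barkestoneassociates.com`, so the handshake aborts and the browser shows ERR_SSL_PROTOCOL_ERROR. The following is an added example, not code from lets-proxy2, that reproduces the check with a locally generated self-signed certificate; the `certStore` map, the `example.com` names and the `needsReissue` helper are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certStore stands in for an on-disk certificate cache keyed by the requested
// domain (assumption for the example; lets-proxy2's real storage differs).
type certStore map[string]*tls.Certificate

// newSelfSigned builds a throwaway ECDSA certificate whose SAN list is exactly
// sans. Constructed test data only; a real proxy gets this from the ACME issuer.
func newSelfSigned(sans ...string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// lookup mimics the "get certificate from local state" step: the cached entry is
// usable only if its SAN list covers the SNI name, otherwise the caller gets the
// same x509.HostnameError text that appears in the issue's log.
func (s certStore) lookup(domain string) (*tls.Certificate, error) {
	c, ok := s[domain]
	if !ok {
		return nil, errors.New("have no certificate for domain")
	}
	if err := c.Leaf.VerifyHostname(domain); err != nil {
		return nil, err
	}
	return c, nil
}

// needsReissue reports whether a domain must go back to the issuer: either no
// cached certificate exists or the cached one does not name the domain.
func (s certStore) needsReissue(domain string) bool {
	_, err := s.lookup(domain)
	var hostErr x509.HostnameError
	return err != nil && (errors.As(err, &hostErr) || err.Error() == "have no certificate for domain")
}

// getCertificate is the shape of a tls.Config.GetCertificate callback that
// refuses to serve a certificate for a name it does not cover.
func (s certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.lookup(hello.ServerName)
}

func main() {
	wwwOnly, err := newSelfSigned("www.example.com")
	if err != nil {
		panic(err)
	}
	// The failure mode from the issue: the bare-domain slot holds a www-only certificate.
	store := certStore{"www.example.com": wwwOnly, "example.com": wwwOnly}
	_, err = store.getCertificate(&tls.ClientHelloInfo{ServerName: "example.com"})
	fmt.Println("bare domain with www-only cert:", err)
	fmt.Println("needs reissue:", store.needsReissue("example.com"))

	// The fix: a certificate whose SAN list names both variants serves both.
	both, err := newSelfSigned("example.com", "www.example.com")
	if err != nil {
		panic(err)
	}
	store["example.com"], store["www.example.com"] = both, both
	_, err = store.getCertificate(&tls.ClientHelloInfo{ServerName: "example.com"})
	fmt.Println("bare domain with dual-SAN cert:", err)
}
```

To confirm which names a live server actually presents for each SNI value, fetch the leaf with `openssl s_client -servername barkestoneassociates.com -connect barkestoneassociates.com:443 </dev/null | openssl x509 -noout -text` and read the Subject Alternative Name extension; repeat with the www name. A handshake that fails before any certificate is sent corresponds to the "have no certificate for domain" path above.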
@brandymedia

Hi, thanks for the info.

The storage folder is not accessible when you try to cd into it. Is it safe to change permissions to allow access?

Should enable debug log be done in my custom config.toml - then restart the service?

Thanks for your help.

@rekby
Owner

rekby commented Mar 10, 2021

The storage folder is created with rwx------ (0700) rights. It has full access from the user which starts lets-proxy and no access for other users.

You can access it as root or as lets-proxy's user.

Yes, you have to restart the service after changing the config.

@brandymedia

I removed all records from the storage folder relating to the domain, set the config LogLevel = "debug" then restarted the service.

The domain now works on both www and non-www 👍🏻

The logs are as follows:

2021-03-11T09:20:42.182Z        debug   proxy/directors.go:74   Set target as same ip   {"connection_id": "d6fea9e3-ffda-4424-8a28-9a4e1f1ccf38", "local_addr": "82.71.181.185:443", "dest_host": "barkestoneassociates.com"}
2021-03-11T09:20:42.182Z        debug   proxy/directors.go:136  Parse remote addr for headers   {"connection_id": "d6fea9e3-ffda-4424-8a28-9a4e1f1ccf38", "host": "193.238.69.76", "port": "65271"}
2021-03-11T09:20:42.182Z        debug   proxy/transport.go:29   Use default http transport      {"connection_id": "d6fea9e3-ffda-4424-8a28-9a4e1f1ccf38"}
2021-03-11T09:20:46.832Z        debug   proxy/http-proxy.go:87  Get connection context for request      {"connection_id": "d6fea9e3-ffda-4424-8a28-9a4e1f1ccf38"}

It looks like this has resolved the issue but not sure what caused it in the first place.

I wonder whether there was any forwarding between the www and non-www version which could have caused a problem.

Thanks for your help.

@rekby
Owner

rekby commented Mar 12, 2021

Ok.
It can be a bug in certificate re-issue and needs research.
#149

@rekby rekby closed this as completed Mar 12, 2021
@brandymedia

👍🏻
