INFO: [Oct 15 10:51:47.144] creating new server object from API response server=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.144] creating new server object from API response server=852ac61e-8029-4587-959e-450971edeecd
INFO: [Oct 15 10:51:47.145] registering event listeners: console, state, resources... server=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.146] registering event listeners: console, state, resources... server=852ac61e-8029-4587-959e-450971edeecd
DEBUG: [Oct 15 10:51:47.147] syncing stop configuration with configured docker environment server=46c11588-8b63-4c03-82f9-54d157b34476
DEBUG: [Oct 15 10:51:47.148] syncing stop configuration with configured docker environment server=852ac61e-8029-4587-959e-450971edeecd
INFO: [Oct 15 10:51:47.149] finished processing server configurations duration=5.705226ms
INFO: [Oct 15 10:51:47.158] loaded configuration for server server=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.158] loaded configuration for server server=852ac61e-8029-4587-959e-450971edeecd
INFO: [Oct 15 10:51:47.160] configuring server environment and restoring to previous state server=852ac61e-8029-4587-959e-450971edeecd
INFO: [Oct 15 10:51:47.160] configuring server environment and restoring to previous state server=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.166] detected server is running, re-attaching to process... server=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.166] detected server is running, re-attaching to process... server=852ac61e-8029-4587-959e-450971edeecd
DEBUG: [Oct 15 10:51:47.187] saw server status change event server=852ac61e-8029-4587-959e-450971edeecd status=running
DEBUG: [Oct 15 10:51:47.192] starting resource polling for container container_id=852ac61e-8029-4587-959e-450971edeecd
DEBUG: [Oct 15 10:51:47.210] saw server status change event server=46c11588-8b63-4c03-82f9-54d157b34476 status=running
INFO: [Oct 15 10:51:47.215] configuring internal webserver host_address=0.0.0.0 host_port=8080 use_auto_tls=false use_ssl=true
DEBUG: [Oct 15 10:51:47.215] starting resource polling for container container_id=46c11588-8b63-4c03-82f9-54d157b34476
INFO: [Oct 15 10:51:47.216] sftp subsystem listening for connections host=0.0.0.0 port=2022
2020/10/15 10:51:52 http: TLS handshake error from xxx.xxx.xxx.58:54592: local error: tls: bad record MAC
2020/10/15 10:51:52 http: TLS handshake error from xxx.xxx.xxx.58:54594: local error: tls: bad record MAC
I’ve confirmed there’s not any faulty hardware or drivers through extensive testing inside and outside the OS. Turned off hardware preload to be sure with no repair. There’s no security issue. And the MTU is fine. I reported it since it’s a Go specific error and doesn’t provide enough information
Hi,
I am new to Vulcain, will try to explain the issue as good as possible.
At the moment I am facing an issue about TLS, this is what I execute to produce it:
curl 'https://localhost:8443' -X OPTIONS -H 'Sec-Fetch-Mode: no-cors' -H 'Access-Control-Request-Method: POST' curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Which results in the following log entry:
vulcain_1 | time="2020-04-06T18:51:56Z" level=info msg="Vulcain started" addr= protocol=https
vulcain_1 | 2020/04/06 18:52:04 http: TLS handshake error from 192.160.1.1:33854: local error: tls: bad record MAC
First I only used the image directly but this is impossible to debug so I created my own as follows:
Dockerfile
FROM alpine COPY --from=dunglas/vulcain /vulcain / EXPOSE 80 443 COPY entry-point.sh /entry-point RUN chmod +x /entry-point RUN ls -la / WORKDIR / ENV DEBUG=1 CMD /entry-point
entry-point.sh
#!/bin/sh # Make sure 'debug' env is set, which prints "1", weirdly enough vulcain reports that the erorr log level is INFO, issue for another day I guess.. echo "CUSTOM ENTRY POINT, env[DEBUG]: $DEBUG" # Make sure the certs are correctly mounted from dev-tls image (comes with api-platform (some php framework)) ls -la /certs # Start vulcain with some additional attempts (no GoLang experience..) to enable debugging to get any clue of what is going on... /vulcain --debug -vvv
This is the startup log:
Attaching to inventory_vulcain_1
vulcain_1 | CUSTOM ENTRY POINT, env[DEBUG]: 1
vulcain_1 | total 20
vulcain_1 | drwxr-xr-x 2 root root 4096 Mar 28 14:28 .
vulcain_1 | drwxr-xr-x 1 root root 4096 Apr 6 18:51 ..
vulcain_1 | -rw-r--r-- 1 root root 1484 Mar 28 14:25 localhost.crt
vulcain_1 | -rw------- 1 root root 1708 Mar 28 14:25 localhost.key
vulcain_1 | -rw-r--r-- 1 root root 3192 Mar 28 14:25 server.pem
vulcain_1 | time="2020-04-06T18:51:56Z" level=info msg="Vulcain started" addr= protocol=https
vulcain_1 | 2020/04/06 18:52:04 http: TLS handshake error from 192.160.1.1:33854: local error: tls: bad record MAC
Some additional info which might be interesting:
$ docker-compose ps ... inventory_vulcain_1 /bin/sh -c /entry-point Up 0.0.0.0:8443->443/tcp, 80/tcp $ ip addr list 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether e0:d5:5e:ad:4d:93 brd ff:ff:ff:ff:ff:ff inet 192.168.178.16/24 brd 192.168.178.255 scope global dynamic noprefixroute enp2s0 valid_lft 2803sec preferred_lft 2803sec inet6 2001:1c02:3608:5a00:e2d5:5eff:fead:4d93/128 scope global dynamic noprefixroute valid_lft 43551sec preferred_lft 14751sec inet6 2001:1c02:3608:5a00:64f1:c95:8445:18ab/64 scope global temporary dynamic valid_lft 57598sec preferred_lft 28798sec inet6 2001:1c02:3608:5a00:a254:3c48:e1f5:eece/64 scope global dynamic mngtmpaddr noprefixroute valid_lft 57598sec preferred_lft 28798sec inet6 fe80::f072:b7e:12be:9908/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000 link/ether 30:24:32:dd:2c:aa brd ff:ff:ff:ff:ff:ff 611: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:49:dc:1f:b9 brd ff:ff:ff:ff:ff:ff inet 192.160.0.1/24 brd 192.160.0.255 scope global docker0 valid_lft forever preferred_lft forever 612: br-83afbf5f0e7b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:45:25:5b:0c brd ff:ff:ff:ff:ff:ff inet 192.160.1.1/24 brd 192.160.1.255 scope global br-83afbf5f0e7b valid_lft forever preferred_lft forever 630: vethe2a0b2f@if629: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 3a:b5:1e:ba:0f:94 brd ff:ff:ff:ff:ff:ff link-netnsid 1 632: veth9e8e091@if631: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 06:0a:e5:7d:18:af brd ff:ff:ff:ff:ff:ff link-netnsid 2 634: veth387d66d@if633: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 3e:ec:72:73:af:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0 636: veth3475f84@if635: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 2a:a2:17:d0:8d:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 3 638: veth0e9e1c7@if637: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 76:6c:7c:28:65:1f brd ff:ff:ff:ff:ff:ff link-netnsid 4 640: vetha177b13@if639: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-83afbf5f0e7b state UP group default link/ether 82:e9:bc:d1:28:41 brd ff:ff:ff:ff:ff:ff link-netnsid 5 # I have assigned a custom subnet for docker so it doesn't conflict with VPN connections $ cat /etc/docker/daemon.json { "default-address-pools": [ {"base":"192.160.1.0/16","size":24} ] }
Not a networking expert neither vulcain expert so I am not sure what to look for here.
If needed I could create a dockerfile for Golang and install from source and run the code directly and make some modifications to enable debug level logging, will work on that as soon as I have time in case no ideas have been brought up here yet about what could cause this issue.
Thanks in advance.
edit;
This is what is used to generate the certs you see in the directory listing:
# use this self-generated certificate only in dev, IT IS NOT SECURE! # https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact ARG NGINX_VERSION=1.17 FROM nginx:${NGINX_VERSION}-alpine # persistent / runtime deps RUN apk add --no-cache nss-tools ; WORKDIR /certs ARG MKCERT_VERSION=1.4.1 RUN set -eux; wget -O /usr/local/bin/mkcert https://github.com/FiloSottile/mkcert/releases/download/v$MKCERT_VERSION/mkcert-v$MKCERT_VERSION-linux-amd64; chmod +x /usr/local/bin/mkcert; mkcert --cert-file localhost.crt --key-file localhost.key localhost; # the file must be named server.pem - the default certificate path in webpack-dev-server cat localhost.key; cat localhost.crt; ls -la /certs; cat localhost.key localhost.crt > server.pem VOLUME /certs # add redirect from http://localhost to https://localhost RUN set -eux; { echo 'server {'; echo ' return 301 https://$host$request_uri;'; echo '}'; } | tee /etc/nginx/conf.d/default.conf
And these are the relevant parts of the docker-compose file:
api: build: context: ./api target: api_platform_nginx <<: *api-cache-from image: ${NGINX_IMAGE:-quay.io/api-platform/nginx} depends_on: - php volumes: - ./api/public:/srv/api/public:ro vulcain: #image: dunglas/vulcain build: ./docker/vulcain environment: - CERT_FILE=/certs/localhost.crt - KEY_FILE=/certs/localhost.key - UPSTREAM=http://api - DEBUG=1 depends_on: - api - dev-tls volumes: - dev-certs:/certs:ro ports: - target: 443 published: 8443 protocol: tcp dev-tls: build: context: ./docker/dev-tls volumes: - dev-certs:/certs:rw ports: - target: 80 published: 80 protocol: tcp volumes: dev-certs: {}
edit2;
Also regenerated the ssl certs using the readme from this repo to make sure the problem is not within the dev-tls image that comes with api-platform:
openssl req -x509 -newkey rsa:4096 -keyout localhost.key -out localhost.crt -days 365 # Remove the passphrase, otherwise you get the error from #13 openssl rsa -in localhost.key -out localhost.key $ openssl x509 -in localhost.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 70:9c:eb:9f:b8:06:c6:83:66:ba:8a:12:8e:0a:d8:75:72:05:17:37 Signature Algorithm: sha256WithRSAEncryption Issuer: C = NL, ST = NH, L = Amsterdam, O = Resourcefull, CN = localhost Validity Not Before: Apr 7 07:59:29 2020 GMT Not After : Apr 7 07:59:29 2021 GMT Subject: C = NL, ST = NH, L = Amsterdam, O = Resourcefull, CN = localhost
Unfortunately I still see exactly the same error after regenerating the ssl certs, updating docker-composer file to point to custom volume with new certs and rebuild: TLS handshake error from 192.160.1.1:57424: local error: tls: bad record MAC
-
kimb
Guest
2009-10-09 03:04
When uploading to a Filezilla server version 0.933 using SSL/TLS the upload fails with the server reporting:
Data connection SSL warning: SSL3 alert write: fatal: bad record mac
(This message comes from the filezilla log)
Research shows that this problem has occurred with clients that are compiled with older tls libraries (perhaps this is the problem).
Reply with quote
Advertisement
-
kimb
Guest
2009-10-09 03:10
Some additional info. I am using version 4.2.3(build 494) under Wine in Ubuntu Intrepid. I had the same problem with my previous version (I think it was 4.2.2). All other functions seem ok.
Here is an extract from the winscp log file at the point of failure:
> 2009-10-09 11:58:01.483 STOR NUnit-2.5.0.9122.msi
< 2009-10-09 11:58:02.150 150 Connection accepted
. 2009-10-09 11:58:02.834 SSL connection established
< 2009-10-09 11:58:04.383 426 Connection closed; transfer aborted.
. 2009-10-09 11:58:04.383 Copying files to remote side failed.
* 2009-10-09 11:58:04.383 (ExtException) Copying files to remote side failed.
* 2009-10-09 11:58:04.383 Connection closed; transfer aborted.
. 2009-10-09 11:58:04.384 Asking user:
. 2009-10-09 11:58:04.384 Error transferring file ‘C:userskimDesktopNUnit-2.5.0.9122.msi’. («Copying files to remote side failed.»,»Connection closed; transfer aborted.»)
* 2009-10-09 11:58:07.079 (EScpSkipFile) Error transferring file ‘C:userskimDesktopNUnit-2.5.0.9122.msi’.
* 2009-10-09 11:58:07.079 Copying files to remote side failed.
* 2009-10-09 11:58:07.079 Connection closed; transfer aborted.
Reply with quote
-
martin◆
Site Admin -
- Joined:
- 2002-12-10
- Posts:
- 38,461
- Location:
- Prague, Czechia
2009-10-09
Research shows that this problem has occurred with clients that are compiled with older tls libraries (perhaps this is the problem).
What older tls libraries?
Reply with quote
-
Sivaranjani
Guest
2016-05-17 08:19
older libraries means what?
what does it contains?
what are available in new libraries that not in older one?
Reply with quote
Advertisement