We have a few Docker containers behind an Nginx container. This Nginx container has SSL configured with certificates mounted as a Docker volume.
The certificate shows as a trusted one in all browsers and Linux machines. However, for a Windows machine, it only works for a few hours (this is completely random; we have seen this failing in less than 24 hours, and sometimes only around 36 hours or so). The Chrome browser still shows the certificate as trusted; however, a curl from a Windows system doesn't work. We have a few Windows binaries which also error out because of the same SSL error. The errors persist forever unless the below-mentioned workaround is done. We tried installing a Git Bash prompt in Windows, and that works and shows the certificate as trusted.
One thing that we identified is: replacing the certificate files with the EXACT SAME files and restarting the Nginx container works again FOR ANOTHER FEW HOURS. However, just a restart doesn't help much!
curl output (Linux):

curl -v https://staging.app.com
* Rebuilt URL to: https://staging.app.com/
* Trying 172.17.18.50...
* TCP_NODELAY set
* Connected to staging.app.com (172.17.18.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=staging.app.com
* start date: Jul 16 07:14:20 2020 GMT
* expire date: Oct 14 07:14:20 2020 GMT
* subjectAltName: host "staging.app.com" matched cert's "staging.app.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: staging.app.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 307 Temporary Redirect
< Server: nginx
< Date: Wed, 22 Jul 2020 14:35:34 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: csrf_cookie=0560637c1c9393f3f1ac746d5f5026be; expires=Thu, 23-Jul-2020 14:35:34 GMT; Max-Age=86400; path=/; HttpOnly
< Set-Cookie: sc_sessions=4cbb7d275ca432e04e2cc410045b8dbeb857b5e4; expires=Thu, 23-Jul-2020 14:35:34 GMT; Max-Age=86400; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Location: https://staging.app.com/login/loginPage
< Strict-Transport-Security: max-age=63072000; includeSubdomains
<
* Connection #0 to host staging.app.com left intact
curl output (Windows; this only works for a few hours):

curl -v https://staging.app.com/
* Trying 172.17.18.50
* TCP_NODELAY set
* Connected to staging.app.com (172.17.18.50) port 443 (#0)
* schannel: SSL/TLS connection with staging.app.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 182 bytes...
* schannel: sent initial handshake data: sent 182 bytes
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4022
* schannel: encrypted data buffer: offset 4022 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5046 length 5046
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 6070 length 6070
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 7094 length 7094
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 8118 length 8118
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 9142 length 9142
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 10166 length 10166
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 11190 length 11190
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 12214 length 12214
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 13238 length 13238
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 14262 length 14262
* schannel: encrypted data length: 97
* schannel: encrypted data buffer: offset 97 length 14262
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 217
* schannel: encrypted data buffer: offset 314 length 14262
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 274
* schannel: encrypted data buffer: offset 274 length 14262
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with staging.app.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /AgentApi/testConnection HTTP/1.1
> Host: staging.app.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 296
* schannel: encrypted data buffer: offset 296 length 103424
* schannel: decrypted data length: 267
* schannel: decrypted data added: 267
* schannel: decrypted data cached: offset 267 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 267 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 267
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 22 Jul 2020 14:28:51 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Strict-Transport-Security: max-age=63072000; includeSubdomains
<
success
* Connection #0 to host staging.app.com left intact

curl output (Windows, after it stops working):

curl -v https://staging.app.com
* Trying 172.17.18.50...
* TCP_NODELAY set
* Connected to staging.app.com (172.17.18.50) port 443 (#0)
* schannel: SSL/TLS connection with staging.app.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 186 bytes...
* schannel: sent initial handshake data: sent 186 bytes
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4022
* schannel: encrypted data buffer: offset 4022 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5046 length 5046
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 6070 length 6070
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 7094 length 7094
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 8118 length 8118
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 9142 length 9142
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 10166 length 10166
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 11190 length 11190
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 12214 length 12214
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 13238 length 13238
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 14262 length 14262
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 15286 length 15286
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 16310 length 16310
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with staging.app.com port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 17334 length 17334
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with staging.app.com port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
The following is our ssl.conf:
# Default self-signed SSL certificate generated at startup
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# SSL sessions
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Cannot be generated at startup as it takes a very long time to create.
# Could be mounted as a volume and enabled in custom sites.
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# OCSP Stapling
# Disabled for default certificate. Can be enabled for custom sites.
# ssl_stapling on;
# ssl_stapling_verify on;
# TLS 1.2 only
# TODO: Remove TLS1 as this is insecure as soon as agents support >=TLS1.2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Disable weak ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
proxy_ssl_ciphers HIGH:MEDIUM:!MD5:!RC4:!3DES;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
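As an added diagnostic (not part of the question or of any project), here is a small Python parser for the Windows `curl -v` schannel traces above: it totals the server's first handshake flight as schannel received it and records whether the handshake completed or which SEC_E_ code it failed with, so the working and failing runs can be compared side by side. The embedded traces are constructed, trimmed copies of the two Windows outputs in the question.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, trimmed copies of the two Windows curl (schannel) traces in the question.
WORKING_TRACE = (
    "* schannel: sending initial handshake data: sending 182 bytes...\n"
    "* schannel: encrypted data got 4096\n"
    + "* schannel: encrypted data got 1024\n" * 10
    + "* schannel: encrypted data got 217\n"
    "* schannel: sending next handshake data: sending 93 bytes...\n"
    "* schannel: encrypted data got 274\n"
    "* schannel: SSL/TLS handshake complete\n"
    "< HTTP/1.1 200 OK\n"
)
FAILING_TRACE = (
    "* schannel: sending initial handshake data: sending 186 bytes...\n"
    "* schannel: encrypted data got 4096\n"
    + "* schannel: encrypted data got 1024\n" * 13
    + "* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE "
    "(0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received\n"
    "curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326)\n"
)

@dataclass
class HandshakeSummary:
    client_hello_bytes: int        # size of the ClientHello flight curl sent
    server_flight_bytes: int       # bytes received before curl answered (or gave up)
    completed: bool                # schannel reported "handshake complete"
    error: Optional[str]           # SEC_E_* code on failure, else None
    http_status: Optional[int]     # HTTP status if a request got through

def summarize_schannel_trace(trace: str) -> HandshakeSummary:
    s = HandshakeSummary(0, 0, False, None, None)
    first_flight_done = False
    for line in trace.splitlines():
        if m := re.search(r"sending initial handshake data: sending (\d+) bytes", line):
            s.client_hello_bytes = int(m.group(1))
        elif (m := re.search(r"encrypted data got (\d+)", line)) and not first_flight_done:
            s.server_flight_bytes += int(m.group(1))  # only the server's first flight
        elif "sending next handshake data" in line:
            first_flight_done = True  # curl replied; later bytes belong to later flights
        elif "SSL/TLS handshake complete" in line:
            s.completed = True
        elif (m := re.search(r"failed: (SEC_E_\w+) \((0x[0-9A-Fa-f]+)\)", line)) and s.error is None:
            s.error = f"{m.group(1)} ({m.group(2)})"
        elif m := re.match(r"< HTTP/\d\.\d (\d{3})", line):
            s.http_status = int(m.group(1))
    return s
```

Feeding both traces through `summarize_schannel_trace` shows the failing run receiving a noticeably larger first server flight before schannel rejects it, which is the difference worth chasing (for example by comparing the certificate chain the container serves at the two times).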